Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure360 - Agile Security By Example

Matt Konda
May 15, 2013
Technology
0
690

Secure360 - Agile Security By Example

Note: This talk is highly interactive and was delivered primarily through story cards on a story board at the front of a room with stakeholders from the audience helping to prioritize and change direction on the fly. The slides supported that, but were not in themselves a foundational part of the talk.

Conference Abstract:
In this highly interactive talk, we will use Agile methods to present an overview of Agile project management. We will start with four cards or “epics” (topics): Explain Agile, Agile Security Metrics, A Fictional Case Study and Agile Anti-Patterns. The audience will participate by prioritizing and defining additional cards and tasks as the talk progresses. The talk will literally be driven by the agile process that we are trying to explain. Throughout, we will track the metrics of our presentation and at the end we will demonstrate how we set out to do what we wanted to do (or didn’t!).

The core value to the attendee is learning the foundation of Agile by using it and seeing it first hand. We expect to talk at length about the benefits Agile offers to security projects and programs. In addition, we expect to talk about specific security related metrics. If the original plan holds through the talk, we will also cover some anti-patterns – how to know there is something wrong in an agile project. Worst case is that those interfacing with development teams using agile will have a better sense of how that process works. Warning: this talk may eat itself.

Matt Konda

May 15, 2013
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
110
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
94
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
95
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
52
Application Security Landscape
mkonda
0
73

Other Decks in Technology

See All in Technology
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
150
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
180
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
230
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
100
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
1
120
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
550
20240416_devopsdaystokyo
kzkmaeda
1
220
反実仮想機械学習とは何か
usaito
PRO
11
4.3k
長期運用プロジェクトでのMySQLからTiDB移行の検証
colopl
2
850

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
How to name files
jennybc
65
93k
Scaling GitHub
holman
457
140k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
What's new in Ruby 2.0
geeforr
337
31k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Become a Pro
speakerdeck
PRO
11
4.5k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k

Transcript

  1. Agile Security By Example Matt Konda @mkonda Jemurai.com

  2. None

  3. Background on me • Developer (~16 years) • Used agile

    a lot (~9 years) • Appsec focused (~5 years) • speaking around dev & sec (~2+ years) jemurai.com @mkonda

  4. DEVELOPER (~16 YEARS) BACKGROUND ON ME

  5. background on you • Management Role? • technical role? •

    CISSP? • How many people “know” agile? • Like agile? • Use agile?
  6. None

  7. How this is going to work • Identify stakeholders •

    Run the talk with agile • Do 5 minute sprints • Start with 4 epics

  8. Initial epics • Explain Agile • A Fictional Case Study

    • Agile Security Metrics • Agile Anti-Patterns

  9. Agile values Individuals and interactions over processes and tools

  10. Agile values Working software over comprehensive documentation

  11. Agile values Customer collaboration over contract negotiation

  12. Agile values Responding to change over following a plan

  13. Traditional Plan Original goal

  14. Traditional Plan Original goal Actual GOAL Agile Plan

  15. Agile concepts Story A narrative description of a feature or

    task. Often in the form of: As a <stakeholder> I need to <action> in order to <actual business objective>.

  16. Agile concepts Stakeholder The people who will be impacted by

    a story. Often product managers and customers in addition to development, quality assurance, operations, security and IT.
  17. None

  18. Agile concepts Sprint An arbitrary unit of time in which

    work will be measured. Often one or two weeks. Also an “iteration”.

  19. Agile concepts Backlog The queue of work to be done.

    Sometimes different backlogs for different types of things – say features, issues, documentation, technical controls.

  20. Agile concepts Release The point where work is made available

    to a broader audience. Often after several Sprints. m Stories per Sprint, n Sprints per release.

  21. Agile concepts Story Board The place where work for the

    current Sprint is easy to see and track. Could be on the wall like we are doing, or in a tool like Trello, AgileZen, Jira/ GreenHopper, etc.

  22. Trello Example

  23. Agilezen Example

  24. Agile concepts Standup A periodic checkpoint meeting attended by stakeholders

    during which issues and progress are reviewed. Best if daily, very short, review any issues.
  25. None

  26. Agile concepts Visibility Stakeholders can see status on story board.

    Built in at a fine grained level of detail.

  27. Agile concepts Parking Lot A process for managing issues as

    they arise. Usually says that new issues will be added to a list of items to be discussed and triaged by the team (including business stakeholders) at the next standup.

  28. Agile concepts Sprint Planning The process by which a team

    chooses and estimates what work to do in a given Sprint. Stakeholders must prioritize and know what is in the Sprint. Team discusses & estimates tasks assigned.
  29. None

  30. Agile concepts Velocity How many tasks get done per Sprint.

    Measured in Stories, Story Points or Estimated Story Hours per Sprint.
  31. None

  32. Agile concepts Retrospective Built in mechanism for continuous improvement. At

    the end of every Sprint, the team talks about ways the processes/project can be improved.
  33. None

  34. Agile concepts Technical Debt A measure of work that should

    be done because corners have been cut in one way or another. Often manifested as lack of documentation, lack of testing, lack of operational process.

  35. Agile concepts Grooming The process of managing the backlog. Let

    longer term goals stay big and broadly estimated, let shorter term upcoming work be estimated at a finer level of detail.

  36. CREDIT: RALLYDEV.COM

  37. Notice that traditional presentations are not especially conducive to Agile

    collaboration

  38. Traditional Plan Original goal

  39. Traditional Plan Original goal Actual GOAL Agile Plan

  40. Case Study The following slides illustrate how Agile could be

    applied to different types of security projects.

  41. Case Study: Policy Framework • A master policy could be

    a story. • Each policy could be a story. • Stakeholders are policy approvers and implementers. • Additional stories for mapping policy to compliance/ standard.

  42. Case Study: Pen test • Each part of a penetration

    test could be a story • Scope & Approval • Recon • Exploitation • Pivot & Exploit • Report

  43. Case Study: DLP Implementation • Requirements (email, file, db, network)

    • Tool/Partner selection • Implementation phases Rule tuning Server prep • Testing

  44. Case Study: remediation • Issue remediation demands tracking and visibility

    • Consolidate issues • Each Sprint assign and track issues • Maintain backlog of issues that haven’t been addressed.

  45. Case Study: All together now • A combined story board

    will show issues across the previous four areas. • By managing at the detailed level, you can choose what tasks are next and easily communicate to management what is and what is not being done.

  46. Agile security metrics The following slides illustrate how Agile security

    metrics can work.

  47. What is hard about metrics? Measures. Time.

  48. Agile security metrics • Agile is GREAT for metrics. •

    Check the case study. • Check out progress so for in the talk.

  49. Agile security metrics • Using standard Agile metrics, you can

    track progress toward any long term project goal, including: Policy development Pen Test Product implementation Issue remediation

  50. Agile metrics Credit: rallydev.com

  51. Agile security metrics • Burndown • Velocity • Easy to

    filter

  52. Use metrics to show your organization what you are doing

    and the impact of their prioritization.

  53. Agile Anti-Patterns How do you know you are doing it

    wrong?
  54. None

  55. Agile security anti-patterns • Stakeholders are not included • Stakeholders

    or team do not participate in process • After a Sprint, substantial work done during the sprint is not what was planned

  56. Agile security anti-patterns • Stories are estimated at bigger than

    a sprint • Stories get stuck as work in progress and never move without raising a red flag • Backlog is disorganized

  57. Agile security anti-patterns • Team not involved in estimation •

    Standup takes an hour
  58. None