Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security from Inception

Matt Konda
July 11, 2014
Technology
1
420

Security from Inception

A talk with practical examples of how security can be built into agile projects from their inception.

Matt Konda

July 11, 2014
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
110
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
94
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
95
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
52
Application Security Landscape
mkonda
0
73

Other Decks in Technology

See All in Technology
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
180
NgRx Signal Store
rainerhahnekamp
0
140
アクセス制御にまつわる改善 / Improving access control
itkq
0
510
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
890
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
20240416_devopsdaystokyo
kzkmaeda
1
210
VS CodeでAWSを操作しよう
smt7174
7
1.6k
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
260
生産性向上チームの紹介
cybozuinsideout
PRO
1
860
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
270
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
290

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
274
13k
Building Your Own Lightsaber
phodgson
99
5.7k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
A designer walks into a library…
pauljervisheath
200
23k
A Modern Web Designer's Workflow
chriscoyier
689
190k
We Have a Design System, Now What?
morganepeng
43
6.7k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Producing Creativity
orderedlist
PRO
337
39k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
What's in a price? How to price your products and services
michaelherold
237
11k
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
Ruby is Unlike a Banana
tanoku
96
10k

Transcript

  1. Security from inception Matt Konda @mkonda Jemurai.com

  2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

    Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager ! Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: ! Training Coaching Code Review Plugged in to SDLC Consulting Assessments

  3. BACKGROUND ON ME

  4. What is an inception?

  5. exercise

  6. ARE STAKEHOLDERS ASKING FOR SECURITY?

  7. villain Persona

  8. Baseline security requirements

  9. story points

  10. estimates to include security considerations

  11. Agile metrics Credit: rallydev.com

  12. Agile values Individuals and interactions over processes and tools

  13. Agile values Working software over comprehensive documentation

  14. Agile values Customer collaboration over contract negotiation

  15. Agile values Responding to change over following a plan

  16. Traditional Plan Original goal

  17. Traditional Plan Original goal Actual GOAL Agile Plan

  18. Example: 2FA

  19. placeholder for building picture

  20. Example: auditing

  21. story review

  22. CREDIT:
 RALLYDEV.COM

  23. incremental code review

  24. hipchat

  25. continuous integration

  26. Speaking of tools…

  27. there is no !

  28. checklists

  29. bug tracking

  30. EVIL False Positives Are a Necessary

  31. standup

  32. None

  33. provide scenarios for negative testing

  34. built in architecture review

  35. operationalize

  36. None

  37. Facilitate

  38. ask questions

  39. None
  40. None

  41. Ɣ Ɣ 5(/,$%,/,7< 0$,17$,1$%,/,7< Ɣ Ɣ Ɣ Ɣ Ɣ Ɣ

    Ɣ Ɣ 6(&85,7< ruggeddev.org @ruggeddev rugged

  42. make developer friends !

  43. None

  44. goal: describe some practical ways to engage with real world

    development teams

  45. Summary • Villain Person from Inception • baseline Security Requirements

    Up Front • Story Review for Security: acceptance criteria • Security Requirements included in stories PRE estimation • Incremental Code Review • Share Tools: planning, collaboration, build • Participate in Standup • operational and monitoring guide • Facilitate - ask questions - stay involved

  46. Thank you

  47. Thank you

  48. Security from inception Matt Konda @mkonda Jemurai.com