once upon a time
[diagram: ideas, design, code, stuff, test, deploy]
Slide 3
security was all about gates
[diagram: idea, design, code, stuff, test, deploy]
Slide 4
and goodness do we love gates
[diagram: idea, design, code, stuff, test, deploy]
Gates: Initial Risk Assessment; Design Review; Code and Implementation Review; Penetration Testing
Slide 5
same thing, just more frequently?
Slide 6
Slide 7
Why don’t you do security?
Slide 8
we can make you look good
Proactive security engagement increases:
Preparedness
Credibility
Market awareness
Strategic thinking
Slide 9
So what does agile security need to be
1. Able to empower developers
2. Cost effective
3. Pragmatic and flexible
4. Easy to integrate with existing workflows
5. Scalable
Slide 10
common misconceptions
Slide 11
avoidance != management
Slide 12
too little to fail (at security)
Slide 13
the sky is not always falling*
*except when it is (then you should really do something about it)
Slide 14
agility increases risk
Slide 15
Ten steps to a better, stronger and more secure you
regardless of budget, organisation size or how cool you are
Slide 16
1. know your stack
Languages
Libraries
Operating Systems
Applications
Third Party Services
Slide 17
2. learn to add, adapt and abandon
Slide 18
3. create a simple risk taxonomy
Critical
High
Medium
Low
Informational
False Positive
Slide 19
4. understand your security and technical debt
it’s natural and awesome but you can’t run from it forever
Slide 20
5. bring security into your requirements
“engage security early and often and be sure to have it included in your definition of done”
Slide 21
6. prepare for the worst
Monitoring
Analysis
Understanding
Response
Feedback
Slide 22
7. build an empire one developer at a time
Slide 23
8. design your workflows
“the best technical people I know work really hard to make themselves redundant.”
Slide 24
fails
Slide 25
10. outsource smartly
“if you are going to spend the money, research your options, scope well and be demanding”
Slide 26
common challenges, and how to conquer, obliterate or otherwise win
Slide 27
compliance is a priority
“nothing is more fatal to a new business than the fines for non-compliance”
Slide 28
maintain momentum
“more secure today than yesterday”
Slide 29
use your words
No:
Simple way to remove risk
Must be logically applied and justified
Does not remove the original need or objective
Yes:
Scary for security people
Accepts risks and understands them
Enables innovation
Encourages safe usage