Slide 1

Slide 1 text

Agile Security By Example Matt Konda @mkonda Jemurai.com

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Background on me • Developer (~16 years) • Used agile a lot (~9 years) • Appsec focused (~5 years) • speaking around dev & sec (~2+ years) jemurai.com @mkonda

Slide 4

Slide 4 text

DEVELOPER (~16 YEARS) BACKGROUND ON ME

Slide 5

Slide 5 text

Background on you • Management role? • Technical role? • CISSP? • How many people “know” agile? • Like agile? • Use agile?

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

How this is going to work • Identify stakeholders • Run the talk with agile • Do 5 minute sprints • Start with 4 epics

Slide 8

Slide 8 text

Initial epics • Explain Agile • A Fictional Case Study • Agile Security Metrics • Agile Anti-Patterns

Slide 9

Slide 9 text

Agile values Individuals and interactions over processes and tools

Slide 10

Slide 10 text

Agile values Working software over comprehensive documentation

Slide 11

Slide 11 text

Agile values Customer collaboration over contract negotiation

Slide 12

Slide 12 text

Agile values Responding to change over following a plan

Slide 13

Slide 13 text

Traditional Plan Original goal

Slide 14

Slide 14 text

Traditional Plan Original goal Actual GOAL Agile Plan

Slide 15

Slide 15 text

Agile concepts Story A narrative description of a feature or task. Often in the form of: As a [role], I need to [do something] in order to [achieve a goal].

Slide 16

Slide 16 text

Agile concepts Stakeholder The people who will be impacted by a story. Often product managers and customers in addition to development, quality assurance, operations, security and IT.

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Agile concepts Sprint A fixed-length time box in which work is planned and measured. Often one or two weeks. Also called an “iteration”.

Slide 19

Slide 19 text

Agile concepts Backlog The queue of work to be done. Sometimes different backlogs for different types of things – say features, issues, documentation, technical controls.

Slide 20

Slide 20 text

Agile concepts Release The point where work is made available to a broader audience. Often after several Sprints. m Stories per Sprint, n Sprints per release.

Slide 21

Slide 21 text

Agile concepts Story Board The place where work for the current Sprint is easy to see and track. Could be on the wall like we are doing, or in a tool like Trello, AgileZen, Jira/GreenHopper, etc.

Slide 22

Slide 22 text

Trello Example

Slide 23

Slide 23 text

Agilezen Example

Slide 24

Slide 24 text

Agile concepts Standup A periodic checkpoint meeting attended by stakeholders during which issues and progress are reviewed. Best if daily, very short, review any issues.

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Agile concepts Visibility Stakeholders can see status on story board. Built in at a fine grained level of detail.

Slide 27

Slide 27 text

Agile concepts Parking Lot A process for managing issues as they arise. Usually says that new issues will be added to a list of items to be discussed and triaged by the team (including business stakeholders) at the next standup.

Slide 28

Slide 28 text

Agile concepts Sprint Planning The process by which a team chooses and estimates what work to do in a given Sprint. Stakeholders must prioritize and know what is in the Sprint. Team discusses & estimates tasks assigned.

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Agile concepts Velocity How many tasks get done per Sprint. Measured in Stories, Story Points or Estimated Story Hours per Sprint.

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Agile concepts Retrospective Built in mechanism for continuous improvement. At the end of every Sprint, the team talks about ways the processes/project can be improved.

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

Agile concepts Technical Debt A measure of work that should be done because corners have been cut in one way or another. Often manifested as lack of documentation, lack of testing, lack of operational process.

Slide 35

Slide 35 text

Agile concepts Grooming The process of managing the backlog. Let longer term goals stay big and broadly estimated, let shorter term upcoming work be estimated at a finer level of detail.

Slide 36

Slide 36 text

CREDIT: RALLYDEV.COM

Slide 37

Slide 37 text

Notice that traditional presentations are not especially conducive to Agile collaboration

Slide 38

Slide 38 text

Traditional Plan Original goal

Slide 39

Slide 39 text

Traditional Plan Original goal Actual GOAL Agile Plan

Slide 40

Slide 40 text

Case Study The following slides illustrate how Agile could be applied to different types of security projects.

Slide 41

Slide 41 text

Case Study: Policy Framework • A master policy could be a story. • Each policy could be a story. • Stakeholders are policy approvers and implementers. • Additional stories for mapping policy to a compliance framework or standard.

Slide 42

Slide 42 text

Case Study: Pen test • Each part of a penetration test could be a story • Scope & Approval • Recon • Exploitation • Pivot & Exploit • Report

Slide 43

Slide 43 text

Case Study: DLP Implementation • Requirements (email, file, db, network) • Tool/Partner selection • Implementation phases (server prep, rule tuning) • Testing

Slide 44

Slide 44 text

Case Study: remediation • Issue remediation demands tracking and visibility • Consolidate issues • Each Sprint assign and track issues • Maintain backlog of issues that haven’t been addressed.

Slide 45

Slide 45 text

Case Study: All together now • A combined story board will show issues across the previous four areas. • By managing at the detailed level, you can choose what tasks are next and easily communicate to management what is and what is not being done.

Slide 46

Slide 46 text

Agile security metrics The following slides illustrate how Agile security metrics can work.

Slide 47

Slide 47 text

What is hard about metrics? Measures. Time.

Slide 48

Slide 48 text

Agile security metrics • Agile is GREAT for metrics. • Check the case study. • Check out the progress so far in the talk.

Slide 49

Slide 49 text

Agile security metrics • Using standard Agile metrics, you can track progress toward any long term project goal, including: • Policy development • Pen Test • Product implementation • Issue remediation

Slide 50

Slide 50 text

Agile metrics Credit: rallydev.com

Slide 51

Slide 51 text

Agile security metrics • Burndown • Velocity • Easy to filter

Slide 52

Slide 52 text

Use metrics to show your organization what you are doing and the impact of their prioritization.
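To make the burndown, velocity and filtering metrics above concrete, and to show the remediation-tracking idea from the case study (one consolidated backlog, issues assigned per Sprint, open issues kept in the backlog), here is an added worked example. It is not code from the talk; the backlog entries, the story-point estimates and the three-sprint history are constructed sample data, and the forecast rule (remaining points divided by average velocity) is an assumption chosen for illustration.

```python
"""Constructed example (not from the talk): burndown, velocity and a forecast
for a security backlog, filterable by work area."""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Story:
    title: str
    area: str                      # "policy", "pentest", "dlp", "remediation"
    points: int                    # estimate agreed at sprint planning
    done_in_sprint: Optional[int]  # sprint in which it reached Done; None if still open


# Constructed sample backlog covering the case-study areas from the talk.
BACKLOG: List[Story] = [
    Story("Master security policy", "policy", 3, 1),
    Story("Access control policy", "policy", 2, 2),
    Story("Map policies to PCI DSS", "policy", 5, None),
    Story("Pen test: scope & approval", "pentest", 1, 1),
    Story("Pen test: recon", "pentest", 3, 2),
    Story("Pen test: exploitation", "pentest", 5, 3),
    Story("Pen test: report", "pentest", 3, None),
    Story("Remediate SQLi in login", "remediation", 2, 1),
    Story("Rotate leaked API key", "remediation", 1, 2),
    Story("Remediate XSS in search", "remediation", 2, 3),
]


def filter_area(stories: List[Story], area: str) -> List[Story]:
    """The 'easy to filter' property: one backlog, sliced per project."""
    return [s for s in stories if s.area == area]


def velocity(stories: List[Story], sprints: int) -> List[int]:
    """Story points completed in each of sprints 1..sprints."""
    return [sum(s.points for s in stories if s.done_in_sprint == n)
            for n in range(1, sprints + 1)]


def burndown(stories: List[Story], sprints: int) -> List[int]:
    """Points remaining before sprint 1, then at the end of each sprint."""
    total = sum(s.points for s in stories)
    remaining = [total]
    for n in range(1, sprints + 1):
        done = sum(s.points for s in stories
                   if s.done_in_sprint is not None and s.done_in_sprint <= n)
        remaining.append(total - done)
    return remaining


def sprints_to_finish(stories: List[Story], sprints: int) -> Optional[int]:
    """Forecast from average velocity (assumption); None means nothing to forecast from."""
    remaining = burndown(stories, sprints)[-1]
    if remaining == 0:
        return 0
    avg = sum(velocity(stories, sprints)) / sprints
    if avg == 0:
        return None
    return math.ceil(remaining / avg)


def report(stories: List[Story], sprints: int) -> str:
    """One line per area: what management sees about the effect of their prioritization."""
    lines = []
    for area in sorted({s.area for s in stories}):
        sub = filter_area(stories, area)
        lines.append(f"{area:12s} velocity={velocity(sub, sprints)} "
                     f"burndown={burndown(sub, sprints)} "
                     f"sprints_left={sprints_to_finish(sub, sprints)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BACKLOG, 3))
```

Run as a script it prints one status line per area after three sprints. The remediation slice burns down to zero while the pen test still has its report outstanding, which is exactly the kind of per-project visibility the combined story board gives you.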

Slide 53

Slide 53 text

Agile Anti-Patterns How do you know you are doing it wrong?

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

Agile security anti-patterns • Stakeholders are not included • Stakeholders or team do not participate in process • After a Sprint, substantial work done during the sprint is not what was planned

Slide 56

Slide 56 text

Agile security anti-patterns • Stories are estimated at bigger than a sprint • Stories get stuck as work in progress and never move without raising a red flag • Backlog is disorganized

Slide 57

Slide 57 text

Agile security anti-patterns • Team not involved in estimation • Standup takes an hour
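Three of the anti-patterns listed above are mechanical enough to check from the story board data itself: stories estimated bigger than a Sprint, stories stuck in work in progress without raising a flag, and a Sprint whose completed work was mostly not what was planned. The following is an added example of such checks; it is not code from the talk. The board contents, the sprint capacity of 8 points, the one-sprint WIP limit and the 25% unplanned-work threshold are all constructed assumptions for illustration.

```python
"""Constructed example (not from the talk): automated checks for three
story-board anti-patterns, run over a small hand-built board."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Story:
    title: str
    points: int
    status: str                    # "todo", "wip" or "done"
    planned_sprint: Optional[int]  # sprint it was committed to at planning; None = pulled in unplanned
    started_sprint: Optional[int]  # sprint in which it entered WIP
    done_sprint: Optional[int]     # sprint in which it reached Done


# Thresholds are assumptions for this example, not numbers from the talk.
SPRINT_CAPACITY = 8          # points the team has historically finished per sprint
MAX_WIP_SPRINTS = 1          # a story open across more sprint boundaries than this is a red flag
MAX_UNPLANNED_SHARE = 0.25   # more than this share of completed points unplanned is a red flag

# Constructed board as it looks at the start of sprint 4.
BOARD: List[Story] = [
    Story("Enterprise DLP rollout", 13, "todo", None, None, None),
    Story("Pen test: report", 3, "wip", 2, 2, None),
    Story("Access control policy", 2, "wip", 4, 4, None),
    Story("Remediate XSS in search", 2, "done", 3, 3, 3),
    Story("Hotfix leaked credentials", 5, "done", None, 3, 3),
    Story("Pen test: recon", 3, "done", 3, 3, 3),
]

Finding = Tuple[str, str]  # (rule name, story title or sprint label)


def oversized(stories: List[Story], capacity: int) -> List[Finding]:
    """A story bigger than a sprint cannot finish in one; it needs splitting."""
    return [("bigger-than-sprint", s.title) for s in stories if s.points > capacity]


def stuck_wip(stories: List[Story], current_sprint: int, max_sprints: int) -> List[Finding]:
    """Stories sitting in WIP across more than max_sprints sprint boundaries."""
    return [("stuck-in-wip", s.title) for s in stories
            if s.status == "wip" and s.started_sprint is not None
            and current_sprint - s.started_sprint > max_sprints]


def unplanned_share(stories: List[Story], sprint: int) -> float:
    """Fraction of points completed in `sprint` that were not in that sprint's plan."""
    done = [s for s in stories if s.done_sprint == sprint]
    total = sum(s.points for s in done)
    if total == 0:
        return 0.0
    unplanned = sum(s.points for s in done if s.planned_sprint != sprint)
    return unplanned / total


def audit(stories: List[Story], current_sprint: int,
          capacity: int = SPRINT_CAPACITY, max_wip: int = MAX_WIP_SPRINTS,
          max_unplanned: float = MAX_UNPLANNED_SHARE) -> List[Finding]:
    """Run all checks; planned-vs-actual drift is judged on the sprint just finished."""
    findings = oversized(stories, capacity) + stuck_wip(stories, current_sprint, max_wip)
    last = current_sprint - 1
    if last >= 1 and unplanned_share(stories, last) > max_unplanned:
        findings.append(("unplanned-work", f"sprint {last}"))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(BOARD, current_sprint=4):
        print(f"{rule}: {subject}")
```

Run against the constructed board this flags the 13-point DLP story, the pen test report that has been in progress since sprint 2, and sprint 3, in which a 5-point unplanned hotfix made up half of the completed work. These are the items to raise at the retrospective; the checks say nothing about the people-process anti-patterns (estimation without the team, hour-long standups), which only a human can spot.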

Slide 58

Slide 58 text

No content