26/90 Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。” Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
27/90 Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。” Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team Who are your stakeholders ? 誰是你們的利益相關者
28/90 Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。” Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team Security officer should start taking up the role of security stakeholders 資安官應該開始擔任利益相關者的角色
30/90 Product Backlog Scenario: User are able to register Given the user is on “/users/register” When the user types the email “[email protected]” When the user types the password “xxx” When the user clicks the register button Then the response should contains “Password must be at least 8 characters long” ... BDD
31/90 Product Backlog Scenario: The application should not contain SQL injection vulnerabilities And the SQL-Injection policy is enabled And the attack strength is set to High And the alert threshold is set to Low When the scanner is run And the following false positives are removed | url | parameter | cweId | wascId | And the XML report is written to the file output/security/sql_injection.xml Then no Medium or Higher risk vulnerabilities should be present Credit: https://continuumsecurity.net/bdd-security/ BDD
32/90 Product Backlog Scenario: Present the login form itself over an HTTPS connection Given a new browser instance And the client/browser is configured to use an intercepting proxy And the proxy logs are cleared And the login page is displayed And the HTTP request-response containing the login form Then the protocol should be HTTPS And ... Credit: https://continuumsecurity.net/bdd-security/ BDD
38/90 DevOps & Security SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
39/90 DevOps & Security SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/ “SecDevOps seeks to embed security inside the development process as deeply as DevOps has done with operations” (SecDevOps 旨在將開發過程中的資訊安全深入到 DevOps 的操作中 )
40/90 DevOps & Security The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no exceptions. As with any other methodology, security must be built into DevOps. Credit: https://techbeacon.com/devsecops-foundations
41/90 DevOps & Security The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no exceptions. As with any other methodology, security must be built into DevOps. Credit: https://techbeacon.com/devsecops-foundations DevOps 資訊安全成功的關鍵仰賴改變潛在的 DevOps 文化以擁抱安全性 - 沒有例外 -
55/90 DevOps & Compliance 《法律訴訟》美國 (1/2) 2002 MySQL vs. Progress Software 2002 MySQL vs. Progress Software 2006-03 Jacobson vs. Katzer 2006-03 Jacobson vs. Katzer 2007-10 BusyBox vs. Monsoon 2007-10 BusyBox vs. Monsoon 2007-11 BusyBox vs. Xterasys 2007-11 BusyBox vs. Xterasys 2007-11 BusyBox vs. High-Gain Antennas 2007-11 BusyBox vs. High-Gain Antennas 2007-12 BusyBox vs. Verizon 2007-12 BusyBox vs. Verizon 2008-01 Trend vs. Barracuda 2008-01 Trend vs. Barracuda 2008-06 BusyBox vs. Bell Microproduct 2008-06 BusyBox vs. Bell Microproduct
56/90 DevOps & Compliance 《法律訴訟》美國 (2/2) 2008-06 BusyBox vs. Super Micro Computer 2008-06 BusyBox vs. Super Micro Computer 2008-07 BusyBox vs. Extreme Networks 2008-07 BusyBox vs. Extreme Networks 2008-12 FSF vs. Cisco 2008-12 FSF vs. Cisco 2009-02 Microsoft vs. TomTom 2009-02 Microsoft vs. TomTom 2009-12 BusyBox vs. Best Buy 等 14 間 企業 2009-12 BusyBox vs. Best Buy 等 14 間 企業 2014-12 Ximpleware vs. Versata 2014-12 Ximpleware vs. Versata
71/90 CI/CD & Pipeline Credit: https://martinfowler.com/books/continuousDelivery.html Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT.
72/90 CI/CD & Pipeline Credit: https://martinfowler.com/books/continuousDelivery.html Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT. 持續交付是指將發布時程放在業務手中,而不是掌握在 IT 手中
73/90 CI/CD & Pipeline Credit: https://martinfowler.com/bliki/ContinuousDelivery.html Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In order to do Continuous Deployment you must be doing Continuous Delivery. Martin Fowler
74/90 CI/CD & Pipeline Credit: https://martinfowler.com/bliki/ContinuousDelivery.html Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In order to do Continuous Deployment you must be doing Continuous Delivery. Martin Fowler 持續交付只是意味著你可以進行頻繁部署 , 但可以選擇不這樣做, 通常是因為企業更喜歡較慢的部署速度
80/90 Security Marketing Compliance needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline Develop
81/90 Security Marketing Compliance Develop needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline
86/90 Security Marketing Compliance Develop needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline
yftzeng
nagix
coconala_engineer
iamshunta
onlinesalon
leveragestech
dahatake
mraible
cybozuinsideout
biwashi
poteboy
minorun365
lemiorhan
keithpitt
rasmusluckow
chrisshort
jacobian
zakiyama
reverentgeek
philhawksworth
geoffreycrofte
jakevdp
jonrohan
schacon
aarron