The Security Sprint By Ramnath Cidambi

Agile and DevOps

- DevOps is a "recent" concept, though the building blocks have existed for a while; the understanding of what it is varies
- Agile is mature and well-defined
- Agile and DevOps are complementary and need to co-exist

Agile and DevOps: Methods and Goals

- Rapid response to change
- Speed to market = iterative and fast
- Focus on the product = focus on the customer
- Small chunks
- Collaborate

What happened to the "focus on security"?

More challenges!

- Refactoring of code could create security vulnerabilities
- Automation such as continuous integration results in less priority being given to change management

What is an IT team to do?

Agile and DevOps Incorporate Security in three areas

Agile and DevOps Incorporate Security in Process

Step 1 – Risk Assessment (RA) & Security Architecture (the ideal process)

- A new product or system?
- The product/system owner should work with the security team to perform an RA that includes input from all stakeholders
- Develop a system security architecture that uses the RA as input

Step 2 – Security Assessment of every story (the ideal process)

- Validate every story with respect to the system security architecture
- Every sprint should have a security risk indicator based on the validation
- Every security-sensitive story:
  - is factored into the design
  - has security acceptance criteria
  - gets security testing

What Really Happens?

- The need for speed and business priority takes over
- Security requirements are postponed to future sprints
- Business requirements take precedence over security
- There are not enough hours in the day
- "It is not going to happen to us" justifies the decisions
- Projects start running a security debt!

How do we solve it?

- Collect on the security debt!
- Create Security Only Sprints (SOS)
- Involve the CISO and sell it to the business
- Use Security Only Sprints to educate
- Use Security Only Sprints to get to the ideal process!

Cadence: Business Sprint, Business Sprint, Business Sprint, Security Sprint
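The per-story validation and per-sprint risk indicator of Step 2, and the "collect on the security debt" trigger for a Security Only Sprint above, can be made concrete as a small backlog ledger. The following is an added example, not code from the presentation; the story fields, the debt and deferral thresholds, and the sample backlog (product key "APP") are assumptions for illustration.

```python
# Added example (not from the presentation): a minimal security-debt ledger for a
# backlog, implementing per-story validation, a per-sprint risk indicator and the
# trigger for a Security Only Sprint. Fields, thresholds and the sample backlog are
# assumed values chosen for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Story:
    key: str
    title: str
    security_sensitive: bool = False            # flagged during story validation
    security_acceptance: List[str] = field(default_factory=list)  # acceptance criteria
    security_tested: bool = False               # security test executed and passed
    deferred_from_sprint: Optional[int] = None  # sprint in which security work was postponed


def validate_story(story: Story) -> List[str]:
    """Return the security gaps of one story relative to the ideal process."""
    gaps: List[str] = []
    if story.security_sensitive:
        if not story.security_acceptance:
            gaps.append("no security acceptance criteria")
        if not story.security_tested:
            gaps.append("no security testing")
    if story.deferred_from_sprint is not None:
        gaps.append(f"security work deferred since sprint {story.deferred_from_sprint}")
    return gaps


def sprint_risk_indicator(stories: List[Story]) -> Dict[str, object]:
    """Per-sprint indicator: share of security-sensitive stories with unmet security needs."""
    sensitive = [s for s in stories if s.security_sensitive]
    unmet = [s.key for s in sensitive if validate_story(s)]
    ratio = len(unmet) / len(sensitive) if sensitive else 0.0
    level = "green" if ratio == 0 else ("amber" if ratio < 0.5 else "red")
    return {"sensitive": len(sensitive), "unmet": unmet, "ratio": ratio, "level": level}


def security_debt(backlog: List[Story]) -> int:
    """Security debt = total number of open security gaps across the backlog."""
    return sum(len(validate_story(s)) for s in backlog)


def needs_security_sprint(backlog: List[Story], current_sprint: int,
                          max_debt: int = 5, max_deferral: int = 2) -> bool:
    """Schedule a Security Only Sprint when debt exceeds max_debt or any deferral
    has aged max_deferral sprints or more (both thresholds are assumed values)."""
    if security_debt(backlog) > max_debt:
        return True
    return any(s.deferred_from_sprint is not None
               and current_sprint - s.deferred_from_sprint >= max_deferral
               for s in backlog)


# Constructed sample backlog for a hypothetical product "APP".
SAMPLE_BACKLOG = [
    Story("APP-101", "Add login via SSO", security_sensitive=True,
          security_acceptance=["ID token signature and audience validated"],
          security_tested=True),
    Story("APP-102", "Export report as CSV", security_sensitive=True),
    Story("APP-103", "Change primary button colour"),
    Story("APP-104", "Upload profile picture", security_sensitive=True,
          security_acceptance=["file type and size checked server-side"],
          deferred_from_sprint=3),
]

if __name__ == "__main__":
    for story in SAMPLE_BACKLOG:
        print(story.key, validate_story(story) or "ok")
    print("risk indicator:", sprint_risk_indicator(SAMPLE_BACKLOG))
    print("security debt:", security_debt(SAMPLE_BACKLOG))
    print("SOS due in sprint 5:", needs_security_sprint(SAMPLE_BACKLOG, current_sprint=5))
```

The deferral age is tracked separately from the raw gap count on purpose: a single postponed item can sit in the backlog for many sprints without pushing the total over the debt threshold, and the age rule is what forces it onto a Security Sprint.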

Agile and DevOps Incorporate Security using Tools

Tools make it easy!

- Use tools to scan code for vulnerabilities; make it part of the development environment
- Automate security testing; use tools such as OWASP ZAP
- Pen test after integration and before user acceptance (this may be too late!)
- Continuous integration needs continuous security testing
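"Continuous integration needs continuous security testing" only works if the scan result can stop a build. The following is an added example, not part of the presentation and not a script from the ZAP project: a CI gate that reads the JSON report a ZAP scan writes and fails the pipeline on findings at or above a chosen risk level. It assumes the shape of ZAP's JSON report (a "site" list, each entry carrying an "alerts" list with a numeric "riskcode" 0 to 3); the embedded sample report, the hostname, and the thresholds are constructed for illustration.

```python
# Added example (not from the presentation, not a ZAP project script): gate a CI build
# on a ZAP JSON report. The report shape below is assumed from ZAP's JSON report
# format; the sample itself is constructed and the thresholds are assumptions.
import json
import sys
from typing import Dict, Iterable, List, Set

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report for a hypothetical test environment.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://app.test.local",
        "alerts": [
            {"name": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://app.test.local/search?q="}]},
            {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "riskdesc": "Medium (High)",
             "instances": [{"uri": "http://app.test.local/"}]},
            {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "riskdesc": "Low (Medium)",
             "instances": [{"uri": "http://app.test.local/"}]},
        ],
    }],
})


def parse_alerts(report_text: str) -> List[Dict[str, object]]:
    """Flatten a ZAP JSON report into a list of alerts with numeric risk and site."""
    report = json.loads(report_text)
    alerts: List[Dict[str, object]] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "name": alert["name"],
                "risk": int(alert["riskcode"]),
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def gate(alerts: Iterable[Dict[str, object]], fail_at: int = 3,
         accepted: Set[str] = frozenset()) -> Dict[str, object]:
    """Split alerts into blocking / warning / accepted. 'accepted' holds alert names the
    security team has formally signed off on (a recorded risk acceptance, not a silent skip)."""
    blocking, warnings, acc = [], [], []
    for a in alerts:
        if a["name"] in accepted:
            acc.append(a["name"])
        elif a["risk"] >= fail_at:
            blocking.append(a["name"])
        elif a["risk"] >= 1:
            warnings.append(a["name"])
    return {"passed": not blocking, "blocking": blocking, "warnings": warnings, "accepted": acc}


def summarize(alerts: Iterable[Dict[str, object]]) -> str:
    """Human-readable one-line-per-alert summary for the build log."""
    return "\n".join(
        f"{RISK_NAMES[a['risk']]:<13} {a['name']} ({a['instances']} instance(s)) on {a['site']}"
        for a in alerts
    )


if __name__ == "__main__":
    # Usage: python zap_gate.py report.json   (report written by the ZAP scan step;
    # with no argument the constructed sample is used so the script runs offline)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_alerts(text)
    print(summarize(found))
    result = gate(found, fail_at=3)
    print("gate:", "PASS" if result["passed"] else "FAIL", result)
    sys.exit(0 if result["passed"] else 1)
```

Start with `fail_at=3` so only High findings break builds, then tighten to Medium once the backlog of known warnings has been worked off; a gate that fails every build on day one gets disabled, which is the "speed takes over" failure mode the previous slides describe.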

Tools make it easy… and hard

DevOps is all about automation. For your end product to be secure:

- Make sure the Dev, Test, UAT and Prod environments are identical
- Ensure the security team has validated the environments
- Everything you need to do should be done before the build
- Make sure it works for you and your organization!
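"Identical environments" and "validated by the security team" are both checkable before a build is promoted. The following is an added example, not from the presentation: a parity check that diffs the security-relevant settings of Dev, Test, UAT and Prod against Prod and produces a fingerprint the security team can record as its validation. The setting names, the list of security-relevant keys and the four sample configurations are constructed for illustration.

```python
# Added example (not from the presentation): pre-build environment parity check.
# SECURITY_KEYS, the setting names and the sample environments are assumptions.
import hashlib
import json
from typing import Any, Dict

# Keys whose drift is a security finding rather than an operational difference (assumed list).
SECURITY_KEYS = {"tls_min_version", "debug", "auth_mode", "session_timeout_min", "cors_origins"}

# Constructed sample configurations for a hypothetical service.
PROD: Dict[str, Any] = {
    "tls_min_version": "1.2", "debug": False, "auth_mode": "oidc",
    "session_timeout_min": 15, "cors_origins": ["https://app.example.test"],
    "log_level": "info", "replicas": 4,
}
ENVIRONMENTS: Dict[str, Dict[str, Any]] = {
    "prod": PROD,
    "uat": {**PROD, "replicas": 2, "log_level": "debug"},                 # operational drift only
    "test": {**PROD, "debug": True, "replicas": 1},                       # debug left on
    "dev": {**PROD, "tls_min_version": "1.0", "debug": True, "auth_mode": "basic", "replicas": 1},
}


def fingerprint(config: Dict[str, Any]) -> str:
    """Stable SHA-256 over the canonical JSON form; what the security team signs off on."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift_report(envs: Dict[str, Dict[str, Any]], baseline: str = "prod") -> Dict[str, Dict[str, Any]]:
    """For each non-baseline environment, list keys whose value differs from the baseline,
    split into security-relevant and other drift. A key missing on one side is drift too."""
    base = envs[baseline]
    report: Dict[str, Dict[str, Any]] = {}
    for name, cfg in envs.items():
        if name == baseline:
            continue
        security: Dict[str, Any] = {}
        other: Dict[str, Any] = {}
        for key in sorted(set(base) | set(cfg)):
            if base.get(key) != cfg.get(key):
                target = security if key in SECURITY_KEYS else other
                target[key] = (cfg.get(key), base.get(key))   # (this env, baseline)
        report[name] = {"security": security, "other": other, "fingerprint": fingerprint(cfg)}
    return report


def parity_ok(envs: Dict[str, Dict[str, Any]], baseline: str = "prod") -> bool:
    """True only when no environment has security-relevant drift from the baseline."""
    return all(not r["security"] for r in drift_report(envs, baseline).values())


if __name__ == "__main__":
    for env, r in drift_report(ENVIRONMENTS).items():
        print(f"{env}: security drift={r['security']} other drift={r['other']} fp={r['fingerprint'][:12]}")
    print("promote build:", parity_ok(ENVIRONMENTS))
```

Replica counts and log levels legitimately differ between environments, which is why the report separates them from security-relevant keys: only the latter block promotion, while the fingerprint gives the security team something concrete to validate and compare on the next run.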

Agile and DevOps Educate and Increase awareness

Agile and DevOps: People and Security

- Integrate member(s) of the security team with app dev experience into the team
- Training in secure development needs to be constant!
- People are your best defense!

Agile and DevOps There will be a constant tension between the need for speed and agility and meeting security needs of the organization. A healthy balance is important.