Theories of Agile, Fails of Security Daniel Liber CyberArk.


1 Theories of Agile, Fails of Security Daniel Liber CyberArk

2 Short Bio
- R&D Security Leader @ CyberArk
  – Promoting product security
  – SDLC
- ~10 years of experience
  – Research, consulting, PT, engineer
- CyberArk:
  – Privileged accounts security
- http://www.cyberark.com

3 “Success is stumbling from failure to failure with no loss of enthusiasm.” (Winston Churchill) Why Fail?

4 What can you take out of this talk?
- Predicting and preventing Agile-Security bottlenecks
- Balancing out security risks
- Security practices visibility
- Collaboration, delegation, validation

5 Most popular Agile slide in the world!
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan

6 Agenda We need to start from somewhere…

7 Microsoft’s SDL (Traditional)

8 Microsoft’s SDL (Agile)
- Sprint: Essential; performed every sprint
- Bucket: Important on a regular basis but can be spread across multiple sprints
- One time: Foundational; once at the start of every new Agile project

9 Scrum Explained
- Sprint: regular, repeatable, deliverable cycle
- Backlog: Prioritized stack of features
- Roles: Product Owner, Team, Scrum Master
- Stories: Requirement as user point of view
- Grooming: Refining the backlog
- Meetings: Planning, Daily, Summary, Retro
(Diagram: Product Backlog, Sprint Backlog, Sprint, Deliverables)

10 “Daily vs. Security Practitioner” Problem
- Sprint of 2 weeks
- Overseeing 4 teams
- Participating in every daily
- 15 minutes each daily
- 10 days X 4 teams X 15 minutes = 10 hours ~ 1 day = 10% of your sprint time

11 “Daily vs. Security Practitioner” Problem
Solution – use security champions
- Team members
- Security friendly
- Eyes and ears on meetings
- Potential for security team
(In a way, the team’s security bouncer)

12 Going back to Microsoft’s Agile SDL

13 Fast, short, easy threat modeling…?

14 “Demanding Security Task, Short Cycle” Problem
Solution – talk to Product Owner
- Product roadmap sharing
- Sensitive epics / features to review
- Allocate security sprints (buckets)
- Cut off: Decide on top threats to explore
(Cooperation with business is essential)

15 Visibility of Security in Agile
“The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.”
- Face-to-face meetings can’t reflect status of security task to a 3rd party
- Interactions require two or more to participate

16 Kanban Explained
- Incremental: Improvement by continuous change
- WIP: Working In Progress
- Cycle Time: Time from start to done of a task
- Visibility: Flow of work is visualized
- Board: Activity is managed using a Kanban board

17 Security Fixes and Improvements
How you wish to feel / How you feel

18 “This Security Issue Will Have To Wait” Problem
Solution – Define one of the next tracks:
- SLA (Hint: challenging, but still measurable)
- Security WIP
- Story points
  – Per product vs. per all products
  – Per sprint vs. per quarter
  – Fixes vs. Improvements

19 Integrating Security into Boards Boards with no visible security activities:

20 Integrating Security into Boards
Adding security lanes:
- Design → Design review column
- Dev → Static analysis / CR column
- QA → Penetration testing
Invisibility = Problems

21 Measuring Security in Agile
What is different from Waterfall?
- Building the big picture from small iterations
- Collecting evidence of simultaneous activities
- Vague control points
  – Should be every…
  – Sprint?
  – Group of sprints?
  – Version release?

22 RSA EU Conference 2012

23 Measuring Security in Agile
- Security cards on board
  – velocity, cycle time, etc.
- From Grooming to Ready
  – Each card gets a ‘security level’ score
  – Each score gets different attention for security
  – When card is ready, look for evidence
- Automation, automation, automation

24 Questions?
- Not all Agile theories help security
- Adjustments implemented will prevent fails
- Eliminate security bottlenecks
- Empower others to execute more security activities

25 Thanks!

26 Pictures references
- http://www.japanprobe.com/wp-content/uploads/hurdle-face.jpg
- http://memegenerator.net
- http://imgflip.com
- https://www.microsoft.com/en-us/SDL/Discover/sdlagile.aspx
- http://mascotdesigngallery.com

