Mastering Security in Agile/Scrum, Case Study - RSA Conference
From Waterfall to Agile
[Figure: the Scrum cycle. The Product Owner maintains the Product Backlog; the Sprint Planning Meeting fills the Sprint Backlog; the Team works in Sprints of ~2 weeks with a Daily Scrum Meeting every 24h, facilitated by the Scrum Master; each Sprint ends with a Sprint Review Meeting and a Deliverable. The cycle is mapped over the waterfall phases Requirements & Analysis, Design, Coding, Verification and Operation.]
Agile Transformation
Major R&D Agile Transformation: Ericsson Finland as forerunner, ~500 R&D employees working in software development for mobile networks
Not only process change – also a big cultural change!
From This / Through This / To This [three image slides illustrating the transformation]
CASE STUDY: Security in Agile
Background to the Case Study
R&D Transformation Case linked to the TiViT Cloud SW Research Project, initiated 2010
Multi-branched research, including Agile
Research partners with major interest in agile security
Problem statement for Security in Agile: current Agile/Scrum models do not have security embedded
What have we researched until now?
Agile Transformation – yes. But ... how is security embedded? How to make sure products developed with agile/scrum/lean are secure?
Develop good practice for global Ericsson R&D
Theory meets practice – or does it?
Starting Point – Risk Analysis (RA)
Old methodology: suited for product releases with relatively long intervals
Agile brings new requirements: more frequent product releases, more dynamic feature changes (short lead time)
Tangible outcome: New RA method
Promises: minimal preparation work required prior to the workshop; workshop of ½ – 2 days for a full product; for new features, very quickly … 15 min(?)
More fluid workshops: mind-maps instead of matrixes; more motivating for participants; using xMind (but any mind-map tool is ok)
Templates
Iterated and experimented 10-15 times before outlining the Agile RA methodology
Risk Management with Agile / Continuous Integration
Business Level Risk Analysis – updated every time the product backlog changes
Technical Level Risk Analysis – every time a sprint starts; every check-in; every Product Release
[Figure: the Scrum cycle (Product Owner, Product Backlog, Sprint Planning Meeting, Sprint Backlog, Team, Sprint ~2 weeks, Daily Scrum Meeting / Scrum 24h, Scrum Master, Sprint Review Meeting) with Validation of Risks feeding the Continuous Build and Releases 1, 2 and 3.]
What else has been achieved so far?
Security awareness – one key learning: security is much more visible now
Learning from other companies and organizations: research consortium, SafeCode… Don’t try this alone at home!
Next area to address in detail: Security Testing
Objective: to find a good working model
Set 1: Every Check-In
Set 2: Every Scrum
Set 3: Every Epic/sprint
Set 4: Every Product Release to Customer
Automate what you can
Some tests should not be automated
[Figure: the four test sets placed on the Scrum cycle (Product Owner, Product Backlog, Sprint Planning Meeting, Sprint Backlog, Team, Sprint ~2 weeks, Daily Scrum Meeting / Scrum 24h, Scrum Master, Sprint Review Meeting), the Continuous Build and Releases 1, 2 and 3.]
Security Requirements Management in Agile
Non-functional requirements (e.g. security requirements) – a challenge in Agile
2 fundamental problems: which requirements to choose; how to formulate the chosen requirements into Agile user stories
Negative user stories? – How to confirm by testing?
Example: Software Security Guidance for Agile Practitioners, www.safecode.org
And we continue with these as well
Processes: finalizing the process – security control points; how to add controls without sacrificing the ’agile model’
Organization: who should have which competence?
Measuring security... no good metrics for product security
Takeaways
How to Apply Security in Agile
Apply security ’agilely’: bit by bit, no ’one-big-shot’; adjust on the fly, give room for iteration
Allocate sufficient resources; take learnings from other companies; make use of existing material
For security in agile, define a strategy for:
Organization – Security Roles, Responsibilities
Process – Security Control Points
Security Requirements Management