SlideShare a Scribd company logo

Security in agile teams

Maria Gomez, profile picture
Maria Gomez

The document discusses the importance of security in agile teams, highlighting methods to improve security practices through better planning and testing. It emphasizes the need for a thorough understanding of current systems, threat landscapes, and essential security tools like password managers and static analysis tools. Additionally, it outlines the process for integrating security requirements and acceptance criteria in development and quality assurance phases.

Technology
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
D o u b l e - c l i c k t o e d i t SECURITY IN AGILE TEAMS Maria Gomez @mariascandella Barcelona June 2017
Developer Architect Coach Tech lead Speaker Security Expert
Developer Architect Coach Tech lead Speaker Security Expert
With great power comes great responsibility “ — uncle Ben https://flic.kr/p/5UDwbm
https://flic.kr/p/c12Ad
We could do better
Security in agile teams
BENEFITS • Higher confidence • Evolutionary model • Better testing and planning • Faster reaction to making improvements or fixes 
Security in agile teams
INCEPTION
WHAT’S THE CURRENT STATE? • List of existing systems/applications as well as their users. • Review of past incidents/attacks • Review of existing security policies and how they will impact the scope of the project
WHAT WILL BE BUILT?
WHAT IS THE CURRENT THREAT LANDSCAPE?  https://www.owasp.org/index.php/Application_Threat_Modeling
DELIVERY
SECURITY CHECKLIST • Secret Management tool for the team • Password Manager • Keep secrets out of source control • Dependency checker for the CI/CD pipeline • Static analysis tools Cade Cairns - Security Playbook (https://github.com/cairnsc/security-playbook)
READY FOR DEV • Identify security requirements • Introduce acceptance criteria Given an unauthenticated user enters the system When she tries to view her profile Then she is redirected to the login page #0
IN DEV
IN QA The system meets the acceptance criteria CFRs have been taken into account and implemented as part of the story, if necessary Established code conventions have been met Check against attack trees
IN PROD Incident Report Plan
CONTINUOUS IMPROVEMENT Given an unauthenticated user enters the system When she tries to view her profile Then she is redirected to the login page #
Security in agile teams
REFERENCES https://www.thoughtworks.com/insights/blog/incorporating-security-best- practices-agile-teams https://github.com/cairnsc/security-playbook https://martinfowler.com/articles/web-security-basics.html https://www.owasp.org/index.php/Main_Page
@mariascandella THANKS!

More Related Content

PDF
Security in agile teams
Maria Gomez
 
PDF
Why does security matter for devops by Caroline Wong
DevSecCon
 
PPTX
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
PPTX
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
PDF
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Franklin Mosley
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
Sonatype
 
Security in agile teams
Maria Gomez
 
Why does security matter for devops by Caroline Wong
DevSecCon
 
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Franklin Mosley
 
The Journey to DevSecOps
SeniorStoryteller
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24
 
RSAC DevSecOpsDays 2018 - We are all Equifax
Sonatype
 

What's hot (20)

PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PDF
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Napier University
 
PDF
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
PDF
Outpost24 Webinar - Creating a sustainable application security program to dr...
Outpost24
 
PDF
Top 5 Data Security Strategies in QA
QASource
 
PPTX
Cybersecurity is the Future of Computing
David Fry
 
PDF
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
PPTX
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon
 
PDF
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Security Conference
 
PPTX
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
PDF
Building Security Controls around Attack Models
SeniorStoryteller
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
PPTX
Perforce on Tour 2015 - How are You Protecting Your Source Code?
Perforce
 
PPTX
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24
 
PDF
Chaos monitoring
Mona Arkhipova
 
PDF
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
PPTX
A Call to Arms: Using a Working Model of the Attack Surface to Improve Incide...
Skybox Security
 
PDF
Estimating Development Security Maturity in About an Hour
Priyanka Aash
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
The path of secure software by Katy Anton
DevSecCon
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Napier University
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
Outpost24 Webinar - Creating a sustainable application security program to dr...
Outpost24
 
Top 5 Data Security Strategies in QA
QASource
 
Cybersecurity is the Future of Computing
David Fry
 
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon
 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Security Conference
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
Building Security Controls around Attack Models
SeniorStoryteller
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
Perforce on Tour 2015 - How are You Protecting Your Source Code?
Perforce
 
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24
 
Chaos monitoring
Mona Arkhipova
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
A Call to Arms: Using a Working Model of the Attack Surface to Improve Incide...
Skybox Security
 
Estimating Development Security Maturity in About an Hour
Priyanka Aash
 
Ad

Similar to Security in agile teams (20)

PDF
Security in a Continuous Delivery World
Dinis Cruz
 
PDF
Security in a Continuous Delivery World - 2015 - Sherif Mansour
Sherif Mansour
 
PPTX
Agile security
Arthur Donkers
 
PPTX
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PDF
Defense-Oriented DevOps for Modern Software Development
James Wickett
 
PDF
Defense-Oriented DevOps for Modern Software Development
VMware Tanzu
 
PPTX
Security Champions - Introduce them in your Organisation
Ives Laaf
 
PDF
[AKC2021] SAFe case study digital experience(Pete Rim)
AgileKoreaConference Alliance
 
PDF
BSides Vienna 2015
Daniel Liber
 
PDF
Owasp summit debrief v1.0 (jun 2017)
owaspsummit
 
PDF
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
James Wickett
 
PDF
Agile Secure Development
Bosnia Agile
 
PDF
Building Security Teams
Astera Esther Schneeweisz
 
PDF
The Path of DevOps Enlightenment for InfoSec
James Wickett
 
PPTX
BSidesSF talk: Overcoming obstacles in operationalizing security
Rafae Bhatti
 
PPT
Cyber Security integration
Carlo Dapino
 
PDF
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Matthew Rosenquist
 
PDF
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
PPTX
Owasp summit slides day 2
Dinis Cruz
 
Security in a Continuous Delivery World
Dinis Cruz
 
Security in a Continuous Delivery World - 2015 - Sherif Mansour
Sherif Mansour
 
Agile security
Arthur Donkers
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
Defense-Oriented DevOps for Modern Software Development
James Wickett
 
Defense-Oriented DevOps for Modern Software Development
VMware Tanzu
 
Security Champions - Introduce them in your Organisation
Ives Laaf
 
[AKC2021] SAFe case study digital experience(Pete Rim)
AgileKoreaConference Alliance
 
BSides Vienna 2015
Daniel Liber
 
Owasp summit debrief v1.0 (jun 2017)
owaspsummit
 
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
James Wickett
 
Agile Secure Development
Bosnia Agile
 
Building Security Teams
Astera Esther Schneeweisz
 
The Path of DevOps Enlightenment for InfoSec
James Wickett
 
BSidesSF talk: Overcoming obstacles in operationalizing security
Rafae Bhatti
 
Cyber Security integration
Carlo Dapino
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Matthew Rosenquist
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
Owasp summit slides day 2
Dinis Cruz
 
Ad

More from Maria Gomez (19)

PPTX
From Monolith to Observable Microservices using DDD
Maria Gomez
 
PDF
CQRS and Event Sourcing: A DevOps perspective
Maria Gomez
 
PDF
Splitting the monolith using Domain Driven Design
Maria Gomez
 
PDF
Observable Microservices (O'Reilly SACon London 2018)
Maria Gomez
 
PPTX
Effective team onboarding
Maria Gomez
 
PDF
Observable microservices (O'Reilly SACon NY 2018)
Maria Gomez
 
PDF
Observable Microservices
Maria Gomez
 
PDF
Splitting the Monolith
Maria Gomez
 
PDF
Taller de Refactorización (Campus Party Quito 2014)
Maria Gomez
 
PDF
Refactoring workshop (Campus Party Quito 2014)
Maria Gomez
 
PDF
Project Management - Report
Maria Gomez
 
PDF
Principles of New Media - Essay
Maria Gomez
 
PDF
Project Management - Risk management
Maria Gomez
 
PPTX
Responsive Environments - MoodMixer Presentation
Maria Gomez
 
PDF
Responsive Environments - Critical report
Maria Gomez
 
PDF
New Media Management - Gantt chart
Maria Gomez
 
PDF
New Media Management - Project plan
Maria Gomez
 
PPTX
New Media Management - Presentation
Maria Gomez
 
PDF
New Media Management - Report
Maria Gomez
 
From Monolith to Observable Microservices using DDD
Maria Gomez
 
CQRS and Event Sourcing: A DevOps perspective
Maria Gomez
 
Splitting the monolith using Domain Driven Design
Maria Gomez
 
Observable Microservices (O'Reilly SACon London 2018)
Maria Gomez
 
Effective team onboarding
Maria Gomez
 
Observable microservices (O'Reilly SACon NY 2018)
Maria Gomez
 
Observable Microservices
Maria Gomez
 
Splitting the Monolith
Maria Gomez
 
Taller de Refactorización (Campus Party Quito 2014)
Maria Gomez
 
Refactoring workshop (Campus Party Quito 2014)
Maria Gomez
 
Project Management - Report
Maria Gomez
 
Principles of New Media - Essay
Maria Gomez
 
Project Management - Risk management
Maria Gomez
 
Responsive Environments - MoodMixer Presentation
Maria Gomez
 
Responsive Environments - Critical report
Maria Gomez
 
New Media Management - Gantt chart
Maria Gomez
 
New Media Management - Project plan
Maria Gomez
 
New Media Management - Presentation
Maria Gomez
 
New Media Management - Report
Maria Gomez
 

Recently uploaded (20)

PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Security in agile teams