SlideShare a Scribd company logo

Integrating of security activates in agile process

Download as PPTX, PDF
Zubair Rahim, profile picture
Zubair Rahim

This document discusses integrating security activities into agile development processes. It outlines common security practices from frameworks like Microsoft SDL, Cigital Touchpoints, Common Criteria, and CLASP. The document presents a flow chart for integrating security into each stage of agile development, from planning and requirements to implementation and release. The goal is to leverage security best practices while maintaining agility.

Technology
Related topics:
agile-software-development
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Integrating of Security Activates in Agile Process PRESENTER: ZUBAIR RAHIM 1
Presentation Outline 2  What is security  Why We need security  Agile development  What is Agile Security  Agile Security Manifesto  Integration of Security in Agile Development Method  Integration Method
What is cyber security 3  Cyber security or IT security, is the protection of computer systems from the theft or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide. (Wikipedia)  It covers all aspects of ensuring the protection of citizens, businesses and critical infrastructures from threats that arise from their use of computers and the Internet.  CIA 
Why We need security 4 MORE THAN 2.5 BILLION RECORDS STOLEN 2017 ... The 2003 loss estimates by these firms range from $226 billion.
Agile Development SUMMARY.JPG
Agile Security 6  Today large parts of the industry have shifted software development from a former waterfall model to a more flexible agile software development process.  So the industry experience, identify what practices from mature SE processes are easily integrated and also provide a benefit to agile projects.
Cigital’s “Agile Security Manifesto” 7 Rely on good developers and testers over security specialists 01 Implement secure architecture over adding security features afterwards 02 Continuously improve security over completely changing processes 03 Focus on fixing software over finding bugs 04
Integration of Security in Agile Development Method 8  The four highly profile SE processes 1. Microsoft SDL, 2. Cigital Touchpoints, 3. Common Criteria and 4. CLASP are investigated.  Based on these investigations a total of 41 security activities are obtained.
9
Cigatel Touchpoints 10  lightweight SE process
Common Criteria  International set of guidelines and specifications developed for evaluating information security products.  ISO certified  Requirements  Security Requirements  Agree on definitions  Design  Risk Analyses  Critical Assets  UMLSec  Requirements Inspection  Release  Repository Improvement 11
CLASP 12  Comprehesive, Lightweight Application Security Process
Comparison of secure software development standards and models 13
Integration Method  It is good to use these security activities for a secure software development but may be with the integration of some heavy weight activities may lead to loss of agility of a process. To handle the issue of Integration of agile and security issue a flow chart is introduce. 14
15
16

More Related Content

PPTX
Deep secure holistic protection for ICS
johnsdeepsecure
 
PDF
Cybersecurity Summit 2020 Slide Deck
Cimetrics Inc
 
PPTX
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
 
PDF
Iio t security std
Plantconnectiot
 
PPTX
2019 Infosec World Keynote
John Kinsella
 
PDF
Cloud native patterns antipatterns
Martin Stemplinger
 
PDF
Cybersecurity for Field IIoT Networks
Yokogawa1
 
PPTX
Cybersecurity automation
Jaimingondaliya1
 
Deep secure holistic protection for ICS
johnsdeepsecure
 
Cybersecurity Summit 2020 Slide Deck
Cimetrics Inc
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
 
Iio t security std
Plantconnectiot
 
2019 Infosec World Keynote
John Kinsella
 
Cloud native patterns antipatterns
Martin Stemplinger
 
Cybersecurity for Field IIoT Networks
Yokogawa1
 
Cybersecurity automation
Jaimingondaliya1
 

What's hot (20)

PPTX
ICS (Industrial Control System) Cybersecurity Training
Tonex
 
PDF
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
PDF
Limitless xdr meetup
Daliya Spasova
 
PDF
Conferencia principal: Evolución y visión de Elastic Security
Elasticsearch
 
PDF
Operationalize with alerting, custom dashboards, and timelines
Elasticsearch
 
PPTX
ISO/IEC 27032 – Guidelines For Cyber Security
Tharindunuwan9
 
PDF
Elastic SIEM (Endpoint Security)
Kangaroot
 
PPTX
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
EnergySec
 
PPTX
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Eric Andresen
 
PPTX
Securing the ‘Wild Wild West’: USM for Universities
AlienVault
 
PPTX
Industrial Cyber Security: What is Application Whitelisting?
honeywellgf
 
PDF
The Firewall Policy Hangover: Alleviating Security Management Migraines
AlgoSec
 
PDF
Elastic Security: Proteção Empresarial construída sobre o Elastic Stack
Elasticsearch
 
PDF
Friday Forum ISO 27001: 2013
APEXMarCom
 
PDF
Security Starts at the Endpoint
Elasticsearch
 
PPTX
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Ignyte Assurance Platform
 
PPT
Integrating Multiple IT Security Standards
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PDF
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
PPTX
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
DialogueScience
 
DOCX
Infosecforce security services
Bill Ross
 
ICS (Industrial Control System) Cybersecurity Training
Tonex
 
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Limitless xdr meetup
Daliya Spasova
 
Conferencia principal: Evolución y visión de Elastic Security
Elasticsearch
 
Operationalize with alerting, custom dashboards, and timelines
Elasticsearch
 
ISO/IEC 27032 – Guidelines For Cyber Security
Tharindunuwan9
 
Elastic SIEM (Endpoint Security)
Kangaroot
 
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
EnergySec
 
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Eric Andresen
 
Securing the ‘Wild Wild West’: USM for Universities
AlienVault
 
Industrial Cyber Security: What is Application Whitelisting?
honeywellgf
 
The Firewall Policy Hangover: Alleviating Security Management Migraines
AlgoSec
 
Elastic Security: Proteção Empresarial construída sobre o Elastic Stack
Elasticsearch
 
Friday Forum ISO 27001: 2013
APEXMarCom
 
Security Starts at the Endpoint
Elasticsearch
 
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Ignyte Assurance Platform
 
Integrating Multiple IT Security Standards
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
DialogueScience
 
Infosecforce security services
Bill Ross
 
Ad

Similar to Integrating of security activates in agile process (20)

PPTX
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
PDF
Comparitive Analysis of Secure SDLC Models
IRJET Journal
 
PPTX
Secure Software Development Lifecycle
1&1
 
PPTX
111.pptx
JESUNPK
 
PDF
F_DR_Dark Reading Editorial Report_March 2022.pdf
josbjs
 
PDF
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
NathanDjami
 
PDF
Assurance-Level Driven Method for Integrating Security into SDLC Process
Seungjoo Kim
 
PDF
OT Security Architecture & Resilience: Designing for Security Success
accenture
 
PPTX
Secure DevOPS Implementation Guidance
Tej Luthra
 
PDF
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
PDF
4-lessons-of-security-leaders-for-2022.pdf
Jose R
 
PPT
The best way to use ISO 27001
powertech
 
PDF
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
ijseajournal
 
PDF
Microsoft Azure Security Techniquesand How Azure security can enhance your or...
Eric Amarasinghe
 
PDF
PAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
Mighty Guides, Inc.
 
PDF
Agile Product Development for IoT Best Practices.pdf
aaravgupta658
 
PDF
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Alan Yau Ti Dun
 
PDF
Accelerating OT - A Case Study
Digital Bond
 
PDF
Cybersecurity in Oil & Gas Company
Eryk Budi Pratama
 
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Comparitive Analysis of Secure SDLC Models
IRJET Journal
 
Secure Software Development Lifecycle
1&1
 
111.pptx
JESUNPK
 
F_DR_Dark Reading Editorial Report_March 2022.pdf
josbjs
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
NathanDjami
 
Assurance-Level Driven Method for Integrating Security into SDLC Process
Seungjoo Kim
 
OT Security Architecture & Resilience: Designing for Security Success
accenture
 
Secure DevOPS Implementation Guidance
Tej Luthra
 
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
4-lessons-of-security-leaders-for-2022.pdf
Jose R
 
The best way to use ISO 27001
powertech
 
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
ijseajournal
 
Microsoft Azure Security Techniquesand How Azure security can enhance your or...
Eric Amarasinghe
 
PAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
Mighty Guides, Inc.
 
Agile Product Development for IoT Best Practices.pdf
aaravgupta658
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Alan Yau Ti Dun
 
Accelerating OT - A Case Study
Digital Bond
 
Cybersecurity in Oil & Gas Company
Eryk Budi Pratama
 
Ad

Recently uploaded (20)

PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Cloud computing and distributed systems.
kkkkkhan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Integrating of security activates in agile process

  • 2. Presentation Outline 2  What is security  Why We need security  Agile development  What is Agile Security  Agile Security Manifesto  Integration of Security in Agile Development Method  Integration Method
  • 3. What is cyber security 3  Cyber security or IT security, is the protection of computer systems from the theft or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide. (Wikipedia)  It covers all aspects of ensuring the protection of citizens, businesses and critical infrastructures from threats that arise from their use of computers and the Internet.  CIA 
  • 4. Why We need security 4 MORE THAN 2.5 BILLION RECORDS STOLEN 2017 ... The 2003 loss estimates by these firms range from $226 billion.
  • 6. Agile Security 6  Today large parts of the industry have shifted software development from a former waterfall model to a more flexible agile software development process.  So the industry experience, identify what practices from mature SE processes are easily integrated and also provide a benefit to agile projects.
  • 7. Cigital’s “Agile Security Manifesto” 7 Rely on good developers and testers over security specialists 01 Implement secure architecture over adding security features afterwards 02 Continuously improve security over completely changing processes 03 Focus on fixing software over finding bugs 04
  • 8. Integration of Security in Agile Development Method 8  The four highly profile SE processes 1. Microsoft SDL, 2. Cigital Touchpoints, 3. Common Criteria and 4. CLASP are investigated.  Based on these investigations a total of 41 security activities are obtained.
  • 9. 9
  • 10. Cigatel Touchpoints 10  lightweight SE process
  • 11. Common Criteria  International set of guidelines and specifications developed for evaluating information security products.  ISO certified  Requirements  Security Requirements  Agree on definitions  Design  Risk Analyses  Critical Assets  UMLSec  Requirements Inspection  Release  Repository Improvement 11
  • 14. Integration Method  It is good to use these security activities for a secure software development but may be with the integration of some heavy weight activities may lead to loss of agility of a process. To handle the issue of Integration of agile and security issue a flow chart is introduce. 14
  • 15. 15
  • 16. 16

Editor's Notes

  • #7: SecDev checlilist: https://www.sqreen.com/checklists/devops-security-checklist It’s an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.
  • #8: 2- Use SMEs to develop security features – E.g. authentication, authorization, data validation, crypto, etc Focus on fixing software over finding bugs • Penetration testing, secure code review etc. find issues, but they don’t magically fix them for you • Automated security tools are great at findings issues…… even if the issue doesn’t exist! – And they don’t fix the issues for you • Apply a risk-based approach to focus development effort on the issues that matter and that cannot be handled through other means – E.g. business process, contracts, monitoring, etc. • Use the development backlog to communicate and prioritise issues that need to be remediated
  • #9: A comprehensive approach for agile development method selection and security enhancement A Sharma, RK Bawa - Proceedings of the International Journal of …, 2016 - ijiet.com
  • #11: https://betanews.com/2016/07/21/new-approach-agile-security/
  • #12: (Mellado, Fernandez-Medina, and Piattini 2006).
  • #14: https://www.researchgate.net/publication/267704821_Review_on_Common_Criteria_as_a_Secure_Software_Development_Model
  • #15: A comprehensive approach for agile development method selection and security enhancement A Sharma, RK Bawa - Proceedings of the International Journal of …, 2016 - ijiet.com