'Security First' Agile Delivery

Cloud First and Mobile First are currently common drivers of IT strategy. Security, however, is by necessity also paramount when it comes to delivering applications, systems and services in these realms. How can we ensure security at every layer of the application stack, from cloud infrastructure, through platform, to application? How can we use Agile to drive security as a high priority while still balancing risk against the developer and end-user experience? How do we attain, in government, the vision of Adaptive and Reactive security pioneered by industry leaders such as Netflix?

This is a talk about practical means to inject security into Agile delivery, starting with people, through process, and last but not least, with tools.


Outline/structure of the Session

  • Introduction - 2 min
  • Review Cloud Shared Security Responsibility Model - 5 min
  • Inject Security - 30 min
    • People
      • Product Owner
        • How can the Product Owner prioritize security?
      • Development team
        • How can security minded development occur?
      • Scrum Master
        • How can the Scrum Master ensure security is accounted for in acceptance criteria, the definition of done, and impediments?
    • Process
      • Agile Ceremonies
        • How can security be injected into Scrum?
        • How can security be injected into Kanban?
        • How can security be injected into SAFe?
    • Tools
      • DevOps: how can security be applied to deliver:
        • infrastructure as code?
        • software defined networking?
        • applications?
      • Metrics
        • What metrics can we define and use to inform our security posture?
  • Questions & Answers - 8 min

Learning Outcome

Learn how to inject security into Agile delivery, from people, through Agile processes, to DevOps tooling, while staying compliant with federal security requirements.

Learn potential answers to the questions raised in the talk.

Target Audience

Security Professionals, IT Professionals, Product Owners, Scrum masters, Agile developers, DevOps Engineers

Submitted 1 year ago


  • Liked Brian Sjoberg

    Brian Sjoberg - Let's Sharpen Your Agile Ax, It's Story Splitting Time

    Brian Sjoberg
    Agile Coach
    Excella Consulting
    1 year ago
    Sold Out!
    45 Mins
    Workshop
    Beginner

    Do you want to write great User Stories that provide the vehicle for conversation and confirmation that we build the right thing? Do you struggle with splitting stories so that they still provide business value but can be accomplished within a fraction of your iteration and be potentially shippable to production? We will do a quick refresher on User Story formatting to include Acceptance Criteria. Then we will dive into learning techniques for splitting stories in this interactive workshop. 

  • Liked Andrea Goulet

    Andrea Goulet - Vulnerability: The Key To Successful Agile Adoption

    Andrea Goulet
    CEO
    Corgibytes, LLC
    1 year ago
    Sold Out!
    45 Mins
    Talk
    Beginner

    Software development culture has been dominated by the hero. Rock stars, ninjas, and 10Xers have been the center of attention, giving the skewed perception that great software is the result of a single amazing developer. But this couldn't be further from the truth.

    In this talk, Andrea Goulet, the CEO of Corgibytes, will share her experiences using vulnerability and empathy as drivers for Agile adoption and culture building. 

  • Liked Fadi Stephan

    Fadi Stephan - Fostering Self-organizing Teams

    45 Mins
    Workshop
    Intermediate

    One of the 12 principles of the Agile manifesto states that “The best architecture, requirements, and designs emerge from self-organizing teams.” Why is that, and what exactly are self-organizing teams? How does a team become self-organizing? Teams that have always been used to command and control cannot suddenly become self-organizing overnight. Come to this session to learn what self-organizing really means. Understand the attributes of a self-organizing team and some of the challenges you face in getting your team there. Understand how to find the right balance between team learning and team empowerment vs. control. Leave with techniques to help you build and foster high-performing self-organizing teams.

  • Liked Manjit Singh

    Manjit Singh - Project Managers, Transform Thyself! From Command-n-Control to Facilitation & Collaboration Enabler

    45 Mins
    Workshop
    Beginner

    No one has more trouble making the switch to Agile than traditional PMs. Learn how to Inspect and adapt your way to a more Agile version of you and design a journey towards facilitation and collaboration mastery.

  • Liked Anantha Bangalore

    Anantha Bangalore - Agile stops Ransomware

    45 Mins
    Talk
    Beginner

    In recent days Ransomware attacks have become one of the worst cyber security threats. Ransomware is a class of malware which denies access to user data by various means. Many businesses believe that paying the ransom is the most effective way of getting their data back. This in turn is fueling the rapid development of new strains of ransomware. Ransomware attacks started out by targeting individual users through phishing attacks. In recent years, as illustrated by the attack on the MedStar group of hospitals, new strains of Ransomware malware such as Loki and SamSam are targeting vulnerabilities in entire networks. This ransomware, instead of targeting individual users, targets entire networks, encrypting all the data it can access for a larger lump-sum payout. Ransomware such as SamSam exploits unpatched deployments of various popular application platforms such as JBoss. These new strains are also attacking backups.

    One of the most effective ways to combat ransomware is to have a robust backup strategy. While there is a tremendous focus on developing functionality fast, tasks such as Backup are not something developers focus on, even in organizations where Agile and DevOps are reasonably mature. Many times there is an assumption that Backup is occurring and it is someone else’s problem.

    Given that ransomware attacks are not only targeting the primary systems, but also backups, it is critical to ensure there are effective backup strategies that ensure there is no path from the primary systems to the backup systems.

    As part of the Agile development and DevOps lifecycle, enterprises need to focus on ensuring all data is being backed up in a safe and secure location that allows them to quickly recover from attacks. If backups are tightly integrated into the CI/CD pipeline, it enables enterprises to quickly recover from Ransomware or other attacks and ensures Operational Resiliency for the enterprise.

    In this talk we will describe the dangers posed by various strains of Ransomware to enterprises and show how Agile and DevOps can be used to effectively combat ransomware attacks.

  • Liked Tanusree McCabe

    Tanusree McCabe - Automating Cloud Infrastructure: Cloud Native vs Cloud Neutral

    45 Mins
    Demonstration
    Beginner

    Do you want to learn more about developing infrastructure as code? How about software defined networking? Are you interested in real-life examples of automating application stacks? Are you interested in learning about cloud native services versus cloud neutral tools that can automate infrastructure?

    If you said 'yes' to any of these, then this session is for you. In this session, I will demonstrate how to automate application stacks using an Amazon Web Services (AWS) cloud environment, with both AWS native services as well as AWS-agnostic tools.

  • Liked Fadi Stephan

    Fadi Stephan - Agile Contracts - Doomed from the Start

    45 Mins
    Talk
    Advanced

    "Customer collaboration over contract negotiation" is one of the 4 values of the Agile manifesto. However, this remains a challenging value to adopt in practice, especially when dealing with a client/vendor relationship. Many organizations and contracting officers still rely on traditional contracting arrangements that directly conflict with the 4th value of "responding to change over following a plan". Others adopt more creative Agile contracts that have their own pitfalls, which may result in counterproductive behavior that negatively impacts collaboration. In this session we will look at such contracts. We will compare and contrast different types of contracts and learn how some lead to enhanced customer collaboration while others might destroy the client/vendor relationship. We will go over some examples of specific contract clauses, discuss the intent behind the clauses, and compare expected team behavior vs. observed team behavior. Come to this session to learn about Agile contracts. Learn how to identify contract clauses that will result in anti-Agile and non-collaborative behavior. Learn what aspects encourage collaboration and how to structure contracts that result in a win-win for both client and vendor.