As recent reports in the news and elsewhere have shown, cyberattacks come from many sources. How can we use Agile practices to improve an organization's information security posture?

In this session, Dan and Paul will discuss techniques that can help make information security an integral part of software development and speed your response to threats. They will cover the use of hardening pipelines, dark stories, and user stories/acceptance criteria that map to policy guidance based on NIST 800-53 controls, and how each approach improves your security posture from a different angle.

 

Outline/structure of the Session

This talk will cover methods for improving the security posture. The current working outline of the talk is as follows:

Introduction/Speaker background (~2 min)

Describe the problem (~5 min)

Hardening Your System with a CI/CD Pipeline (~15 min)

How NIST 800-53 based controls can be reflected in user stories and acceptance criteria (~7 min)

The use of dark stories to thwart the hacker (~7 min)

Q&A (~5-10 min)

Learning Outcome

In this session, attendees will learn:

  • how development teams can take advantage of secure server images built using a CI/CD pipeline
  • how security policies can be turned into user stories and/or acceptance criteria
  • how dark stories can reflect potential bad-actor behavior and be used to drive how to thwart that behavior

Target Audience

Technical Managers, Development Team Members, Security Professionals

Prerequisite

A basic understanding of automated testing, continuous integration, and user story concepts would help as these concepts will be discussed, but the basics will be presumed to be known.

Submitted 4 months ago

Comments
  • George Dinwiddie  ~  3 months ago

    Can you explain the NIST 800-53 controls in plain language?

    • Paul Boos  ~  2 months ago

      Sorry it took a while to get back; interestingly, I never got notified on this particular one and caught it while I am playing catch-up after getting back from vacation...

      I'm not sure I fully understand what you are asking; do you want plain English about what 800-53 Guidance is, or about the controls themselves? I am going to assume the latter, so some example controls in plain English are that NIST 800-53 Guidance would state that for a login:

      - one control would be a set of complexity rules for passwords

      - another control would be how many login attempts one can have before they are locked for some amount of time

      A couple of others for a session:

      - the session, from the time of presenting a login page until log out, will have ___ encryption

      - the application's session can be inactive for some amount of time before the session is terminated

      These examples are a couple of software-centric ones. (There are others that are not software-centric.) The agency fills in the times, number of attempts, and other undefined variables. What this portion of the session will present is how these can become acceptance criteria or user stories, as opposed to the complicated method of presentation in NIST 800-53 and the follow-on Agency policy that fills in the undefined variables.

      Hope that helps!

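As an added illustration of the comment above (this is not code from the proposal or its authors), here are three of the plain-English controls Paul lists written as executable acceptance criteria, with the values the agency fills in left as parameters. The NIST 800-53 control identifiers in the comments (IA-5, AC-7, AC-12) are my own mapping and are not cited on the page; the policy values and account names are constructed samples, and the transport-encryption control is omitted because it is a deployment property rather than application logic.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AgencyPolicy:
    """The 'undefined variables' the agency fills in. Constructed sample values."""
    min_password_length: int = 12
    min_character_classes: int = 3   # of: upper, lower, digit, symbol (IA-5)
    max_failed_logins: int = 5       # failures allowed before lockout (AC-7)
    lockout_seconds: int = 900       # how long the account stays locked (AC-7)
    session_idle_seconds: int = 600  # inactivity before the session ends (AC-12)


_CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(password: str, policy: AgencyPolicy) -> bool:
    """Acceptance criterion: length and character-class mix per agency policy."""
    classes = sum(1 for pattern in _CHARACTER_CLASSES if re.search(pattern, password))
    return (len(password) >= policy.min_password_length
            and classes >= policy.min_character_classes)


@dataclass
class LoginGuard:
    """Tracks consecutive failed logins per account and enforces the lockout criterion."""
    policy: AgencyPolicy
    _failures: dict = field(default_factory=dict)      # account -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout period has elapsed: clear state so the account gets a fresh budget.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, credentials_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. A locked account is refused even with
        correct credentials, which is the behaviour the acceptance criterion asks for."""
        if self.is_locked(account, now):
            return "locked"
        if credentials_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.policy.max_failed_logins:
            self._locked_until[account] = now + self.policy.lockout_seconds
            return "locked"
        return "failed"


def session_is_active(last_activity: float, now: float, policy: AgencyPolicy) -> bool:
    """Acceptance criterion: the session is terminated once idle for the configured period."""
    return (now - last_activity) < policy.session_idle_seconds


if __name__ == "__main__":
    # Constructed walk-through: five wrong passwords for 'alice' trigger the lockout.
    policy = AgencyPolicy()
    guard = LoginGuard(policy)
    for _ in range(policy.max_failed_logins):
        print(guard.attempt("alice", False, now=1000.0))
    print(guard.attempt("alice", True, now=1001.0))   # still locked
    print(guard.attempt("alice", True, now=1900.0))   # lock expired, login succeeds
```

Each function is the check a CI job would run against the agency's filled-in policy, so the acceptance criterion fails visibly when the values are misconfigured.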

  • David W Kane / George Paci - Dicey Markets: A Product Owner Simulation

    45 mins
    Workshop
    Intermediate

    Product owners face a challenge: potential new markets are vast and full of unknowns. Current thinking in successful product management recognizes the importance of learning about potential customers and adapting product decisions to reflect those insights. However, many exercises and workshops geared towards product owners treat target products and markets as a fixed, concrete objective—failing to include any market feedback.

    Dicey Markets is a product owner simulation designed to reflect many of the forces driving product owners, including unknown information about the market, competitive pressure, and technical debt. The simulation emphasizes the role of rapid, regular feedback in creating successful products in the face of uncertain markets.

  • Gene Gotimer - Experiences Bringing Continuous Delivery to a DoD Project

    Gene Gotimer, Technical Manager, Coveros, Inc.

    45 mins
    Experience Report
    Beginner

    Not every continuous delivery initiative starts with someone saying "drop everything. Let's do DevOps." Sometimes you have to grow your practice incrementally. And sometimes you don't set out to grow a practice at all; you are just fixing problems with your process, trying to make things better.

    I'll walk through a case study of how our team worked on an exemplar project for the Department of Defense to show that agile could work in a decidedly waterfall culture. I’ll also discuss techniques and tools we used to bring a DevOps mindset and continuous delivery practices into an environment that wasn't already Agile.

    I'll talk about how we were able to start in development, where we had the most control, with a "let's start being Agile" initiative and working on "why is continuous integration important?" From there, we tackled one problem after another, each time making the release a little easier and a little less risky. We incrementally brought our practices through other environments until the project was confidently delivering working, QA-tested, security-tested releases that were ready for production every two weeks. I'll discuss the journey we took and the tools we used to build quality into our product, our releases, and our release process.

  • Colleen Johnson - End to End Kanban for the Whole Organization

    45 mins
    Talk
    Intermediate

    We often look to our engineering teams first to drive efficiency and speed to deliver, but as we optimize the flow of our development processes we quickly create pressure in the organizational workflow with the activities that feed into and out of product delivery. Product definition struggles to keep pace and establish a queue of viable options to pull from. Marketing efforts begin to pile up as features release faster than we can share the news. All of this stems from optimizing only one part of the overall system. In this talk we will look at how to scale Kanban practices to the entire organization to provide the visibility, flexibility and predictability to make every part of the business truly agile.

  • Mike Cottmeyer - Agile Transformations Explained

    Mike Cottmeyer, CEO & President, LeadingAgile

    45 mins
    Talk
    Intermediate

    Leading a large-scale agile transformation isn't about adopting a new set of attitudes, processes, and behaviors at the team level… it's about helping your company deliver faster to market, and developing the ability to respond to a rapidly-changing competitive landscape. First and foremost, it's about achieving business agility. Business agility comes from people having clarity of purpose, a willingness to be held accountable, and the ability to achieve measurable outcomes. Unfortunately, almost everything in modern organizations gets in the way of teams acting with any sort of autonomy. In most companies, achieving business agility requires significant organizational change.

    Agile transformation necessitates a fundamental rethinking of how your company organizes for delivery, how it delivers value to its customers, and how it plans and measures outcomes. Agile transformation is about building enabling structures, aligning the flow of work, and measuring for outcomes-based progress. It's about breaking dependencies. The reality is that this kind of change can only be led from the top. This talk will explore how executives can define an idealized end-state for the transformation, build a fiscally responsible iterative and incremental plan to realize that end-state, as well as techniques for tracking progress and managing change.

  • Richard Cheng - Group Hug: Implementing Agile Across Multiple Teams

    Richard Cheng, Principal, Excella Consulting

    45 mins
    Talk
    Intermediate

    The patterns for implementing Scrum at the team level have largely been set, but what about dealing with Agile and Scrum across multiple teams? Is the answer just magical words like scaling, or SAFe, or LeSS? What are the core concepts and successful patterns? Is it just one big group hug?

    In this session, we will explore core concepts around implementing Agile concepts across multiple teams. The session starts with a simulation that explores distributing people across teams (which will actually NOT involve any hugging). From there, this session dives into:

    • Prioritization across multiple teams
    • Product Ownership across multiple teams
    • Dependencies and team alignment
    • Communities of Practice
    • Communication and collaboration across teams
    • The role of managers
    • A quick look at scaling methods

    Coming out of this session, attendees will have an understanding of core concepts and fundamental helpful practices in implementing Agile concepts across multiple teams.

  • Julie Wyman - Multitasking is Evil

    Julie Wyman, Agile Coach, Excella Consulting

    10 mins
    Workshop
    Beginner

    For a long time multitasking has been considered a must-have skill when, in fact, it makes us less productive and more prone to error. But even with plenty of studies and papers supporting that idea, it can be hard to convince managers and stakeholders that we should be taking on less at a time. In this lightning talk, we'll run through one very quick, lightweight simulation (Multitasking is Evil) you can use to help make that case and show that lowering work in progress is the way to go!

  • Brian Sjoberg / Julie Wyman - Understanding the Whole System, Not Just a Part

    45 mins
    Tutorial
    Beginner

    Are your solutions to recurring issues yielding only minor improvements? Are some of these solutions actually making things worse in the long run? When answering yes to these, typically we are trying to solve the issues with too narrow a view. Oddly, we think we are addressing it at a sufficient level, but usually we are not. In order to see the entire picture we need a common language that will enable us to understand an entire complex adaptive system (e.g. organizations, teams, individuals). Join us as we learn a language called System Modeling (a.k.a. Causal Loop Diagrams).

    With this language we will be able to have rich dialogue to gain a full understanding of the entire complex adaptive system so that we can create solutions at the fundamental level and not the symptomatic level. Addressing system issues at the fundamental level will significantly improve the system. Symptomatic solutions may give the appearance of improvement in the short term but typically make things worse in the long run. Unfortunately we usually pick the symptomatic solutions because they seem obvious and we don't realize the long term impacts because of feedback delays that could take weeks, months or even years to realize.

  • Chris Li, Founder, SparkPlug Agility

    45 mins
    Workshop
    Intermediate

    Have you spent a lot of energy and time with your teams focusing on estimation? Do you feel that everyone isn't quite on the same page? There are many challenges on teams who wish to work with an agile mindset, and negative patterns around estimation can have quite the impact on productivity and team morale.

    In this workshop, participants will revisit what a Product Backlog Item represents and exactly what an estimate represents. Using this as a foundation, session participants will learn about four distinct parts of a pattern that repeats itself in organizations who may not have a strong handle on these concepts. The workshop concludes with a lightweight estimation exercise that participants can take back to their organization.

    Having a better understanding of estimation is helpful, and having a simple yet powerful game to compare items relatively to one another will help break your teams of the pattern of misunderstanding the point of backlog item estimation.

  • 45 mins
    Workshop
    Intermediate

    Imagine you were hired to provide consulting assistance for a new team just starting out with Kanban. The team has been struggling with their implementation and is looking forward to your expert guidance, support, and advice. It’s your first day and you just walked into the team room to look at their board. You want to make smart observations and thoughtful interpretations so you can have meaningful conversations with the team members. The team starts assembling in the team room for the daily standup and you plan on making some comments afterwards.

    What comments would you make? What thoughtful questions would you ask?

    This interactive presentation provides a detailed look at how to interpret and thoughtfully observe Kanban Boards to better understand the work of your teams. We will start with an overview of the Lean Kanban Method and then proceed through a series of interactive exercises that give you an opportunity to review and interpret various Kanban boards. The exercises will increase your understanding of Kanban systems and provide opportunities to practice interpreting various board setups so you can have thoughtful and meaningful conversations with your teams.

  • Rachel Whitt / John Hughes - Impact Mapping Workshop: Deliver Business Outcomes, Don't Just Ship Software

    45 mins
    Workshop
    Beginner

    Our roadmaps and backlogs are usually littered with pet projects, squeaky wheels, and recent ad hoc items that gain priority simply because they are the latest shot across our bow. Impact mapping is a powerful practice that helps us identify and align our work to the most valuable business goals and mission objectives and avoid many of the common challenges that arise from an unfocused set of work priorities.

    Impact maps help us visualize quantifiable benefits that deliverables should produce towards our business objectives. They allow us to focus our work on those deliverables that move the needle the most, not just deliver features. The practice is a great way to communicate assumptions, create plans, and align stakeholders as well as aid in strategic planning, roadmap management, and defining measures of success and quality.

    This workshop will provide an appreciation for the power of impact mapping by walking you through building your own impact maps and the facilitation process for doing so in your own organization. You will leave the workshop having participated in a tangible example of the technique, and having gained an understanding of best-practices for facilitation with a focus on an impact map’s outputs and how they lead into the creation of actionable user stories when completed. Hands-on collaboration with your fellow attendees will help encourage your own application of this technique in your real world road-mapping and backlog refinement activities.

  • Dante Vilardi / David Bujard / Nate Conroy - Agile Program Measurement at Scale: What Worked, What Didn't

    45 mins
    Experience Report
    Intermediate

    Everyone wants to know which Agile metrics really count, and why. But a lot comes down to context: who's asking, what decisions are on the horizon, how you communicate, and so forth. Add scale, and you've got a major challenge.

    David Bujard, Dante Vilardi and Nate Conroy have spent the last few years trying to figure out how to make agility measurement effective at a big federal program. In this talk they will discuss lessons learned from numerous experiments -- those that produced results, and those that didn't.

    David and Dante are Agile coaches who support a transformation program at USCIS.

  • Brandon Carlson - From Continuous Delivery To Continuous Compliance

    Brandon Carlson, IT Nerd, Lean TECHniques

    45 mins
    Talk
    Beginner

    Continuous Delivery (CD) and regulatory compliance are two critically important ingredients in today's connected organizations. CD enables you to move quickly and respond to change in an era where change is increasing at an exponential rate with no sign of slowing down. Regulatory compliance ensures that your organization takes the appropriate steps to follow applicable laws, and appears to require adding burdensome processes and controls to your software development lifecycle. While they appear to be at odds with one another at first, they actually complement each other well. While maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls can be difficult, integrating these tasks within your CD pipeline is easier than you think. Using examples from real-world projects in organizations just like yours, Brandon explains how to integrate compliance and reporting into your CD pipeline using tools you already know such as pair programming, Jenkins, Chef, Metasploit, and others, leading you to the regulatory promised land known as "Continuous Compliance".

  • David Horowitz - Stop complaining and start learning! Retrospectives that drive real change.

    David Horowitz, Cofounder and CEO, Retrium

    45 mins
    Talk
    Intermediate

    Good retrospectives (you know, the ones that actually lead to real change?) rest on three pillars:

    1. people,
    2. process, and
    3. follow-through

    What makes retrospectives so difficult is that if any of these three pillars starts to crack, it's next to impossible to succeed. Ultimately, getting the right people in the room, utilizing a good process to facilitate the conversation, and following-through on the learning outcomes depend on having an organizational culture that encourages learning, transparency, feedback loops, and continuous improvement.

    If this sounds like your company already, then great! This talk is not for you. For everyone else, join us to explore the current trends of employee engagement, how they overlap with agile retrospectives, and the true opportunity each team member has to improve the quality, speed, and outcome of their work. 

  • Daphne Puerto / Fadi Stephan - UX in an Agile World

    45 mins
    Talk
    Intermediate

    Many UX designers struggle to work within a Scrum environment and see Scrum as a framework mainly for developers. Working in time-boxed Sprints and delivering small pieces iteratively and incrementally might force designers to focus on a single story at a time. This in turn can lead to tunnel vision, losing focus of the big picture and resulting in a fragmented user experience. Come to this presentation to learn where design fits in Scrum and how to apply design principles in Agile environments and work effectively with Scrum teams to produce a great user experience.

  • Matt Barcomb / Trent Hone - Thwarting Your Agile Despondence!

    45 mins
    Talk
    Beginner

    Tired of Agile as lip service?

    Feel like Lean is getting lost?

    Being asked to improve everything without changing anything?

    Do you want to know what you can do about it?

    If so, this talk is for you! Join Trent and Matt as they use Institutional Theory to examine the current state of Agile adoption, what it means for our work today, and what it suggests for the future.

    They’ll explain the increasing emphasis on frameworks, the move away from lightweight methods, and the paradoxes we’ve all observed in Agile adoptions. These developments follow clear and established patterns; they’re not unexpected. Come explore why we are where we are, and what we can do to move beyond Agile Despondency.

  • Rodney Bodamer - Lean Delivery Learnings: Tailoring Agile for Government Programs

    45 mins
    Talk
    Intermediate

    In the last five years there has been a tremendous surge in the volume of Federal procurements calling for lean and agile solutions to complex problems. In spite of this, many of these same Government agencies still cling to traditional waterfall models of delivery.

    How do we embrace lean and agile principles while delivering under these constraints within large-scale Government agile software delivery initiatives?

    What agile approaches can be effectively used "out of the box", while others may need to be tailored to address legacy Government processes and operating environments?

    In this talk I'll walk through each of the seven Lean principles and unveil how -- on two Federal Government scaled-agile engagements -- specific lean-agile processes and approaches were tailored for program delivery success, while remaining compliant with agency mandates.

  • Nayan Hajratwala - Building a Continuous Deployment Pipeline from Scratch

    45 mins
    Tutorial
    Intermediate

    Confused about Continuous Integration vs Delivery vs Deployment? Not sure how to take the next step towards Continuous Deployment?

    In this session, Nayan will remove the confusion around the "Continuous" terms. He'll then show you how to go from Commit to Production with no manual steps, while remaining confident that your production system remains stable. We will do this with a variety of open source tools -- from traditional build & integration tools to modern deployment environments & monitoring. You'll leave the session inspired and ready to build your own Continuous Deployment Pipeline when you get back to work.

  • Phillip Manketo / Dave McMunn - Building Strong Foundations… Underwriting Fannie Mae's Agile Transformation

    45 mins
    Experience Report
    Advanced

    Over the course of the last two and one-half years, Fannie Mae has worked aggressively to transform itself from a heavily silo'd and firmly entrenched command-and-control culture, following a gated workflow with long release cycles, to an Agile organization. Today, Fannie Mae is a more dynamic, value-oriented organization that is responsive to stakeholders, focused on achieving greater efficiency by enabling fast-feedback loops, as well as using empirical data to optimize mature and persistent agile values and practices.

    Within the larger context of the transformation to enterprise agility, this Experience Report will focus on the case for change, Fannie Mae's journey and the corresponding challenges, benefits and key learnings realized. Our conclusion: while it is important to build bridges with business stakeholders, mature agile teams, leverage automation and embrace the values and principles of the agile manifesto… a successful and longstanding transformation is dependent upon an unrelenting focus on changing the ecosystem supporting the organization's change at the outset.

  • Rob Myers - How Agile Technical Practices Facilitate Disruptive Innovation

    45 mins
    Talk
    Advanced

    Leaders of development teams want to be able to adapt their existing product to innovative ideas and shifting market conditions. This is often the reason organizations "go Agile," yet this flexible ability to deliver rich business value is often frustratingly out of reach.

    Agile teams and their management are also familiar with the value of individual development practices: for example, Test-Driven Development's ability to catch defects early and to provide the team with the ability to confidently extend the product. What Rob has found by working with a number of teams, each for six months or more, is another much greater--and more rare--source of business value resulting from diligent attention to software craftsmanship and the resulting two-way trust that forms between Development and Product.

    You will hear a handful of surprising (but real) first-person tales, each detailing a time when changing market forces, dramatic pivots, disruptive technological changes, or insightful requests were managed by the delivery team within a single two-week sprint. Each of these "Black Swan User Stories" (Rob's term for powerful, risky, and unforeseen user-stories) resulted in multiplying user productivity, opening whole new markets, or delighting and retaining critical customers.

    What we found in each case was that rapid completion of our Black Swan User Stories was the result of diligent, disciplined application of a few Agile technical practices; and that this resulted in the concrete realization of organizations' long-held expectations for Agile software development.

  • Mathias Eifert - Agile Essentialism – Getting past rule-based Agile

    45 mins
    Workshop
    Intermediate

    Are you sometimes overwhelmed by the never-ending stream of Agile teachings you’re supposed to know and have at your fingertips to address every possible situation in the proper Agile way?

    Sure, Agile is a “mindset” and you’re supposed to “own your process” but the reality is, that’s not how we teach or learn or usually even talk about Agile. Instead, we are bombarded with ever more retro formats, technical practices, prioritization techniques, facilitation tips, and other snippets of wisdom that we should all know before we can be considered good Agilists. And if your job title is Scrum Master or Agile Coach, the range of things you’re expected to master only expands.

    In this session, Mathias Eifert will share how he found his footing in a vast sea of loosely connected Agile rules, processes, techniques and tools by recognizing that a small number of fundamental concepts can help with finding answers that are “good enough” as a starting point to tackle most new contexts or problems. Together, we will examine how many established Agile approaches can be traced back to these essential concepts and hopefully help each attendee a little further along on their journey from rules-based Agile to fundamental understanding.