It's a fallacy that software built using an agile process cannot be made secure, but this statement is often heard.  Reasons given by naysayers often include: sprints are too short to integrate security analysis, agile doesn't value formalizing the architecture/design that security analysis needs, and agile doesn't value the types of documentation necessary for security to be validated.  In this presentation, Mr. Payne dispels these myths and discusses an approach for integrating security analysis into an agile development process.  Participants will learn how to identify both bugs and flaws during agile software development and how disciplined continuous integration / continuous delivery significantly assists the security process.  Topics discussed within an agile context will include: secure requirements, threat modeling, architectural risk analysis, secure code review, security testing, and penetration testing.  Examples of building and delivering secure software for both commercial and government agencies will be given.


Outline/structure of the Session

1. The Myths of Secure Agile

2. Security analysis during initial planning

- Secure stories

- Non-functional requirements

- Threat modeling / architectural risk analysis

3. Security analysis during Sprints

- Threat modeling / architectural risk analysis

- Secure code review (tools & techniques)

- Functional security testing & the agile testing process

- Wrapping it all up in CI/CD

4. Security analysis during the End Game

- End-to-end security testing

- Penetration testing / red teaming

- Compliance / Audit

5. Examples of secure software built using agile

6. Wrapup

Learning Outcome

Participants will learn how to best incorporate necessary security methods/tasks into the entire agile development process.  Myths regarding security and agile will be dispelled.  An approach for leveraging continuous integration / continuous delivery to ease the security analysis process will be presented.

Target Audience

All agile roles will benefit from this presentation.

Submitted 3 years ago


  • Liked Max Saperstone

    Max Saperstone - Implementing Effective Testing for Behavior Driven Development using Cucumber-JVM

    60 mins
    Talk
    Intermediate

    Behavior Driven Development allows for high level, plain English tests to be written, and to describe and exercise a system. Unfortunately it is difficult to have these tests encompass all interfaces of a software system, and to reuse them in multiple scenarios. Specifying these tests to run at different levels and times without duplicating work is non-trivial, and frequently produces lots of rework. This presentation will focus on Cucumber to provide a robust framework for BDD, but any BDD framework can easily be substituted following the guidelines and practices covered in this talk. This is not your typical Cucumber tutorial. We will mostly be focusing on how to utilize Cucumber's flexible structure in combination with the Java language to write singular tests that run over multiple testing interfaces. This framework will build on the Cucumber basics to provide a generic model that also builds on the standard reports, giving additional information for debugging and traceability purposes. Test runners and inputs will also be discussed, to understand how to create more dynamic testing scenarios.

  • Liked Jeff Nielsen

    Jeff Nielsen - The Power of Commitments

    Jeff Nielsen
    SVP of Engineering
    3Pillar Global
    3 years ago
    60 mins
    Workshop
    Beginner

    Doing what you say you will do, when you say you will do it, is one of the key ways to build a relationship of trust. Conversely, nothing erodes trust more quickly than a couple of missed deadlines or broken promises.

    The ability to make and keep commitments is one of the hallmarks of a true Software Craftsman. Likewise, the most effective teams harness the power of commitment to forge strong and healthy partnerships with their customers. This is a surprisingly rare skill, but one that can be learned and improved.

    In this session we'll look at the different kinds of commitments we make as individuals and teams. We'll distinguish between commitments and predictions. We'll reflect on why we sometimes commit when we shouldn't and vice versa. Most importantly, we'll practice some crucial "commitment conversations." 

  • Liked shentonfreude

    shentonfreude - Making a Better Salad: Behavior-Driven Development with Lettuce

    30 mins
    Tutorial
    Intermediate

    Is your organization still using brittle GUI-driven tools to ensure applications can be tested? Do you find these difficult to map to the user stories that describe product owner/business needs? One of the current Agile practices for doing this is Behavior-Driven Development (aka Acceptance Test-Driven Development) and writing user stories and acceptance criteria in a Specification by Example format.  This has real power in that business people can understand the tests and the delivery team can ensure the code meets the tests, thus they serve as an example.


    This tutorial will give a short background on Specs by Example/BDD and then show you how to write such tests in Lettuce.  You will gain a deeper understanding of how you can apply this to writing your applications.


  • Liked Dragos Dumitriu

    Dragos Dumitriu - Why Kanban May Be Your Most Effective Tool for Improving Efficiencies in Operations and Maintenance, Business Process Management, and COTS Implementations

    Dragos Dumitriu
    Agile Coach
    CC Pace
    3 years ago
    60 mins
    Talk
    Intermediate

    Are you finding the demands on your team overwhelming and the process chaotic? Are your customers saying your team takes too long to deliver or that they have no idea what your team is busy doing? Do you have a growing backlog with requests months to years old? Are people with critical skills not available when you need them? Do you feel like priorities are changing all the time? On top of your ever-growing delivery workload, are you able to develop the capabilities of your team?

    The situations above reflect common challenges for software development teams and for IT Organizations in both private and public sectors.  Kanban is being used worldwide as a management method that helps teams pull themselves out of these sinkholes and dramatically reduce work delivery times, increase productivity and improve project visibility. The method’s rapid success is based on its adaptability to existing situations and on its evolutionary capabilities to evolve along with the challenges it must solve. When implemented correctly, it is relatively easy to adopt, encounters minimal resistance to change and quickly enhances morale and trust in organizations.

    This presentation aims to provide an introduction to Kanban core practices and why they work, and practical insights into where the method might best fit within your organization or agency.