Robin will be presenting the following session
  • Kelsey van Haaster

    Kelsey van Haaster / Robin Doherty - How not to make the news - Build security into your Agile project from the ground up.

    90 Mins
    Workshop
    Intermediate

    When a group of stakeholders and team members come together to plan a new product or feature, they often focus on identifying stories that deliver end user value through solving a business problem, delighting the customer or disrupting a competitor. While these are critical stories, they are not the whole picture. Every product has non-functional or cross-functional stories which must be played.

    Security stories are an important part of these but are often not considered at all. When they are considered, they are often an afterthought or are assumed to be part of the project infrastructure. Trying to bolt on security as an afterthought in this way is a mistake that can lead to disaster at one extreme, and to compromises that reduce product usability or fail to support good end-user security practices at the other.

    The challenge, of course, is that from the stakeholder perspective, security is not seen as a priority. This workshop is for software delivery teams who want to learn how to change this perspective and work with their stakeholders to help them understand more about the importance of security. The goal is to help technical and non-technical stakeholders understand security and why it should be given priority and built into their product from the ground up. We show participants how to facilitate a structured meeting or workshop with their stakeholders in which they use a simplified threat modelling technique to identify risks. The outcome is a set of user stories (or evil user stories) which, when played, will mitigate the identified risks.

1. Who are you?

Robin is ThoughtWorks Australia's Security Champion. He provides information security assurance and secure delivery uplift. Robin also organises Hack for Privacy, a network of technologists who care about privacy and digital rights, and Internet Freedom Hack, an annual weekend hackathon to advance those causes, and he writes and speaks regularly on topics related to security and privacy. He believes that the software industry is culpable in the demise of privacy and that most people are in denial about the current state of software security.