fragile to agile... on time, on budget and with acceptable risks

Post on 14-Apr-2017


Fragile to Agile: On time, on budget and with acceptable risks
Bruno Motta Rego

Agenda
• Scenario.
• Classical vs Agile.
• Time, Budget & Risk.

01. SCENARIO

Business & People
• TTM (time to market).
  – Move much faster, move more agile…
• The workforce is changing.
  – Gen Y is overconfident in its security knowledge.
  – Gen Y uses less sophisticated security because of cost and barriers.

Source: "The Generation Gap in Computer Security: A Security Use Survey from Gen Y to Baby Boomers", Dimensional Research, 2012.

02. CLASSICAL VS AGILE

"We need to be agile, but not fragile."
@RUGGEDSOFTWARE

Classical
• Security team is involved.
• One-, two- or three-year project cycles.
• Well-defined phases, waterfall-style.
• Service requests.
• Security is vitally important...

Agile
• Security team is engaged.
• One-, two- or three-week sprint cycles.
• Iterative, phaseless.
• Continuous integration & delivery.
• Security is vitally important...

XING
• New generations change the environment for collaboration.
• Needs emerge on each weekly cycle.
• Global scarcity of professionals and talent.
• Products vs headcount.
• Security is vitally important...

03. TIME, BUDGET & RISK

"It's not enough to do your best; you must know what to do, and then do your best."
William Edwards Deming

Time: Continuous Integration (CI)
• Rugged Software.
  – Several automated security-test engines, with findings fed into bug tracking.
• Threat Modeling and Secure Design Training.
  – Architects and engineers are responsible for the security design.
• Amplify Inputs & Feedback Loops.
  – Bug bounty program, bug-track decisions, quality reports.

Budget: Continuous Delivery (CD)
• Improve deployment frequency.
  – Spread the security posture by pushing security hardening automatically.
  – Several automated security-test engines, with findings fed into bug tracking.
• Amplify Inputs & Feedback Loops.
  – CIA (confidentiality, integrity, availability) self-monitoring, quality reports & compliance reports.

Risk
• Amplify Inputs to Support Decisions.
  – Security-test reports, quality reports & compliance reports (vendor assessments, PCI, etc.).
• Risk Evaluation, Decision and Learning.
  – Engage the Privacy & Legal teams.
  – Incremental adoption of non-automated processes.
  – Document the accepted risks and define review-cycle loops for them.
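The CI/CD bullets above (automated security-test engines feeding a bug tracker) and the Risk bullet (documented risk acceptances with a review loop) fit together in one pipeline gate. The following is an added example, not code from the deck or from XING: it merges findings from two hypothetical engines (a SAST tool and a dependency checker whose output formats are assumptions, with constructed sample data), consults a constructed accepted-risk register in which every acceptance carries an owner and a review date, and blocks the build only on unaccepted or expired findings at or above a severity threshold. An acceptance whose review date has passed stops suppressing the finding and instead generates a re-evaluation task, which is the "cycle loop" the slide calls for.

```python
"""Added example: a CI security gate that merges multi-engine findings and honours
documented, time-boxed risk acceptances. Not the deck's or XING's own tooling."""
import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    engine: str
    rule: str
    location: str
    severity: str


# Constructed sample output from two hypothetical engines; field names are assumptions.
SAST_OUTPUT = json.dumps([
    {"rule": "sql-injection", "file": "app/orders.py:42", "severity": "high"},
    {"rule": "weak-hash", "file": "app/auth.py:17", "severity": "medium"},
])
DEPS_OUTPUT = json.dumps([
    {"advisory": "EXAMPLE-2017-0001", "package": "leftpad==1.0", "severity": "critical"},
    {"advisory": "EXAMPLE-2017-0002", "package": "oldlib==0.3", "severity": "low"},
])

# Constructed accepted-risk register. The review date is the loop: after it passes,
# the acceptance no longer suppresses the finding and must be re-decided.
ACCEPTED_RISKS = [
    {"rule": "weak-hash", "location": "app/auth.py:17", "owner": "auth-team",
     "reason": "legacy token format, migration scheduled", "review_by": "2017-06-30"},
    {"rule": "EXAMPLE-2017-0002", "location": "oldlib==0.3", "owner": "platform",
     "reason": "vulnerable code path not reachable", "review_by": "2017-03-31"},
]


def parse_sast(raw):
    return [Finding("sast", f["rule"], f["file"], f["severity"]) for f in json.loads(raw)]


def parse_deps(raw):
    return [Finding("deps", f["advisory"], f["package"], f["severity"]) for f in json.loads(raw)]


def merge_findings(*groups):
    """Merge engine outputs keyed by (rule, location), keeping the highest severity."""
    merged = {}
    for group in groups:
        for f in group:
            key = (f.rule, f.location)
            if key not in merged or SEVERITY_RANK[f.severity] > SEVERITY_RANK[merged[key].severity]:
                merged[key] = f
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f.severity])


def acceptance_for(finding, register, today_iso):
    """Return ("active" | "expired", entry) for a documented acceptance, else None."""
    today = date.fromisoformat(today_iso)
    for entry in register:
        if (entry["rule"], entry["location"]) == (finding.rule, finding.location):
            status = "active" if date.fromisoformat(entry["review_by"]) >= today else "expired"
            return status, entry
    return None


def run_gate(findings, register, today_iso, fail_at="high"):
    """Classify findings as open / accepted / expired and decide whether to block."""
    result = {"open": [], "accepted": [], "expired": [], "blocked": False}
    for f in findings:
        acc = acceptance_for(f, register, today_iso)
        if acc is None:
            result["open"].append(f)
        elif acc[0] == "active":
            result["accepted"].append(f)
        else:
            result["expired"].append(f)
    threshold = SEVERITY_RANK[fail_at]
    unsuppressed = result["open"] + result["expired"]
    result["blocked"] = any(SEVERITY_RANK[f.severity] >= threshold for f in unsuppressed)
    return result


def bug_tracker_items(result):
    """Tickets for unaccepted findings plus re-review tasks for expired acceptances."""
    items = [f"[{f.severity}] {f.engine}: {f.rule} at {f.location}" for f in result["open"]]
    items += [f"[review] re-evaluate accepted risk {f.rule} at {f.location}" for f in result["expired"]]
    return items


if __name__ == "__main__":
    all_findings = merge_findings(parse_sast(SAST_OUTPUT), parse_deps(DEPS_OUTPUT))
    outcome = run_gate(all_findings, ACCEPTED_RISKS, "2017-04-14")
    for line in bug_tracker_items(outcome):
        print(line)
    print("pipeline blocked:", outcome["blocked"])
```

The register is deliberately the only way to silence a finding: there is no per-engine ignore list, so every suppression is a documented decision with an owner and an expiry that the Privacy & Legal teams can review alongside the compliance reports.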

04. CHALLENGES

THANK YOU

Facebook, LinkedIn & Twitter

@brunomottarego

References

RSA Conference 2015: "Continuous Security: 5 Ways DevOps Improves Security", David Mortman and Joshua Corman.

"Securing Boomers, Gen Xers, and Millennials: OMG We are so Different!", Todd Fitzgerald.

Research: "The Generation Gap in Computer Security: A Security Use Survey from Gen Y to Baby Boomers", Dimensional Research, 2012.

Manifesto for Agile Software Development: http://www.agilemanifesto.org/
