SECURITY IN AGILE TEAMS
Maria Gomez
@mariascandella
Barcelona June 2017
"With great power comes great responsibility"
— Uncle Ben
https://flic.kr/p/5UDwbm
BENEFITS
• Higher confidence
• Evolutionary model
• Better testing and planning
• Faster reaction when improvements or fixes are needed
WHAT’S THE CURRENT STATE?
• List of existing systems/applications as well as their users
• Review of past incidents/attacks
• Review of existing security policies and how they will impact the scope of the project
WHAT IS THE CURRENT THREAT LANDSCAPE?
https://www.owasp.org/index.php/Application_Threat_Modeling
SECURITY CHECKLIST
• Secret management tool for the team
• Password manager
• Keep secrets out of source control
• Dependency checker for the CI/CD pipeline
• Static analysis tools
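As an added illustration of the "keep secrets out of source control" item (this is example code written for this page, not from the talk or from the Security Playbook it cites), a small scanner of the kind a pre-commit hook or CI step would run over staged files. The patterns, the placeholder rule and the sample files are all constructed for the example; a real hook would use a larger, tuned ruleset.

```python
import re

# Illustrative credential shapes (assumption: a small starter set, not a complete ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" / name: 'value' with a value of at least 8 non-space characters
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?"
    ),
}

# Values that look like secrets but are obviously placeholders; skipping them keeps
# example configs and templates from blocking every commit.
PLACEHOLDER = re.compile(r"(?i)^(changeme|<.*>|\$\{.*\}|xxx+|your[_-].*)$")


def scan_text(path, text):
    """Return a list of (path, line_no, rule) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and PLACEHOLDER.match(m.group(2)):
                continue
            findings.append((path, line_no, rule))
    return findings


def scan_files(files):
    """files: mapping of path -> contents. Returns all findings across the set."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "staged" files; every key-like value below is made up.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
    "config/settings.example.py": 'DB_PASSWORD = "changeme"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "README.md": "Set the token with `export TOKEN=<your token>`.\n",
}

if __name__ == "__main__":
    # Exit non-zero when anything is found so the hook blocks the commit.
    found = scan_files(SAMPLE_FILES)
    for path, line_no, rule in found:
        print(f"{path}:{line_no}: possible secret ({rule})")
    raise SystemExit(1 if found else 0)
```

The placeholder allow-list is what keeps a check like this usable: a scanner that flags `changeme` in an example config trains the team to bypass it. Findings still need a human decision, and anything confirmed as a real secret should be rotated, not just removed from the next commit.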
Cade Cairns - Security Playbook (https://github.com/cairnsc/security-playbook)
READY FOR DEV
• Identify security requirements
• Introduce acceptance criteria
Given an unauthenticated user enters the system
When she tries to view her profile
Then she is redirected to the login page
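The Given/When/Then above turned into an executable check, as an added example that is not part of the talk. The request/response model, the route names and the `handle` function are all invented for the example; a team would write the same check against its own framework's test client.

```python
from dataclasses import dataclass, field

# Deliberately tiny request/response model, invented for this example.
@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


LOGIN_PATH = "/login"

# Routes that require an authenticated user. Listing them in one place keeps the
# decision explicit instead of relying on every handler to remember the check.
PROTECTED_PATHS = {"/profile", "/settings"}


def is_authenticated(request):
    return bool(request.session.get("user_id"))


def handle(request):
    """Dispatch a request, enforcing authentication before any protected handler runs."""
    if request.path in PROTECTED_PATHS and not is_authenticated(request):
        return Response(302, {"Location": LOGIN_PATH})
    if request.path == "/profile":
        return Response(200, body=f"profile of user {request.session['user_id']}")
    if request.path == "/settings":
        return Response(200, body="settings page")
    if request.path == LOGIN_PATH:
        return Response(200, body="login form")
    return Response(404, body="not found")


def acceptance_unauthenticated_profile_redirects():
    """The story's acceptance criterion, line for line."""
    # Given an unauthenticated user enters the system
    request = Request(path="/profile", session={})
    # When she tries to view her profile
    response = handle(request)
    # Then she is redirected to the login page
    return response.status == 302 and response.headers.get("Location") == LOGIN_PATH


def acceptance_authenticated_profile_served():
    """Companion check: the redirect must not also lock out legitimate users."""
    response = handle(Request(path="/profile", session={"user_id": 42}))
    return response.status == 200 and "42" in response.body


if __name__ == "__main__":
    print("unauthenticated -> login:", acceptance_unauthenticated_profile_redirects())
    print("authenticated -> profile:", acceptance_authenticated_profile_served())
```

Keeping the criterion as a test means the "In QA" step ("the system meets the acceptance criteria") is a CI result rather than a manual walkthrough, and a later refactor that drops the check fails the build instead of shipping.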
IN QA
The system meets the acceptance criteria
Cross-functional requirements (CFRs) have been taken into account and implemented as part of the story, if necessary
Established code conventions have been met
Check against attack trees
CONTINUOUS IMPROVEMENT
Given an unauthenticated user enters the system
When she tries to view her profile
Then she is redirected to the login page
REFERENCES
https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams
https://github.com/cairnsc/security-playbook
https://martinfowler.com/articles/web-security-basics.html
https://www.owasp.org/index.php/Main_Page