A 200-Year-Old Company Inside Out or how we implemented security into software development
200 years ago ...
Waterfall Problems
• Not Adapting to Change: once a plan is made, the waterfall follows that plan no matter what.
• No Feedback from Downstream Stages: the implementation phase does not get any feedback from the testing phase.
• Testing Only at the End: the testing phase is one of the last phases, so the whole system is most probably built on a pile of bugs.
Scrum Problems
• Mini Waterfall Sprints
• Sprint Lengths Are Arbitrary
• Operations Is Not Accounted For
Kanban
Why Kanban?
• Open
• No Arbitrary Sprints
• Operations Built In
The Three Ways
• Systems Thinking
• Fast Feedback
• Continuous Improvement
Security?
We Need More Security!
100 Dev : 10 Ops : 1 Sec
DevSecOps
Automate the Shit out of It
The Equifax Breach
[Chart] Downloads of Vulnerable Struts Versions: monthly downloads (0 to 120,000), Mar. 2017 to Feb. 2018, with markers for "Struts vulnerability announced / fixed", "Breach happened", "Breach discovered" and "Breach disclosed".
“Emphasize performance of the entire system and never pass a defect downstream.” (Gene Kim)
Lots of Tools: OWASP Dependency Check, Sonatype Nexus Pro, JFrog Xray
Integrate into Your Build Pipeline
Visualize
Break the Build
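The three pipeline steps above (integrate the scanner, visualize, break the build) as an added example that is not part of the talk: a gate script that reads a Dependency-Check style JSON report and fails the step when any finding reaches a CVSS threshold. The report structure, file names and CVE ids are assumed or constructed placeholders.

```python
"""Build gate over an OWASP Dependency-Check style JSON report (added example)."""
import json
import sys

# Constructed sample in the shape of a Dependency-Check JSON report. The
# structure (dependencies -> vulnerabilities -> cvssv3.baseScore) is an
# assumption; CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "struts2-core-2.3.x.jar",
         "vulnerabilities": [{"name": "CVE-XXXX-0001", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "commons-io-2.x.jar",
         "vulnerabilities": [{"name": "CVE-XXXX-0002", "severity": "MEDIUM",
                              "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "clean-lib-1.0.jar"},  # no findings
    ]
}

def score_of(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0."""
    for key in ("cvssv3", "cvssv2"):
        data = vuln.get(key)
        if data and "baseScore" in data:
            return float(data["baseScore"])
    return 0.0

def blocking_findings(report, threshold):
    """Return (file, cve, score) tuples at or above the CVSS threshold, worst first."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = score_of(vuln)
            if score >= threshold:
                findings.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(findings, key=lambda f: -f[2])

def gate(report, threshold=7.0):
    """Exit status for the pipeline step: 0 = pass, 1 = break the build."""
    findings = blocking_findings(report, threshold)
    for file_name, cve, score in findings:
        print(f"BLOCK {file_name}: {cve} (CVSS {score})")
    return 1 if findings else 0

if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.json [threshold]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    sys.exit(gate(report, threshold))
```

The printed BLOCK lines are what the pipeline shows developers; the non-zero exit status is what breaks the build.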
How to Change?
• Get Management on Board
• Bottom Up
• Small Steps
• Review Changes
• Don't Be Afraid of Failure
Recommend
More recommend