agile security the good
play

Agile Security The Good The Bad (and mostly) The Ugly Daniel - PowerPoint PPT Presentation

Dec 18, 2023 •573 likes •906 views

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places

  1. Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber

  2. ~whoami • Current: Security Leader @ CyberArk – Product security – Strategy and process driven – A pain in the insecurity ’ s a$$ • Past @ multiple places – Consulting, Research, PT

  3. ~whereami • CyberArk – Privileged account security – Look us up (we ’ re hiring  ) www.cyberark.com/

  4. ~quote “ When you need to shoot, shoot - don ’ t talk ”

  5. ~scenes • Agile, a reminder • SDLC and Agile • Collaboration with R&D for security • Crunching numbers – Why is this issue so important?

  6. So … Agile? Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan

  7. So … Agile? Scrum: Sprint Product Sprint Deliverables Backlog Backlog

  8. So … Agile? Kanban:

  9. Security Frameworks & Dev Reflecting on Agile: “ Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale. ”

  10. Security Frameworks & Dev • Vendor SDLC programs <Compatibility issues> – Microsoft – SAP – Cisco – Etc.. • Maturity Models – OWASP SAMM – BSIMM • NIST

  11. Security Frameworks & Dev Bryan Sullivan (Microsoft) @ BlackHat 2010

  12. Security Frameworks & Dev (Microsoft SDL for Agile)

  13. Security Frameworks & Dev

  14. Security Frameworks & Dev Reflecting on Agile: “ Welcome changing requirements, even late in development. ”  Threat modeling not only for new features, but also for CHANGED features

  15. Security Frameworks & Dev Threat Modeling • Approach: – Attack / software / asset centric • Mapping – Assets / Actors / Entry points • Flow – Data / Process / Logic Not as lightweight as expected from a sprint task

  16. Security Frameworks & Dev Coordinating with Product Owner Emperor of the backlog • Product ’ s roadmap • ‘ Sensitive ’ features attention • Setting security sprints (bucket security tasks) • Cut-off for most important threats

  17. Security Collaborations Reflecting on Agile: “ The most efficient and effective method of conveying information to and within a development team is face-to-face conversation. ”

  18. Security Collaboration

  19. Security Collaborations Pop Quiz • Sprint of 2 weeks • Overlooking 4 teams • Participating in every daily (15 minutes long) 10 days X 4 teams X 15 min. = 10 hours ~ 1 day = 10% of your time

  20. Security Frameworks & Dev Security Champions Team ’ s “ security bouncer ” • Why? – Probably knows the product better – Reports back on security aspects • Who ? – Curious , security friendly • Growth potential – join the dark side

  21. Security Collaborations Reflecting on Agile: “ The best architectures, requirements, and designs emerge from self- organizing teams. ”  Teams contain different positions, responsibilities, practices and quite versatile

  22. Security Collaborations The Team Team Leader Developer / Architect QA  The Security Guy System Analyst

  23. Security Collaborations Customized Training • Stop using ‘ one session fits all ’ • Create tracks per position • Use examples from your products • Track, certify, re-certify Flexibility in carrying out security tasks

  24. Security Collaborations Training Name Developer Architects Functional Security QA Team PM Analyst Team Leaders Basic Security Yes Yes Yes Yes Yes Yes (no Optional Training test) Optional Optional Yes Yes Opt. Opt. Optional Security Analysis Secure Design Optional Yes Optional Yes Opt. Opt. Optional Secure Yes Yes Optional Yes Opt. Yes (no Optional Development test) Optional Optional Optional Yes Yes Opt. Optional Security Testing Optional Optional Optional Yes Opt. Opt. Optional Adv. Security Testing Risk Optional Optional Optional Yes Opt. Yes (no Yes (no Management test) test)

  25. Crunching Numbers Track of insecure software: Release • Requirements • Researching • Design • Exploiting • Distributing • Coding • Pivoting • Deploying • Testing • Feedback / IR Development Abuse

  26. Crunching Numbers “ We will fix it post release! ” Jeremiah Grossman WhiteHat Security AppSec Israel 2015

  27. Crunching Numbers “ Ok. BUT – if our software causes a breach, the customer will surely detect it. ” Global Advanced Threat Landscape Survey CyberArk 2015

  28. Crunching Numbers “ I ’ m sure that there are other factors for a breach than bad practices of development and deployment ” Global Advanced Threat Landscape Survey CyberArk 2015

  29. Crunching Numbers “ It doesn ’ t matter as a lot of companies secure their networks anyways against breaches ” Analyzing Real-World Exposure to Windows Credential Theft Attacks CyberArk Labs 2015

  30. Crunching Numbers (Size does not matter, in this case.) Analyzing Real-World Exposure to Windows Credential Theft Attacks CyberArk Labs 2015

  31. Conclusions • Agile is a modern methodology for software development which is commonly used – In theory – security could be integrated – In practice – there are some glitches • Don ’ t be afraid to adjust (use the in this ppt) • There is a long chain of product security – SDLC is first in line – You really don ’ t want to experience security incident down the chain

  32. Questions? Thank you! Daniel Liber Daniel.Liber@CyberArk.com https://il.linkedin.com/in/liberdaniel CyberArk http://www.cyberark.com/

Recommend

Jean Tabaka, Rally Software @jeantabaka growth good change weird An Agile Adoption Story

Jean Tabaka, Rally Software @jeantabaka growth good change weird An Agile Adoption Story

Applying Design Thinking and Complexity Theory in Agile Organizations Jean Tabaka, Rally Software @jeantabaka growth good change weird An Agile Adoption Story 2002 5000 14 7 1 1 Bureaucracy Cookbook Agile Algorithm

1.54k views • 137 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R A C K Vendor? Customer? In-house team? New to agile? Some agile? 100% agile? Questions, feedback on Twitter #SellingAgile The Story 1.

918 views • 54 slides
Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Pole Vaulting over Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places Consulting, Research,

581 views • 32 slides
The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE Collaboration 2009 Fermi Symposium 2 - 5 November 2009, Washington AGILE on PSLV-C8 Sriharikota, India The AGILE April 15, 2007 Payload: the most

853 views • 38 slides
Agile Scaling without Blueprints Track: On the Boundaries of Agile Goto, Berlin, 04-dec-2015

Agile Scaling without Blueprints Track: On the Boundaries of Agile Goto, Berlin, 04-dec-2015

Agile Scaling without Blueprints Track: On the Boundaries of Agile Goto, Berlin, 04-dec-2015 Stefan Roock stefan.roock@it-agile.de @StefanRoock Scaling in the good old days ( 2005) 4 teams, 20-25 developers 13 teams, 65

417 views • 28 slides
Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without Increasing the Headcount Anderson Maranho Ventura Dadario Information Security Flare Security, So Paulo, Brazil anderson@dadario.com.br

428 views • 3 slides
&quot;Agile at Scale w ith Scrum: The Good, the Bad, and the Ugly&quot; Presented by: Heather

&quot;Agile at Scale w ith Scrum: The Good, the Bad, and the Ugly&quot; Presented by: Heather

AT9 Concurrent Session 11/8/2012 3:45 PM &quot;Agile at Scale w ith Scrum: The Good, the Bad, and the Ugly&quot; Presented by: Heather Gray, Cisco Systems Steven Spearman, AgileEvolution Brought to you by: 340 Corporate Way, Suite 300, Orange

582 views • 17 slides
Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),

Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),

Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001), http://www.agilealliance.org/ . [Alexander2002] I. Alexander, Initial Industrial Experience of Misuse Cases in Trade-Off Analysis, pp. 1113 in

503 views • 12 slides
Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode

Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode

Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode O pen4education # whoami Anderson Dadario Consultant at Flare Security 5+ years working with development &amp; infosec Globalcode

523 views • 38 slides
S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment

S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment

XP07 S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment Procedures: Stretching the Agile Envelope David Leip Olly Gotel ibm.com Chief Innovation Dude Department of Computer Science Agile Methods

123 views • 10 slides
When Software Security Meet Agile (Ant) yftzeng@gmail.com

When Software Security Meet Agile (Ant) yftzeng@gmail.com

When Software Security Meet Agile (Ant) yftzeng@gmail.com 2019-03-21 Introduction &amp; Research interest 13 4

964 views • 78 slides
Being Agile, Being Good Stephanie Troeth Paris Web, 2009 Stephanie Troeth co-founder/CTO, Book

Being Agile, Being Good Stephanie Troeth Paris Web, 2009 Stephanie Troeth co-founder/CTO, Book

Being Agile, Being Good Stephanie Troeth Paris Web, 2009 Stephanie Troeth co-founder/CTO, Book Oven Previously: UX consultant and mercenary product manager for startups Director of Interactive Technology at an agency What I

902 views • 72 slides
Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput

Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput

Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput Focused, Human Powered Dennis Stevens Enterprise Agile Coach www.leadingagile.com OPM3: Deputy Project Manager www.dennisstevens.com PMI Agile

851 views • 71 slides
How to Measure Your Security: Holding Security Vendors Accountable OK, Rant On. How good is

How to Measure Your Security: Holding Security Vendors Accountable OK, Rant On. How good is

How to Measure Your Security: Holding Security Vendors Accountable OK, Rant On. How good is your Detection Thingy that costs me Arm/Leg/$? Its really fricking good! Trust Me! Im your sales rep. Let me see the

364 views • 12 slides
Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile

Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile

Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile Manifesto Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract

582 views • 31 slides
Duke Workshop PnT Agile Practice pnt-agile@redhat.com RED HAT CONFIDENTIAL - INTERNAL USE ONLY

Duke Workshop PnT Agile Practice pnt-agile@redhat.com RED HAT CONFIDENTIAL - INTERNAL USE ONLY

Duke Workshop PnT Agile Practice pnt-agile@redhat.com RED HAT CONFIDENTIAL - INTERNAL USE ONLY AGENDA What is Agile Why Metrics ? Agile Report explanations RED HAT CONFIDENTIAL - INTERNAL USE ONLY THE HISTORY OF AGILE RED

774 views • 44 slides
Agile Software Development 1 / 26 Agile Processes Agile Manifesto (http://agilemanifesto.org/)

Agile Software Development 1 / 26 Agile Processes Agile Manifesto (http://agilemanifesto.org/)

Agile Software Development 1 / 26 Agile Processes Agile Manifesto (http://agilemanifesto.org/) value: Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over

694 views • 26 slides
The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

W8 Concurrent Session Wednesday 11/12/2008 12:45 PM 2:15 PM The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks Presented by: Mike Cottmeyer VersionOne Presented at: Agile Development Practices

646 views • 60 slides
Agile for the Government Product Owner Agile Government Leadership Outcomes for today

Agile for the Government Product Owner Agile Government Leadership Outcomes for today

Agile for the Government Product Owner Agile Government Leadership Outcomes for today www.AgileGovLeaders.org/Academy Why you should do this course Lesson 1: Introduction To Agile Lesson 1: Reading List What Is Agile? Why Agile In

411 views • 24 slides
&quot;Performance and Security Testing in Agile Development&quot; Presented by: Tracy DeDore

&quot;Performance and Security Testing in Agile Development&quot; Presented by: Tracy DeDore

AW4 Class 6/9/2010 12:45:00 PM &quot;Performance and Security Testing in Agile Development&quot; Presented by: Tracy DeDore Hew lett-Packard Brought to you by: 330 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904

489 views • 24 slides
ASPECTS: Agile Spectrum Security G.C. Polyzos, G. Marias, S. Arkoulis, P. Frangoudis Athens

ASPECTS: Agile Spectrum Security G.C. Polyzos, G. Marias, S. Arkoulis, P. Frangoudis Athens

ASPECTS: Agile Spectrum Security G.C. Polyzos, G. Marias, S. Arkoulis, P. Frangoudis Athens University of Economics and Business {polyzos,marias,arkoulistam,pfrag}@aueb.gr M. Fiedler, A. Popescu Blekinge Institute of Technology

555 views • 9 slides
Page 1 Information Security In an Agile Environment Bologna 29 Ottobre 2016 Page 2 Welcome

Page 1 Information Security In an Agile Environment Bologna 29 Ottobre 2016 Page 2 Welcome

Page 1 Information Security In an Agile Environment Bologna 29 Ottobre 2016 Page 2 Welcome Giacomo Collini Director of Information Security @ King.com Page 3 Chi Sono 2002-2006 2006-2012 2014- Page 4 Chi Sono

805 views • 45 slides
Leveraging Kanban to Create the Agile Organization As Agile is more accepted as the way to

Leveraging Kanban to Create the Agile Organization As Agile is more accepted as the way to

Leveraging Kanban to Create the Agile Organization As Agile is more accepted as the way to develop software in organizations, some software teams and groups within IT are also becoming Agile, but with using Kanban as their chosen Agile

458 views • 27 slides

More recommend