developing a high performance security focussed agile team (2 hr workshop)
TRANSCRIPT
Join the conversation #devseccon
Developing a
High PerformanceSecurity FocussedAgile Team
By Kim Carter @binarymist
5: Risks?
https://leanpub.com/b/holisticinfosecforwebdevelopers
Step #1
How Development Teams fail
Step #2
How to Succeed with Security as a Development Team
Step #2
How to Succeed with Security as a Development Team
Caveat Emptor
Step #2
How to Succeed with Security as a Development Team
5: Risks?
https://leanpub.com/b/holisticinfosecforwebdevelopers
Red Team
Red Team -> Blue Team
Pen testing @ go live -> within each Sprint
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Cheapest Place to Deal with Defects
Establish a Security Champion
Hand-crafted Penetration Testing
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Hand-crafted Penetration Testing
Security Regression Testing
Cheapest Place to Deal with Defects
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Hand-crafted Penetration Testing
Security Regression Testing
Cheapest Place to Deal with Defects
5: Risks?This is madness!
How can we do that?
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Establish a Security Champion
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Security Regression Testing
Hand-crafted Penetration Testing
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Pair Programming
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Code Review
Code Review, Static & Dynamic Analysis
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Techniques for Asserting Discipline
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Techniques for Asserting Discipline
Static Type CheckingDbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Cheapest Place to Deal with Defects
Establish a Security Champion
Hand-crafted Penetration Testing
Consuming Free and Open SourceEvil Test Conditions
Security Focussed TDD
Security Regression Testing
Pair Programming
Code Review
Techniques for Asserting Discipline
Risk
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Cheapest Place to Deal with Defects
Establish a Security Champion
Hand-crafted Penetration Testing
Consuming Free and Open SourceEvil Test Conditions
Security Focussed TDD
Security Regression Testing
Pair Programming
Code Review
Techniques for Asserting Discipline
Count
erm
easu
re
Consuming Free and Open Source
curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -sudo apt-get install -y nodejs
Risk
Consuming Free and Open Source
● Npm-outdated● Npm-check● David● RetireJS● NSP● Snyk
Tooli
ng
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Establish a Security Champion
Hand-crafted Penetration Testing
Security Focussed TDD
Security Regression Testing
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
5:
5:
5:
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Evil Test Conditions
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Security Focussed TDD
Definition of Done
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Security Regression Testing
Requirements or design defect found via Product Backlog Item (PBI) collaboration
Length of Feedback Cycle
Cost
Requirements or design defect found in Test Conditions Workshop
Programming or design defect found via Pair Programming
Programming defect found via Continuous Integration
Programming or design defect found via Test Driven Development (T(B)DD)
Requirements or design defect found via Stakeholder Participation
Defect found via pair Developer Testing
Defect found via Independent Review
Requirements defect found via traditional Acceptance Testing
Programming or design defect found via Pair Review
Design defect found via traditional System Testing
Programming defect found via traditional System Testing
Security defect found via traditional external Penetration Testing
Requirements or design defect found via Product Backlog Item (PBI) collaboration
Length of Feedback Cycle
Cost
Requirements or design defect found in Test Conditions Workshop
Programming or design defect found via Pair Programming
Programming defect found via Continuous Integration
Programming or design defect found via Test Driven Development (T(B)DD)
Requirements or design defect found via Stakeholder Participation
Defect found via pair Developer Testing
Defect found via Independent Review
Requirements defect found via traditional Acceptance Testing
Programming or design defect found via Pair Review
Design defect found via traditional System Testing
Programming defect found via traditional System Testing
Security defect found via Security Test Driven Development (STDD) or regression testing
5: Risks?
OK
I’m starting to get it
But what now?
Definition of Done
The Sprint
Security Regression Testing
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Establish a Security Champion
Security Focussed TDD
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Cheapest Place to Deal with Defects
Hand-crafted Penetration Testing
Zap-Api & NodeGoat
Step #3 Habits of Top Developers
How to make them part of our lives
All details of this workshop were sorced from part 2 of the Process and Practises chapterof my first book: https://leanpub.com/holistic-infosec-for-web-developers
Join the conversation #devseccon
@binarymist