![Page 1: Developing a high performance security focussed agile team (2 hr workshop)](https://reader036.vdocuments.site/reader036/viewer/2022070516/58ce624a1a28ab2f268b5b29/html5/thumbnails/1.jpg)
Join the conversation #devseccon
Developing a High Performance Security Focussed Agile Team
By Kim Carter @binarymist
Risks?
https://leanpub.com/b/holisticinfosecforwebdevelopers
Step #1
How Development Teams fail
Step #2
How to Succeed with Security as a Development Team
Caveat Emptor
Red Team
Red Team -> Blue Team
Pen testing @ go live -> within each Sprint
The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Cheapest Place to Deal with Defects
Establish a Security Champion
Hand-crafted Penetration Testing
Pair Programming
Code Review
Techniques for Asserting Discipline
Consuming Free and Open Source
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
This is madness!
How can we do that?
Code Review, Static & Dynamic Analysis
Static Type Checking
DbC (Design by Contract): https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/
Risk
Countermeasure
Consuming Free and Open Source
curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -
sudo apt-get install -y nodejs
Risk
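The pipe-to-sudo pattern above executes whatever the server (or anything on the path to it) returns, as root, before anyone on the team has read it. As an added example that is not from the workshop or from the NodeSource project, a small POSIX sh helper that downloads to a file, compares its SHA-256 against a digest pinned after review, and runs it only on a match; `setup.sh`, `PINNED_SHA256` and the demo script contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: fetch, pin, then run. Not part of the workshop slides.
# Typical flow (network step kept as a comment so the block runs offline):
#   curl -fsSL -o setup.sh https://deb.nodesource.com/setup_4.x
#   verify_then_run setup.sh "$PINNED_SHA256"  # digest recorded after reading setup.sh

# Print the SHA-256 hex digest of a file, using whichever tool is present.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only when the file's digest equals the pinned value.
verify_sha256() {
  actual=$(file_sha256 "$1")
  [ "$actual" = "$2" ]
}

# Execute the script with sh only after verification; otherwise refuse and say why.
verify_then_run() {
  script=$1
  expected=$2
  if verify_sha256 "$script" "$expected"; then
    sh "$script"
  else
    echo "refusing to run $script: digest $(file_sha256 "$script") != pinned $expected" >&2
    return 1
  fi
}

# Offline demo: a constructed one-line script stands in for the downloaded installer.
demo() {
  tmp=$(mktemp)
  printf 'echo "installer ran"\n' > "$tmp"
  pinned=$(file_sha256 "$tmp")                 # digest recorded after review
  verify_then_run "$tmp" "$pinned"             # matches: runs
  printf 'echo "tampered"\n' >> "$tmp"          # content changed since review
  verify_then_run "$tmp" "$pinned" || echo "tamper detected, nothing executed"
  rm -f "$tmp"
}

demo
```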
Consuming Free and Open Source
Tooling
● npm-outdated
● npm-check
● David
● RetireJS
● NSP
● Snyk
Length of Feedback Cycle vs Cost
Requirements or design defect found via Product Backlog Item (PBI) collaboration
Requirements or design defect found in Test Conditions Workshop
Programming or design defect found via Pair Programming
Programming defect found via Continuous Integration
Programming or design defect found via Test Driven Development (T(B)DD)
Requirements or design defect found via Stakeholder Participation
Defect found via pair Developer Testing
Defect found via Independent Review
Requirements defect found via traditional Acceptance Testing
Programming or design defect found via Pair Review
Design defect found via traditional System Testing
Programming defect found via traditional System Testing
Security defect found via traditional external Penetration Testing
Security defect found via Security Test Driven Development (STDD) or regression testing
OK
I’m starting to get it
But what now?
Zap-Api & NodeGoat
Step #3 Habits of Top Developers
How to make them part of our lives
All details of this workshop were sourced from part 2 of the Process and Practises chapter of my first book: https://leanpub.com/holistic-infosec-for-web-developers
Join the conversation #devseccon
@binarymist