Security in Agile Teams

Maria Gomez (@mariascandella), Barcelona, June 2017

Uploaded by maria-gomez, posted 23 Jan 2018. Category: Technology

TRANSCRIPT

SECURITY IN AGILE TEAMS

Maria Gomez

@mariascandella

Barcelona June 2017

Developer

Architect

Coach

Tech lead

Speaker

Security Expert


“With great power comes great responsibility”

— Uncle Ben

https://flic.kr/p/5UDwbm

https://flic.kr/p/c12Ad

We could do better

BENEFITS

• Higher confidence

• Evolutionary model

• Better testing and planning

• Faster reaction when making improvements or fixes

INCEPTION

WHAT’S THE CURRENT STATE?

• List of existing systems/applications as well as their users.

• Review of past incidents/attacks

• Review of existing security policies and how they will impact the scope of the project

WHAT WILL BE BUILT?

WHAT IS THE CURRENT THREAT LANDSCAPE? 

https://www.owasp.org/index.php/Application_Threat_Modeling

DELIVERY

SECURITY CHECKLIST

• Secret management tool for the team

• Password manager

• Keep secrets out of source control

• Dependency checker for the CI/CD pipeline

• Static analysis tools

Cade Cairns - Security Playbook (https://github.com/cairnsc/security-playbook)
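One way to enforce the "keep secrets out of source control" item from the checklist is a scanner run as a pre-commit hook or as a CI step. The following is an added illustration, not code from the talk or from the Security Playbook; the detector patterns, the entropy threshold and the staged-content sample are assumptions (the AWS key ID in the sample is the placeholder used in AWS documentation, not a live credential).

```python
"""Pre-commit style secret scanner for the "keep secrets out of source control"
checklist item. Added illustration, not the talk's or the Security Playbook's
code; the patterns, the entropy threshold and the sample diff are assumptions."""
import math
import re
from collections import Counter

# Known-format detectors. The AWS access-key-ID prefix and PEM headers are
# public formats; the assignment pattern is a heuristic for literals such as
# password = "..." or api_key: "...".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Fallback for secrets in no known format: long tokens with high Shannon entropy.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per repository


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the list of detector names that fire on one line."""
    findings = [name for name, rx in PATTERNS.items() if rx.search(line)]
    if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD for tok in ENTROPY_TOKEN.findall(line)):
        findings.append("high_entropy")
    return findings


def scan_text(text):
    """Return [(line_no, line, findings), ...] for every suspicious line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        findings = scan_line(line)
        if findings:
            hits.append((line_no, line, findings))
    return hits


def should_block_commit(text):
    """Exit-code style verdict for a pre-commit hook: True means reject."""
    return bool(scan_text(text))


# Constructed sample of staged content. AKIAIOSFODNN7EXAMPLE is the placeholder
# key ID used in AWS documentation, not a live credential.
SAMPLE_STAGED = """\
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2hunter2"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
api_key = "x9Fq3kLm2Pq7Rz8vWb4Yn1HcQ5tJd"
token = os.environ["API_TOKEN"]
"""

if __name__ == "__main__":
    for line_no, line, findings in scan_text(SAMPLE_STAGED):
        print(f"line {line_no}: {', '.join(findings)}: {line}")
    raise SystemExit(1 if should_block_commit(SAMPLE_STAGED) else 0)
```

The last sample line shows the pattern the scanner is meant to push developers toward: the secret is read from the environment (that is, from the team's secret management tool) rather than written into the file, so no detector fires on it. Regex detectors catch secrets in known formats; the entropy fallback catches the rest at the cost of occasional false positives, which is why the threshold is per repository.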

READY FOR DEV

• Identify security requirements

• Introduce acceptance criteria

Given an unauthenticated user enters the system

When she tries to view her profile

Then she is redirected to the login page
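The acceptance criterion above is written so that it can become an automated test. The following is an added example, not code from the talk: a minimal WSGI application with one protected route, an in-process request helper, and scenario functions that encode the Given/When/Then steps, including the edge case of a cookie that names no live session. The route names, the session cookie name and the in-memory session store are assumptions.

```python
"""Executable form of the slide's acceptance criterion: an unauthenticated
request for the profile page must be redirected to the login page. Added
example, not the talk's code; the routes, the session cookie name and the
in-memory session store are assumptions."""
from http.cookies import SimpleCookie

# Assumed server-side session store: opaque cookie value -> session data.
SESSIONS = {"s3ss10n-valid": {"user": "alice"}}


def current_user(environ):
    """Resolve the session cookie to a user, or None if absent or unknown."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)  # forged or expired id -> None


def app(environ, start_response):
    """Tiny WSGI application with one protected route (/profile)."""
    path = environ.get("PATH_INFO", "/")
    if path == "/profile":
        user = current_user(environ)
        if user is None:
            # Redirect before touching any profile data, so an anonymous
            # request learns nothing about the account.
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"profile of {user['user']}".encode()]
    if path == "/login":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login form"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def request(path, cookie=None):
    """Drive the app in-process; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie is not None:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def scenario_unauthenticated_profile_redirects():
    """Given an unauthenticated user enters the system,
    When she tries to view her profile,
    Then she is redirected to the login page."""
    status, headers, body = request("/profile")
    return status == "302 Found" and headers.get("Location") == "/login" and body == b""


def scenario_forged_session_redirects():
    """A cookie that names no live session counts as unauthenticated."""
    status, headers, _ = request("/profile", cookie="session=not-a-real-session")
    return status == "302 Found" and headers.get("Location") == "/login"


def scenario_logged_in_sees_profile():
    """Control case: a valid session reaches the profile page."""
    status, _, body = request("/profile", cookie="session=s3ss10n-valid")
    return status == "200 OK" and body == b"profile of alice"


if __name__ == "__main__":
    for scenario in (scenario_unauthenticated_profile_redirects,
                     scenario_forged_session_redirects,
                     scenario_logged_in_sees_profile):
        print(f"{scenario.__name__}: {'PASS' if scenario() else 'FAIL'}")
```

Keeping the authentication check ahead of any data access is what makes the redirect a security control rather than a navigation nicety: the unauthenticated branch returns the same response whether or not the profile exists. The scenario functions are the story's acceptance criteria in runnable form, which is what lets "the system meets the acceptance criteria" be checked in QA without a manual walkthrough.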


IN DEV

IN QA

• The system meets the acceptance criteria

• CFRs (cross-functional requirements) have been taken into account and implemented as part of the story, if necessary

• Established code conventions have been met

• Check against attack trees

IN PROD

Incident Report Plan

CONTINUOUS IMPROVEMENT


REFERENCES

https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams

https://github.com/cairnsc/security-playbook

https://martinfowler.com/articles/web-security-basics.html

https://www.owasp.org/index.php/Main_Page

@mariascandella

THANKS!