Security in the wild

Being at the top of the food chain

Who Am I

Renato Rodrigues - @simpsOn - //pathonproject..com

Agenda

The world as we know it

Facing the world

Survival mode

The world as we know it

Implementation of new features
New technology hype(s)

Distorted notion of time

New issues arise every day

 

Security is not part of the process!

 

Facing the world

Software Dev. Life Cycle

Requirements

Who is going to use the system?

How will they use the system?  

What data should be input into the system?  

What data should be output by the system?


Requirement Specification document

Requirements

Product Team

Security Perceptions

Security Work

Improvements

Design

System Design helps in:

  - specifying hardware and system requirements;

  - defining the overall system architecture (interactions, structures, technologies, ...).


Implementation and Support Documentation

Design

Architecture Teams

Security Perceptions

Security Work

Improvements

Code

The work is divided into modules/units and actual coding is started. During this phase, the code should be the developer's main focus.


Real Product

Code

Development Teams

Security Perceptions

Security Work

Improvements

Testing

After code development, it is necessary to test it against the requirements to verify that the product addresses the needs collected during the requirements stage.


Product Validation!

Testing

QA Teams

Security Perceptions

Security Work

Improvements

Cross Initiatives

Security Clinics

Security in SCRUM

Security Champions

Security Clinics

Fortnightly meetings to catch up on the teams’ work

Talk about:

- Current sprint user stories/tasks;
  Do a quick threat model.
- What is the roadmap;
  Anticipate potential weaknesses.
- If there are known issues to be addressed, what is the status?
  Check if they need help to fix it!
- Show something cool and give them a Security Update!

Security in SCRUM

Try to detect and eliminate vulnerabilities as early as possible in the development lifecycle.

Security Champions

They are advocates of security inside the team and the point of contact for the solution;

The champions have a good understanding of the technology and an interest in ensuring better security for the team's product;

They are a key point on the road to SSDLC;

Act as a bridge between domains.

Deployment

After successful testing, the product can finally be delivered/deployed to the customer.


Live to the world!

Deployment

DevOps Teams

Security Perceptions

Security Work

Improvements

S. Software Dev. Life Cycle

Thank you for your time!

Renato Rodrigues - @simpsOn - //pathonproject..com
