Scaling Security in Agile Scrum - Chris Eng - OWASP AppSec California 2015
AppSec California 2015 - Day 2, Track 1, Slot 3
Title
Scaling Security in Agile Scrum
Abstract
Agile Scrum is here to stay, and security teams are finding themselves under-resourced and unprepared for the pace of modern software development. “Best-practices” models for Agile security make too many simplifying assumptions about how software is built. These models impose impractical requirements without providing the necessary support or expertise.
In the real world, development teams know that software development often includes multiple Scrum teams working on various components of a larger project that will eventually be integrated. They also recognize that only the most well-funded and well-resourced enterprises and ISVs have the bandwidth to execute on the idealized Agile SDL. Smaller organizations, or development teams without vast resources, are forced to adapt and make tradeoffs that often include sacrificing security.
In this session, I’ll discuss how our company has incorporated security into our own Agile development lifecycle for a product that involves about ten Scrum teams working in concert to ship monthly releases. I’ll explain how we’ve optimized the way our security research team interacts with our engineering teams and accommodates their processes. I’ll also share some of the lessons we’ve learned along the way, including things that haven’t worked as well as we thought. I’ll also describe how we’re organically “growing” more security experts within the organization. Security practitioners will be able to leverage our experiences to work more effectively with their own Agile Scrum teams.
Bio
Chris Eng has over 15 years of application security experience. As vice president of research at Veracode, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building and defending web applications and commercial software for some of the world’s largest companies.
Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where he has presented on a diverse range of application security topics, including cryptographic attacks, agile security, mobile application security, and security metrics. Chris has been interviewed by Bloomberg, Fox Business, CBS, and other media outlets with regard to security trends and noteworthy events. Additionally, he has served on the advisory board of the SOURCE Boston conference since its inception.
Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California. He is an unabashed supporter of the Oxford comma and hates it when you use the word “ask” as a noun.