Secure Coding mailing list archives
Re: Agile (Scrum) best security practices and experiences?
From: "Dave Wichers" <dave.wichers () aspectsecurity com>
Date: Wed, 8 Sep 2010 01:33:10 -0400
I did a couple of talks on this. The first was at OWASP AppSec EU 2008. The talk abstract is here: http://forum.owasp.org/index.php/AppSecEU08_Agile_Security_Breaking_the_Waterfall_Mindset

And my slides are available at: http://forum.owasp.org/index.php/AppSecEU08#Agenda_and_Presentations_-_May_21-22 (search for my name 'Wichers')

I then did a reprise/updated version at OWASP AppSec US in NY in 2008. The slides and a video of the presentation are available here: http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

Erlend Oftedal, of Bekk Consulting, then did a good talk from the developer's viewpoint at OWASP AppSec EU 2009, and the slides are available here: http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland#tab=Conference_-_May_13 (search for his name). There is a video of his talk too, but it may be missing the audio (which is a shame).

I felt that my talks were kind of from the macro view of the problem (i.e., top level down), where Erlend's talk was from the micro view (bottom up) based on his experiences in the trenches as a developer learning and trying to do security in agile. I found both viewpoints useful and complementary.

-Dave

-----Original Message-----
From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Jari Pirhonen
Sent: Tuesday, September 07, 2010 12:42 PM
To: sc-l () securecoding org
Subject: [SC-L] Agile (Scrum) best security practices and experiences?

Hi,

Agile development is spreading fast. I have discussed with many agile/Scrum developers and consultants and asked about security integration. I have got mostly vague answers about general quality enhancements, trusting the team and of course pointers to security critical applications they have developed. I know about Microsoft SDL guidelines w/ agile development guidelines.

The best practical presentation I've seen comes from Nokia, now also presented at OWASP: http://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf

I've also discussed agile/security integration with other security professionals and software developers. For example, we had a good meeting with a nice security/developer mix arranged by Agile Finland and the Finnish Information Security Association. Discussion results are available here: http://confluence.agilefinland.com/display/af/Secure+software+development+and+agile+methods+-+notes

Now - if anyone could share some *real world* experiences of how to make agile/Scrum + security succeed without paralysing the agile team, I would very much like to hear. What works, what not? How to start? What tasks/tools give the most benefit? All other insights are welcome also.

regards,
Jari
--
Jari Pirhonen
@japi999

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- Agile (Scrum) best security practices and experiences? Jari Pirhonen (Sep 07)
- Re: Agile (Scrum) best security practices and experiences? Dave Wichers (Sep 08)
- Message not available
- Re: Agile (Scrum) best security practices and experiences? Jari Pirhonen (Sep 08)
- Re: Agile (Scrum) best security practices and experiences? Rohit Sethi (Sep 09)
- Re: Agile (Scrum) best security practices and experiences? Antti Vähä-Sipilä (Sep 14)
- Re: Agile (Scrum) best security practices and experiences? Jari Pirhonen (Sep 08)