Secure Coding mailing list archives

Re: Agile (Scrum) best security practices and experiences?


From: "Dave Wichers" <dave.wichers () aspectsecurity com>
Date: Wed, 8 Sep 2010 01:33:10 -0400

I did a couple of talks on this. The first was at OWASP AppSec EU 2008.

The talk abstract is here:
http://forum.owasp.org/index.php/AppSecEU08_Agile_Security_Breaking_the_Waterfall_Mindset

And my slides are available at:
http://forum.owasp.org/index.php/AppSecEU08#Agenda_and_Presentations_-_May_21-22 (search for my name 'Wichers')

I then did a reprise/updated version at OWASP AppSec US in NY in 2008.
The slides and a video of the presentation are available here:
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference 

Erlend Oftedal, of Bekk Consulting, then did a good talk from the
developers viewpoint at OWASP AppSec EU 2009, and the slides are
available here:
http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland#tab=Conference_-_May_13 (search for his name). There is a video of his talk
too, but it may be missing the audio (which is a shame).

I felt that my talks were kind of from the macro view of the problem
(i.e., top level down), where Erlend's talk was from the micro view
(bottom up) based on his experiences in the trenches as a developer
learning and trying to do security in agile.

I found both viewpoints useful and complementary.

-Dave

-----Original Message-----
From: sc-l-bounces () securecoding org
[mailto:sc-l-bounces () securecoding org] On Behalf Of Jari Pirhonen
Sent: Tuesday, September 07, 2010 12:42 PM
To: sc-l () securecoding org
Subject: [SC-L] Agile (Scrum) best security practices and experiences?

Hi,

Agile development is spreading fast. I have talked with many
agile/Scrum developers and consultants and asked about security
integration. I have got mostly vague answers about general quality
enhancements, trusting the team and, of course, pointers to security
critical applications they have developed.

I know about Microsoft SDL guidelines w/ agile development guidelines.

The best practical presentation I've seen comes from Nokia, now also
presented at OWASP:
http://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf

I've also discussed agile/security integration with other
security professionals and software developers. For example, we had a
good meeting with a nice security/developer mix arranged by Agile Finland
and the Finnish Information Security Association. Discussion results are
available here:
http://confluence.agilefinland.com/display/af/Secure+software+development+and+agile+methods+-+notes

Now - if anyone could share some *real world* experiences of how to make
agile/Scrum + security succeed without paralysing the agile team, I
would very much like to hear them.

What works, what does not? How to start? Which tasks/tools give the most benefit?

All other insights are also welcome.

regards,
Jari

--

Jari Pirhonen
@japi999


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
