Application Security in an Agile SDLC


This is a presentation by Dennis Hurst from HouSecCon 2015, titled “Security, Agile, Devops – SDLC”. Dennis is a founder of Saltworks Security and a founding member of the Cloud Security Alliance.

The video begins at 54 seconds in, skipping the part where they were getting his microphone working.

This talk is intended both for AppSec folks (not familiar with Agile) and developers (already doing Agile), typically in large corporations that develop web-based applications for internal and external use.

Viewing the video in full screen mode will make the more detailed slides readable.

Here are the key topics covered along with their starting time codes.

  1:47 What AppSec looked like prior to Agile
  3:04 Waterfall SDLC and Security
  5:40 The Theory of Agile SDLC
  7:37 Agile Example | STORY: As a kid I would like a place to swing that’s close to my house
  9:52 Agile Process (what this looks like if you are building software, not a swing)
  10:44 Agile Backlog & Vulnerabilities (Bugs) – fitting security tasks into the backlog
  14:02 AppSec – Tools of the Trade
  19:48 Back to Agile Backlog & Vulnerabilities (Bugs)
  21:08 Real World Example – Implementing Security into an Agile SDLC
  34:01 Integrating Static Analysis (a security evaluation) into Scrums
  34:24 DevOps (going live daily; daily automated testing; periodic manual testing; apps react to attacks, notify when under attack, block IPs, etc. to stop attackers before they find known holes not fixed yet)
  38:23 DevOps and Pre-Production Security Review
  40:20 Audience Q&A