fragile to agile... on time, on budget and with acceptable risks
Bruno Motta Rego
Agenda
• Scenario.
• Classical vs Agile.
• Time, Budget & Risk.
01. SCENARIO
Business & People
• TTM (time to market)
– Move much faster, move more agile…
• The workforce is changing.
– Gen Y is overconfident in its security knowledge.
– Gen Y has less sophisticated security due to cost and barriers.
Source: "The Generation Gap in Computer Security: A Security Use Survey from Gen Y to Baby Boomers", Dimensional Research, 2012.
02. CLASSICAL VS AGILE
“WE NEED TO BE AGILE, BUT NOT FRAGILE.”
@RUGGEDSOFTWARE
Classical
• Security team is involved.
• One-, two- or three-year project cycles.
• Well-defined phases, waterfall-style.
• Service requests.
• Security is vitally important...
Agile
• Security team is engaged.
• One-, two- or three-week sprint cycles.
• Iterative, phaseless.
• Continuous integration & delivery.
• Security is vitally important...
XING
• New generations change the environment for collaboration.
• Needs emerge in each weekly cycle.
• Global scarcity of professionals and talent.
• Products vs headcount.
• Security is vitally important...
03. TIME, BUDGET & RISK
“IT’S NOT ENOUGH TO DO YOUR BEST; YOU MUST KNOW WHAT TO DO, AND THEN DO YOUR BEST.”
WILLIAM EDWARDS DEMING
Time: Continuous Integration (CI)
• Rugged Software.
– Several automated security test engines and bug tracking.
• Threat Modeling - Secure Design Training.
– Architects and engineers are responsible for security design.
• Amplify Inputs & Feedback Loops.
– Bug bounty program, bug-tracking decisions, quality reports.
Budget: Continuous Delivery (CD)
• Improve deployment frequency.
– Spread the security posture by pushing security hardening automatically.
– Several automated security test engines and bug tracking.
• Amplify Inputs & Feedback Loops.
– CIA self-monitoring, quality reports & compliance reports.
Risk
• Amplify Inputs to Support Decisions.
– Security test reports, quality reports & compliance reports such as vendor assessments, PCI, etc.
• Risk Evaluation, Decision and Learning.
– Engage the Privacy & Legal Teams.
– Incremental adoption of non-automated processes.
– Document the accepted risks and define review cycle loops.
04. CHALLENGES
THANK YOU
Facebook, LinkedIn & Twitter
@brunomottarego
References
• RSA Conference 2015: "Continuous Security: 5 Ways DevOps Improves Security", David Mortman, Joshua Corman.
• "Securing Boomers, Gen Xers, and Millennials: OMG We are so Different!", Todd Fitzgerald.
• Research: "The Generation Gap in Computer Security: A Security Use Survey from Gen Y to Baby Boomers", Dimensional Research, 2012.
• Agile Manifesto: http://www.agilemanifesto.org/