This document discusses moving from a classical to an agile approach for software development while maintaining security. It outlines the differences between classical and agile methods, with agile utilizing shorter sprint cycles and continuous integration and delivery. To manage time, budget, and risk with an agile approach, the document recommends automating security testing, involving security teams earlier, and establishing feedback loops through bug reporting and quality/compliance reports. Challenges include engaging different generations with varying security knowledge and adapting processes to support incremental changes while documenting accepted risks.

2. Fragile to Agile
On time, on budget and with acceptable risks
Bruno Motta Rego

3. Agenda
• Scenario.
• Classical vs Agile.
• Time, Budget & Risk.

4. SCENARIO
01.

5. Business & People
• TTM
– Move much faster, move more agile…
• Workforce are changing.
– Gen Y is overconfident in its security knowledge.
– Gen Y less sophisticated security due to cost and barriers.
THE GENERATION GAP IN COMPUTER SECURITY: A SECURITY USE SURVEY FROM GEN Y TO BABY BOOMERS
Source: 2012 Dimensional Research.

6. CLASSICAL VS AGILE
“WE NEED TO BE AGILE, BUT NOT FRAGILE.”
@RUGGEDSOFTWARE
02.

7. Classical
• Security team is involved.
• One, two or three years project cycle.
• Well-defined phases, waterfall-style.
• Service requests.
• Security is vitally important...

8. Agile
• Security team is engaged.
• One, two or three weeks or sprint cycles.
• Iterative, phase less.
• Continuous integration & delivery.
• Security is vitally important...

9. XING
• New Gens changes environment for collaboration.
• Needs emerge on each week cycle.
• Global scarcity of professionals and talents.
• Products vs headcount.
• Security is vitally important...

10. TIME, BUDGET & RISK
“IT’S NOT ENOUGH TO DO YOUR BEST; YOU MUST KNOW WHAT TO DO, AND THEN DO YOUR BEST”
WILLIAM EDWARDS DEMING
03.

11. Time Continuous Integration (CI)
• Rugged Software.
– Automated several engines security test and bug track.
• Threat Modeling - Secure Design Training.
– Architects and engineers responsible for security design.
• Amplify Inputs & Feedback Loops.
– Bug bounty program, bug track decision, quality reports.

12. Budget Continuous Delivery (CD)
• Improve deployment frequency.
– Spread security posture pushing security hardening
automatically.
– Automated several engines security test and bug track.
• Amplify Inputs & Feedback Loops.
– CIA self-monitor, quality reports & compliance reports.

13. Risk
• Amplify Inputs to Support Decisions.
– Security tests reports, quality reports & compliance
reports as vendor assessment, PCI, etc…
• Risk Evaluation, Decision and Learning.
– Engage the Privacy & Legal Teams.
– Incremental adoption of non automated process.
– Document the risks accepted and define a cycle loops.

14. CHALLENGES
04.

15. THANK YOU
Facebook, LinkedIn & Twitter
@brunomottarego
References
RSA Conference 2015
Continuous Security: 5 Ways DevOps Improves Security
David Mortman, Joshua Corman
Securing Boomers, Gen Xers, and Millennials: OMG We are so Different!
Todd Fitzgerald
Research
THE GENERATION GAP IN COMPUTER SECURITY: A SECURITY USE SURVEY
FROM GEN Y TO BABY BOOMERS
2012 Dimensional Research.
Manifesto Agile
http://www.agilemanifesto.org/