I gave this short talk in a meetup in Barcelona with Martin Fowler (https://youtu.be/14-knxKyJCw?t=1h21m5s)
Every day, new security breaches are making headlines. Building secure applications is difficult, as vulnerabilities can be hard to predict. However, there are things we can do to make them more resilient. In this short talk, I point to a few security best practices and how to incorporate them into our agile teams.
11. WHAT’S THE CURRENT STATE?
• List of existing systems/applications as well as their users.
• Review of past incidents/attacks
• Review of existing security policies and how they will impact the scope of the project
15. SECURITY CHECKLIST
• Secret Management tool for the team
• Password Manager
• Keep secrets out of source control
• Dependency checker for the CI/CD pipeline
• Static analysis tools
Cade Cairns - Security Playbook (https://github.com/cairnsc/security-playbook)
16. READY FOR DEV
• Identify security requirements
• Introduce acceptance criteria
Given an unauthenticated user enters the system
When she tries to view her profile
Then she is redirected to the login page
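The acceptance criterion above, turned into an executable check, as an added example that is not part of the original slides. It uses a tiny stdlib-only WSGI app with a constructed in-memory session store (the session id, user name and URL paths are assumptions); the Given/When/Then steps become a function that asserts on the redirect, with a forged-cookie edge case and an authenticated control case beside it.

```python
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed in-memory session store (assumption): session id -> user name.
SESSIONS = {"s3cr3t-session-id": "alice"}

def app(environ, start_response):
    """Minimal WSGI app: /profile is only served to an authenticated session."""
    path = environ.get("PATH_INFO", "/")
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["session"].value if "session" in cookie else None
    user = SESSIONS.get(sid)  # missing or unknown id -> None (not logged in)
    if path == "/profile":
        if user is None:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"profile of {user}".encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def request(path, cookie=None):
    """Call the app in-process; return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def unauthenticated_profile_redirects_to_login():
    """Given an unauthenticated user enters the system,
    When she tries to view her profile,
    Then she is redirected to the login page."""
    status, headers, _ = request("/profile")  # no session cookie at all
    return status == "302 Found" and headers.get("Location") == "/login"

def forged_session_redirects_to_login():
    """Edge case: a cookie the server never issued must not count as logged in."""
    status, headers, _ = request("/profile", cookie="session=not-issued-by-us")
    return status == "302 Found" and headers.get("Location") == "/login"

def authenticated_profile_is_served():
    """Control case: a valid session sees her own profile, not the login page."""
    status, _, body = request("/profile", cookie="session=s3cr3t-session-id")
    return status == "200 OK" and body == b"profile of alice"
```

The control case matters: a check that only asserts the redirect would also pass against an app that redirects everyone, so the criterion is only met when both outcomes hold.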
18. IN QA
• The system meets the acceptance criteria
• CFRs (cross-functional requirements) have been taken into account and implemented as part of the story, if necessary
• Established code conventions have been met
• Check against attack trees
20. CONTINUOUS IMPROVEMENT
Given an unauthenticated user enters the system
When she tries to view her profile
Then she is redirected to the login page