![Technical debt in cyber ark [agile practitioners-2015]](https://cdn.slidesharecdn.com/ss_thumbnails/technicaldebtincyberarkagile-practitioners-2015-150201082255-conversion-gate01-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Similar to How to Build Security and Risk Management into Agile Environments (20)
Ad
Recently uploaded (20)
Ad
How to Build Security and Risk Management into Agile Environments
- 1. How to Build Security and Risk Management into Agile Environments By Dan Blum October 11, 2017 1Copyright @ 2017, Security Architects, LLC
- 2. Today’s Speaker http://www.security-architect.com 2 Security Architects Partners: A highly-experienced group of trusted advisors Founded and directed Burton Group consulting practices Co-developed, and perfected Burton Group's Reference Architecture Acquired by, and played key roles at, the world-famous Gartner, Inc. With core expertise in: Security Programs, Risk Management, Identity Management, Cloud Security, Application Security, and much more. Dan Blum Managing Partner, Principal Consultant • Leads and delivers large identity & security consulting projects, spanning multiple industries • Specializing in data protection and risk management • Full security program roadmap • Identity management strategies • Data protection – IAM, DLP, encryption, and privacy • Enterprise authorization frameworks • Cloud security strategies • Privileged access management • Former Gartner Golden Quill award winner and honored as Privacy by Design Ambassador Copyright @ 2017, Security Architects, LLC
- 3. Challenges Good practices Agile risk management 3 Agenda Copyright @ 2017, Security Architects, LLC
- 4. Many organizations have adopted the agile methodology and/or moved to DevOps and CICD support models Often, these practices leave Information security pros tearing their hair out! Insisting on traditional waterfall-based security processes is not an option “Business developers come to central IT asking for solutions to a problem and are told it will take 6 months. Then it’s late. They won’t be back.” – Corporate Client 4 Problem Statement: Is Agile Security an Oxymoron? Copyright @ 2017, Security Architects, LLC
- 5. 5 Agile Terminology Key points Now a dominant programming paradigm Learn by doing - Emphasis on starting small and iterating Some companies even use agile project delivery methods for ALL projects Small cross-functional teams given end to end responsibility for the product Agile
- 6. 6 Avoid “Bad Agile” Source: Adapted from http://blog.crisp.se/2014/10/08/henrikkniberg/what-is-scrum No plan No specs Rough, adaptive plan Rough, adaptive specs Overly- detailed plan Overly- detailed specs Good Agile! Waterfall?Bad Agile! Iterative spec update
- 7. 7 CI/CD Terminology Key points Integrated “DevOps” teams gain efficiency, may lose separation of duty Automated “infrastructure-as-code” Continuous deployment = lights out data center Code Unit test Integrate Acceptance test Deploy to production Manual Continuous Delivery Continuous Deployment AutoAutoAuto Code Unit test Integrate Acceptance test Deploy to production AutoAutoAutoAuto DEV OPS
- 8. 8 Hey Security Pro: It’s not all Bad! Key points Now a dominant programming paradigm Learn by doing - Emphasis on starting small and iterating Some companies even use agile project delivery methods for ALL projects Small cross-functional teams given end to end responsibility for the product Maybe they could assume more responsibility for security… Agile
- 9. 9 Hey Security Pro: It’s not all Bad! Key points Integrated “DevOps” teams gain efficiency, may lose separation of duty Automated “infrastructure-as- code” Microservices used to bring agility and portability Continuous deployment = lights out data center Reduced malware dwell time in frequently- refreshed production images No “remote in” for production support
- 10. Challenges Good practices Agile risk management 10 Agenda Copyright @ 2017, Security Architects, LLC
- 11. 11 Shift-Left Security into the CI/CD Pipeline Plan Code Test Release DeployPackage Run Monitor Dynamic app sec testing Apply prod security config Vuln/Config mgmt Dynamic app sec testing Static app sec testing SDLC security & training DEV Audit Pen Test Vuln scan PROD
- 12. 12 Integrate Security and Development Teams Source: Full stack agile blog http://www.full-stackagile.com/2016/02/14/team-organisation-squads-chapters-tribes-and-guilds/
- 13. Standardize SDLC methodologies used in the company Integrate security-related documentation and other processes into standard issues-tracking systems Automation is good, but not everything can be automated Use “Breaker” role Separation of duty where needed 13 More Good Practices Copyright @ 2017, Security Architects, LLC
- 14. Challenges Good practices Agile risk management 14 Agenda Copyright @ 2017, Security Architects, LLC
- 15. 15 ISO 31000: Traditional Risk Management Framework Copyright @ 2017, Security Architects, LLC Establishing the Context Risk Assessment Identification Analysis Evaluation Risk Treatment Communication Monitoring and Review
- 16. 16 Adapted for the Agile Enterprise Copyright @ 2017, Security Architects, LLC
- 17. 17 High-Level Overview of the Agile Risk Process Copyright @ 2017, Security Architects, LLC
- 18. 18 Instrumentation is Key! • Instrumentation, procedures, and tools we’ve tailored for squads • Risk profile • Issue-to-risk triage • Lightweight risk assessment • Focused risk assessment tools we’ve developed for the experts • Threat class heat map • Threat actor library • Control effectiveness assessment method • Control library • Risk advisory memos • Strategic risk register Copyright @ 2017, Security Architects, LLC Squads are doing a lot! The Experts
- 19. 19 Factor Analysis of Information Risk (FAIR) Meets Agile • Use of quantitative estimates in lightweight risk assessments • The quantitative approach has value even with low precision estimates; it makes them comparable for the purposes of roll-up, analytics, and continuous improvement • Use of loss expectancy model and other advanced FAIR concepts in • Developing risk models used for both operational and strategic focused risk assessments Source: Open Group Standard Risk Taxonomy (O-RT), Version 2.0
- 20. Embrace agile security – the Change is Good We should have had “Shift-left” and “integrated security and development” all along! Build risk-informed operational risk management into the agile process Escalate strategic risk management to the pros Align on the Open FAIR models 20 Conclusion Copyright @ 2017, Security Architects, LLC
- 21. Ask me Anything! Dan Blum Security Architects Partners http://security-architect.com [email protected] +1 (301) 585-4717 21
Editor's Notes
- #6: http://www.seleniumframework.com/cucumber-2/make-a-case/continuous-test-automation/ http://www.bmc.com/blogs/9-steps-building-pipelines-continuous-delivery-deployment/ http://electric-cloud.com/resources/continuous-delivery-101/continuous-deployment/
- #8: Related reading http://www.softcrylic.com/blogs/testing-strategies-continuous-delivery/ http://www.seleniumframework.com/cucumber-2/make-a-case/continuous-test-automation/ http://www.bmc.com/blogs/9-steps-building-pipelines-continuous-delivery-deployment/ http://electric-cloud.com/resources/continuous-delivery-101/continuous-deployment/
- #9: http://www.seleniumframework.com/cucumber-2/make-a-case/continuous-test-automation/ http://www.bmc.com/blogs/9-steps-building-pipelines-continuous-delivery-deployment/ http://electric-cloud.com/resources/continuous-delivery-101/continuous-deployment/