Building in Security at Agile Speed

Setting the Stage
  Introduction
  Current Events
  The State of Software Security
  What Is Secure Software?
  Developing an SDL Model That Can Work with Any Development Methodology
  Our Previous Secure Development Lifecycle Design and Methodology
  Overcoming Challenges in Making Software Secure
  Mapping the Security Development Lifecycle (SDL) to the Software Development Life Cycle (SDLC)
  Software Development Methodologies
  Waterfall Development
  Iterative Waterfall Development
  Agile Development
  Scrum
  Lean Development
  The Progression from Waterfall and Agile to Scrum: A Management Perspective
  DevOps and CI/CD
  Cloud Services
  Platform Services
  Automation
  General Testing and Quality Assurance
  Security Testing
  DevSecOps
  Education
  Architects and Principal Engineers
  Pulling It All Together Using Visual Analogies
  Tetris Analogy for Agile, Scrum, and CI/CD
  Nesting Doll Analogy for Solution Development
  DevOps Operations "Moving Down" Rather Than Moving Left Kettlebell Analogy
  DevOps Best Practices
  Optimizing Your Team Size
  Summary

Software Development Security Management in an Agile World
  Introduction
  Building and Managing the DevOps Software Security Organization
  Use of the Term DevSecOps
  Product Security Organizational Structure
  The Right Organizational Location
  The Right People
  The Right Talent
  Software Security Architects
  Software Security Champions
  Software Security Program Management
  Software Security Organizational Realities and Leverage
  Software Security Organizational and People Management Tips
  Security Tools, Automation, and Vendor Management
  Security Tools and Automation
  Security Tools for the SDL
  Static Analysis
  Dynamic Analysis
  Fuzz Testing
  DevOps Tools: Going Beyond the SDL
  Vendor Management
  Managing COTS Security Products
  Managing Open Source Security Products
  Open Source Licenses
  Open Source Due Diligence
  DevOps Security Incident Response
  Internal Response to Defects and Security Vulnerabilities in Your Source Code
  External Response to Security Vulnerabilities Discovered in Your Product Source Code
  Post-Release PSIRT Response
  Optimizing Post-Release Third-Party Response
  ISO 29147 and ISO 30111
  Key Success Factors
  Security Training Management
  Security Budget Management
  Preparing and Delivering the Budget Message
  Other Things to Consider When Preparing Your Budget
  Security Governance, Risk, and Compliance (GRC) Management
  SDL Coverage of Relevant Regulations, Certifications, and Compliance Frameworks
  Third-Party Reviews
  Post-Release Certifications
  Privacy
  Privacy Impact Assessment (PIA) Plan Initiated
  Privacy Implementation Assessment
  Final Privacy Review
  Post-Release Privacy Response
  Security Metrics Management
  The Importance of Metrics
  SDL Specific Metrics
  Additional Security Metrics Focused on Optimizing Your DevOps Environment
  Mergers and Acquisitions (M&A) Management
  Legacy Code Management
  Summary

A Generic Security Development Lifecycle (SDL)
  Introduction
  Build Software Securely
  Produce Secure Code
  "Coding Is Fraught with Error"
  Effective Secure Coding Training
  Manual Code Review
  Static Analysis
  Third-Party Code Assessment
  Patch (Upgrade or Fix) Issues Identified in Third-Party Code
  Determining the Right Activities for Each Project
  The SDL Determining Questions
  What Changes Are Proposed?
  Will Any Third-Party Software Be Added?
  Will Data About Human Entities (Personally Identifying Information) Be Added?
  Will This Organization or Any of Its Partners Host Any of the Systems?
  Are There Any Web Protocol Inputs?
  Are There Non-Web Inputs to the Program?
  Is This a Major Release?
  Architecture and Design
  Nimble Governance
  Testing
  Functional Testing
  Dynamic Testing
  Web (Protocol and Input) Scanning
  Fuzz Testing
  Attack and Penetration Testing
  Independent Testing
  Assess and Threat Model Build/Release/Deploy/Operate Chain
  Agile: Sprints
  Key Success Factors and Metrics
  Summary

Secure Design through Threat Modeling
  Threat Modeling Is Foundational
  Secure Design Primer
  Analysis Technique
  Before the Threat Model
  Pre-Analysis Knowledge
  ATASM Process
  Target System Discovery
  A Short "How To" Primer
  Enumerate CAV
  STRIDE
  ATASM
  Elevation of Privilege Card Game
  ATT&CK & CAPEC (from Secrets)
  Continuous Threat Modeling Project
  OWASP® Threat Modeling
  Structure, Detail, and Abstraction
  Rating Risk
  Identifying Defenses. Which Defenses for What System?
  Threat Model Automation
  Summary

Enhancing Software Development Security Management in an Agile World
  Introduction
  Building and Managing the DevOps Software Security Organization
  Continuous and Integrated Security
  Security Mindset versus Dedicated Security Organization
  Optimizing Security to Prevent Real-World Threats
  Strategic, Tactical, and User-Specific Software Attacks
  Strategic Attacks
  Espionage
  Organized Crime
  Socio-Political Attacks
  Cyber Warfare
  Tactical Attacks
  User-Specific Attacks
  Security Tools, Automation, and Vendor Management
  DevOps Security Incident Response
  Organizational Structure
  Proactive Hunting
  Continuous Detection and Response
  Software Bill of Materials
  Organizational Management
  Security Training Management
  People
  Process
  Technology
  Security Budget Management
  Security Governance, Risk, and Compliance (GRC) Management
  Security Metrics Management
  Mergers and Acquisitions (M&A) Management
  Legacy Code Management
  Summary

Culture Hacking
  Introduction
  Culture Must Shift
  Hack All Levels
  Executive Support
  Mid-Management Make or Break
  Accept All Help
  Trust Developers
  Build a Community of Practice
  Threat Model Training Is for Everyone
  Audit and Security Are Not the Same Thing
  An Organizational Management Perspective
  Security Cultural Change
  Security Incident Response
  Security Training
  Security Technical Debt (Legacy Software)
  Summary/Conclusion

Appendix A: The Generic Security Development Lifecycle