A 200-Year-Old Company Inside Out or how we implemented security - - PowerPoint PPT Presentation

A 200-Year-Old Company Inside Out

• r how we implemented security into software development

200 years ago ...

• Not Adopting to Change

Once a plan is made, the waterfall follows that plan no matter what.

• No Feedback from Downstream Stages

The implementation phase does not get any feedback from the testing phase

• Testing Only at the End

The testing phase is one of the last phases. So the whole system is most probably built on a pile of bugs

Waterfall Problems

• Mini Waterfall Sprint
• Sprint Lengths are Arbitrary
• Operations is not Calculated for

Scrum Problems

Kanban

• Open
• No Arbitrary Sprints
• Operations Built-In

Why Kanban?

The Three Ways

System Thinking Fast Feedback Continuous Improvement

Security?

We Need More Security!

100 10 1 Dev Ops Sec

DevSecOps

Automate the Shit out of It

The Equifax Breach

20000 40000 60000 80000 100000 120000 Mar.17 Apr.17 May.17 Jun.17 Jul.17 Aug.17 Sep.17 Oct.17 Nov.17 Dec.17 Jan.18 Feb.18 Downloads

Downloads of Vulnerable Struts Versions

Struts Vulnerability announced / fixed Breach Happened Breach Discovered Breach Dislosed

“Emphasize performance of the entire system and never pass a defect downstream.“ (Gene Kim)

Lots of Tools

OWASP Dependency Check Sonatype Nexus Pro Jfrog Xray

Integrate into Your Build Pipeline

Visualize

Break the Build

How to Change?

• Get Management on Board
• Bottom Up
• Small Steps
• Review Changes
• Don‘t be afraid of Failure

How to Change?