From the Trenches: Real-World Agile SDLC

Presented at AppSec USA 2013, Nov. 20, 2013, 11 a.m. (50 minutes)

Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise.  In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs. In this session, we'll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project.  We'll explain how we've evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We'll also talk about some of the lessons we've learned along the way, including things that haven't worked or wouldn't scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Presenters:

  • Chris Eng - VP Research - Veracode
    Chris Eng is vice president of research at Veracode, where he leads the team responsible for integrating security expertise into Veracode's core product offerings. Prior to Veracode, he was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris is a frequent speaker at premier industry conferences, and he has been featured in media outlets such as Bloomberg, Fox Business, and CBS. He currently serves on program committees for the O'Reilly Security Conference and the Kaspersky Security Analyst Summit and was a founding member of the SOURCE Boston advisory board. Chris is an unabashed supporter of the Oxford comma and hates it when you use the word "ask" as a noun. @chriseng

Links:

Similar Presentations: