@ryanmr
Last active September 20, 2019 18:33
Speakers

This page: adept.work/st8109umn1

Topics

Introduction

  • Who we are
  • What we work on
    • Prototypes (short term: 6-8 weeks)
    • Product Seeds (medium term: 6-18 months)
  • Before development begins
    • Understanding data classifications
    • Understanding user stories and boundaries
    • Understanding initial complexity
    • Security approach (unique vs routine)

Prototypes

  • Testing for business value?
  • Testing for technology proof?
  • Testing for innovation?
  • 10x problems? 1x problems? 10x outcomes?

How much is enough security?

  • real vs mock data?
  • internal vs external access?
  • customer vs business data?
  • integrations or stand-alone?
  • isolated or composed?

Product Seeds

  • Push to market?
  • Early productization?
  • Early user base?
  • Understand software maturity
  • Architecture, code, doc churn
  • Data at rest, in flight
  • Architecture and code auditing
  • Documentation
  • Monitoring and alerting
  • Penetration testing

Other things to think about

  • Use security tools within pipelines (Snyk, Xray, Veracode)
  • Automate / automate / automate
    • Developers are lazy (in a good way); if it's automated they'll do it
  • Establish a culture
    • Frequent code review; security-aware, not security-focused
    • An easy, straightforward path for reporting bugs and security concerns (internal and external)
    • Build a shared understanding with the product owners (business folk) of the security posture, its cost, and the risk
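As an added illustration of the "use security tools within pipelines" and "automate" points above (this is example configuration, not the author's actual pipeline), here is a minimal Drone pipeline that runs a dependency scan before any deploy step. It assumes a Node.js project, the Snyk CLI container image, and a Snyk API token stored as a Drone secret named `snyk_token`; the step name, image tags and deploy command are placeholders.

```yaml
# Example .drone.yml (assumed layout; not from the original gist)
kind: pipeline
type: docker
name: build-and-scan

steps:
  - name: install
    image: node:18
    commands:
      - npm ci

  # Dependency scan runs on every push. Drone stops the pipeline when a
  # step exits non-zero, so the deploy step below never runs on a failed scan.
  - name: dependency-scan
    image: snyk/snyk:node
    environment:
      SNYK_TOKEN:
        from_secret: snyk_token   # assumed secret name
    commands:
      # Fail only on high/critical findings so prototypes are not blocked by noise
      - snyk test --severity-threshold=high

  - name: deploy
    image: alpine
    commands:
      - echo "deploy placeholder"  # replace with the real deployment command
    when:
      branch:
        - main
```

The gate is the ordering: because the scan step precedes deploy and failure halts the pipeline, developers get the check without doing anything manually, which is the "if it's automated they'll do it" behaviour the outline describes. The severity threshold is the knob to tune per the "how much is enough security?" questions above (a stand-alone prototype on mock data can tolerate a higher threshold than a product seed handling customer data).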

Some Cool Links

Security in Agile Development

The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page

Snyk https://snyk.io/

Veracode https://www.veracode.com

@ShmouG

ShmouG commented Sep 20, 2019

Hey Ryan, quick question about Xray that you suggested. Is it https://jfrog.com/xray/ ?

@ryanmr
Author

ryanmr commented Sep 20, 2019

Hey Ryan, quick question about Xray that you suggested. Is it https://jfrog.com/xray/ ?

Hey Sam, yes - that's right. We have this integrated into our pipeline that uses Drone for orchestrating GitHub code pushes and deployments to servers.
