Professional Documents
Culture Documents
Can We Be Both?
P
AppSe Copyright © 2006 - The OWASP Foundation
c
Permission is granted to copy, distribute and/or modify this document
under the terms of the Creative Commons Attribution-ShareAlike 2.5
License. To view this license, visit
Seattl http://creativecommons.org/licenses/by-sa/2.5/
e The OWASP
Oct 2006 http://www.owasp.org/
Foundation
The Agile Practitioner’s Dilemma
Agile Forces: Secure Forces:
More responsive More aggressive
to business regulatory
concerns environment
Background
Dan Cornell
Principal of Denim Group, Ltd.
MCSD, Java 2 Certified Programmer
Source: http://www.agilemanifesto.org/
OWASP AppSec Seattle 2006 6
Agile’s Core Values
Communication
Simplicity
Feedback
Courage
Quality Work
• Developer: estimates,
The Driving Metaphor consequences and
detailed scheduling
Shared Vision
Collective Ownership
Test Driven
Continuous Integration
Coding Standards
Pair Programming
OWASP AppSec Seattle 2006 10
Definition of Secure
Sources:
“Writing Secure Code” 2nd Ed., Howard & LeBlanc
Threat Modeling
Security Testing
Requirements
Design
Implementation
Verification
Release
(Waterfall!)
Source: http://www.ddj.com/dept/architect/191800169
SCRUM
Develop an Build
Overall Features Planning
Model List
Startup Phase
Design Build
by by
Feature Feature
Construction Phase
Source: http://featuredrivendevelopment.com/
OWASP AppSec Seattle 2006 23
SCRUM
Source: http://www.controlchaos.com/
OWASP AppSec Seattle 2006 24
MSF for Agile Software Development
Daily Stand-ups
Continuous Integration
Code Scanning Tools
Security Testing Tools
Developer’s Checklist
Communication
Simplicity
Feedback
Courage
Trustworthy
Dan Cornell
dan@denimgroup.com
Website: www.denimgroup.com
Blog: www.agileandsecure.com