1 of 27

What is Agile and

How Can I Use it Well?

Nicole Schwartz

@CircuitSwan (formerly @AmazonV)

1

@CircuitSwan

2 of 27

Who am I?

I currently work at an insurance company with over 30,000 employees.

I formerly worked with ARAMARK (Information Technology) and Rackspace (Enterprise, and Public Cloud).

I first transitioned from Waterfall to Agile in 2005.

The views, thoughts, and opinions expressed are my own and not that of any current or former company or organization.

2

@CircuitSwan

3 of 27

Key Points

What is Agile?

How do you work with Agile Teams?

3

@CircuitSwan

4 of 27

How Do Teams Manage Work?

4

Waterfall

Agile (Scrum)

@CircuitSwan

5 of 27

How Do Teams Manage Work?

5

Waterfall

Agile (Scrum)

@CircuitSwan

Q: Who here knows that their company is using Scrum? Kanban? Lean? Something Else? I will be using Scrum methodology in my examples - the ideas are the same but the rules and terms vary slightly

In Agile a feature or deliverable is completed in an iteration, called a sprint

Each sprint lasts usually 1 to 3 weeks
The sprint contains all of the work needed for that features delivery.

user requirements, development, the testing of this one feature

Each iteration contains a kick off, daily check ins, and a demo at the end to gather feedback

Agile Is designed for things that have many unknowns and frequent scope changes, like software

“Fail fast” meaning not putting lots of time into features that customers don’t want, or responding to business and market changes. Since you only do a first simple feature you saved money and time from completing and entire feature set.

https://en.wikipedia.org/wiki/File:Pert_example_gantt_chart.png

https://commons.wikimedia.org/wiki/File:Agile_Project_Management_by_Planbox.png

6 of 27

Agile Methodologies

Scrum
Scale Agile Framework for enterprise (SAFe)
Kanban
Lean
Extreme Programming (XP)

6

@CircuitSwan

7 of 27

What *is* Agile

Deliver feature by feature
CI/CD (Continuous Improvement / Continuous Delivery)
Feedback Driven
Fail fast
Reduce Waste

This has given us: DevOps / DevSecOps

7

@CircuitSwan

Agile focuses on small, fast continuous delivery, aka CI/CD
Devops (Developers who also are operations aka admins) rose along with Agile so agile teams could maintain speed by being self sufficient and deploy their own code generally by utilizing automation.

Recently this has given rise to DevSecOps

DevOps (a clipped compound of "development" and "operations") is a software engineering culture and practice that aims at unifying software development (Dev) and software operation (Ops). The main characteristic of the DevOps movement is to strongly advocate automation and monitoring at all steps of software construction, from integration, testing, releasing to deployment and infrastructure management. DevOps aims at shorter development cycles, increased deployment frequency, and more dependable releases, in close alignment with business objectives.^[1]^[2]^[3]^[4]

https://en.wikipedia.org/wiki/DevOps

8 of 27

Agile Manifesto

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

8

@CircuitSwan

9 of 27

What isn’t Agile

Either / Or instead of balancing the 4 principles

No Documentation

Minimal Viable Product (MVP) ≠ Untested, Not Secure

Buzzword Only

9

@CircuitSwan

10 of 27

You are outnumbered

The Agile development teams

Outnumber the security staff

Are producing more deployments, faster

10

@CircuitSwan

11 of 27

OK, What about you?

We now know what Agile is and isn’t...

How do you, the security team, use this knowledge to work with your companies Agile developers?

11

@CircuitSwan

12 of 27

We are all working for the same company

What are they trying to accomplish? Help!

Nothing is ever 100% secure

The development team is not your enemy

Everyone wants the company to be profitable

12

@CircuitSwan

13 of 27

Where to Start?

Business buy in on the importance of security

Target: Agile Developers’ Managers

Social Engineering - for good!

13

@CircuitSwan

14 of 27

Now What?

Scope / Definition of Done on Agile Teams

Product Owner
Team Lead
etc.

14

@CircuitSwan

15 of 27

Get Involved

Stakeholder (optional attendee)

Kick-Off Meetings
Feature Demos

Keep line of communication open

Be a resource

15

@CircuitSwan

16 of 27

Policies

Easy to find / search

Written for muggles

Reference “how to” in policies where possible

Security is easy to contact with questions

16

@CircuitSwan

17 of 27

Education

On-demand training by domain

https://www.codebashing.com/

Document available on-demand tools

Static Code Analysis
Server automated scanning
Website automated scanning

17

@CircuitSwan

18 of 27

Meetings

Low Pressure

Talk them through your thought process

Educate them on Why

Coach them on threat modeling

18

@CircuitSwan

Finally, when they do reach out, make sure they will keep reaching out.

Make meetings with you as low pressure as possible, you want people to be comfortable to discuss anything

Help talk through what you are looking for so that they can bring things to make the meeting easy - a data flow diagram, api doc?

They can be feeding you more data they didn’t think was relevant if they hear what you really are after.

Understanding WHY means as they are planning and architecting, they will remember your process and the next review will be easier.

Work with teams to help them come up with their own threat modeling.

If they come up with the worst thing that could happen if something doesn’t work as planned

perhaps they can better find the correct policy or procedure, or decide it’s time to reach out for more help during design discussions

19 of 27

19

@CircuitSwan

20 of 27

20

X

@CircuitSwan

21 of 27

Don’t let them run wild

How about [$this] instead?

Have you considered [$thing]?

There is a more secure way to do that, let me send you...

21

@CircuitSwan

22 of 27

When you aren’t involved...

22

@CircuitSwan

23 of 27

You (Security)

Get Buy-In
Become integrated into the Definition of Done
Be a partner
Clear Policies
Education
Be available (with low stress meetings)
Don’t be the “No”

23

@CircuitSwan

24 of 27

Agile

Is focused on fast delivery of features

Values feedback

Business believe they will increase productivity by 50%

24

@CircuitSwan

25 of 27

Summary

You are on team business
Developers are not the enemy
Developers should be on team security
Agile is not the enemy
100% secure isn’t going to happen

25

@CircuitSwan

26 of 27

Resources

26

@CircuitSwan

27 of 27

Thank You

Slides will be available on my blog

https://agileamazonv.blogspot.com/

If you print, make sure to read the presenter notes

Contact me: @CircuitSwan (Formerly @AmazonV)

27

@CircuitSwan