Security Certification
Or: How I Learned to Stop Worrying and Love Stories
Andrew Hood
IT Security Manager
Ministry of Social Development
About me
• I have no formal Agile qualifications
• Not been a developer for over 21 years
• Worked globally doing large scale data networks
• Moved into IT Security
• About as Waterfall as you can possibly get
About that title…
Security Certification and Accreditation
A method of understanding the information security risk of a service and ensuring that risk owners are aware of that risk.
Section 4 of the NZISM (plus most of section 3, bits of sections 5, 6, 8 and 9, and lots of the rest of the 655 pages of the manual)
Certification:
• Documenting the residual risks in a system
• Documenting the controls used to mitigate risks
• Verifying that controls are mitigating the risk
Accreditation:
• Accepting the residual risks for that information type
Four Rules of Agile Security
1: IT Security is a Non-functional requirement
2: Failure to meet requirements generates risk
3: Risk controls are functional requirements
4: You must know your risk at all times
[Diagram: Planning and Development flow, labelled Epic, Story (As a _____ / I need _____ / So that _____), Acceptance Criteria, Backlog, Dev Standards, Testing Output, Feature]
• Start to write security into functional and non-functional requirements – use your Acceptance Criteria
• Do you have secure coding standards? Make them part of your DoD (Definition of Done), e.g. "automated OWASP security testing passed"
• Try not to write security stories
• Specific security controls are functional requirements
• The same approach works for other non-functionals, like performance
• Learning or earning security? All security stories must have business value – otherwise why are you doing them?
Stage 1: Security in Stories
[Diagram: the Planning and Development flow from Stage 1 (Epic, Story with As a / I need / So that, Acceptance Criteria, Backlog, Dev Standards, Testing Output, Feature) with Security Processes added: Risk and the Security Risk Management Plan (SRMP)]
• Security Risk Management Plan – know your risks, your mitigating controls and your plans for remediation
• Your test failures are creating risk, so:
1. Track them!
2. This is a manual process
• The SRMP needs pre-loading with standard risks and controls (which feed your functional requirements)
Stage 2: SRMP
[Diagram: the Stage 2 flow (Planning and Development with Security Processes, Risk and the SRMP) with Statement of Applicability and Security Risk Assessment added]
• SRA – the Security Risk Assessment
• Manually created and normally slow
• A point-in-time risk snapshot for Certification and Accreditation
• The technical part of the SRA is a snapshot of the SRMP
Stage 3: C&A
[Diagram: the Stage 3 flow (Planning and Development, Security Processes, Risk, Statement of Applicability, Security Risk Assessment, SRMP) with Defects linking Testing Output back to Risk]
• Let's join the dots together!
• Your controls for risks update your backlog with new functional requirements for future stories
• Risk can now be linked to an Epic or Feature
• Risk is now seen as part of a piece of functionality, not of the total service
• Stops last-minute go-live risk paralysis
Stage 4: Link Risks to Benefits
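As an added example (not from the slides, the presenter or the Ministry), a toy SRMP register in Python that wires Stages 2 to 4 together: pre-loaded standard risks, a test failure raised as a tracked risk, every unverified control emitted as a backlog story in the As a / I need / So that template, and an SRA snapshot reporting residual risk per feature rather than for the whole service. The 3x3 scoring scale, the halving rule for verified controls and the TF-nnn id scheme are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scoring scale (not from the slides): score = likelihood x impact, 1..9.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    control_id: str
    description: str
    verified: bool = False  # Certification: control verified as mitigating the risk


@dataclass
class Risk:
    risk_id: str
    description: str
    feature: str              # Stage 4: the epic/feature this risk belongs to
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)
    source: str = "standard"  # "standard" (pre-loaded) or "test-failure"

    def inherent_score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> int:
        # Assumption: each verified control halves the score (floor 1). An
        # unverified control counts for nothing, which is why it goes on the backlog.
        score = self.inherent_score()
        for control in self.controls:
            if control.verified:
                score = max(1, score // 2)
        return score


class SRMP:
    """Living register: pre-loaded standard risks plus risks raised by test failures."""

    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}

    def preload(self, standard_risks: List[Risk]) -> None:
        """Stage 2: the SRMP starts pre-loaded with standard risks and controls."""
        for risk in standard_risks:
            self.risks[risk.risk_id] = risk

    def record_test_failure(self, test_name: str, feature: str, likelihood: str,
                            impact: str, proposed_control: Control) -> Risk:
        """Stage 2: a failed security test is creating risk, so track it."""
        risk_id = f"TF-{len(self.risks) + 1:03d}"  # assumed id scheme
        risk = Risk(risk_id, f"test '{test_name}' failed", feature, likelihood,
                    impact, [proposed_control], source="test-failure")
        self.risks[risk_id] = risk
        return risk

    def verify_control(self, control_id: str) -> None:
        """Certification: testing has shown the control mitigates the risk."""
        for risk in self.risks.values():
            for control in risk.controls:
                if control.control_id == control_id:
                    control.verified = True

    def backlog_items(self) -> List[str]:
        """Stage 4: every unverified control is a functional requirement for a
        future story, in the As a / I need / So that template from the slides."""
        items = []
        for risk in self.risks.values():
            for control in risk.controls:
                if not control.verified:
                    items.append(f"[{risk.feature}] As a service owner I need "
                                 f"{control.description} so that '{risk.description}' "
                                 f"is mitigated ({risk.risk_id}/{control.control_id})")
        return items

    def snapshot(self, as_of: str) -> Dict[str, object]:
        """Stage 3: the technical part of the SRA is a point-in-time copy of the
        SRMP, reporting residual risk per feature rather than for the whole service."""
        residual: Dict[str, int] = {}
        for risk in self.risks.values():
            residual[risk.feature] = residual.get(risk.feature, 0) + risk.residual_score()
        return {"as_of": as_of, "residual_by_feature": residual,
                "open_controls": len(self.backlog_items())}


def demo() -> SRMP:
    """Constructed sample: two pre-loaded standard risks and one automated-scan failure."""
    plan = SRMP()
    plan.preload([
        Risk("R-001", "session token exposed in URLs", "login", "medium", "high",
             [Control("C-001", "tokens carried only in HttpOnly cookies", verified=True)]),
        Risk("R-002", "uploads served with caller-supplied content type", "documents",
             "medium", "medium",
             [Control("C-002", "uploads re-served with a fixed safe content type")]),
    ])
    plan.record_test_failure("automated XSS scan on search results", "search", "high",
                             "medium", Control("C-003", "output encoding on search results"))
    return plan
```

Taking a second snapshot after `verify_control("C-003")` shows the search feature's residual score drop and the backlog shrink, while the earlier snapshot keeps its point-in-time values.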
Stage 5: Maturity
• Is this all too hard… or easier and cheaper?
1. You will find issues earlier and faster
2. Resource costs may be lower
3. Key resources can work on more projects simultaneously
4. As maturity increases, development standards and story requirements become re-usable
5. You will need embedded security resources in story writing sessions until mature
• Ahhhh… but what about penetration testing?
So what next?
• Work on your standards first
• Don’t expect BAs/Devs/Testers to be able to do it by themselves – help train them
• Find IT Security people willing to work this way
• Hug your IT Security Manager and tell them to stop worrying and love stories instead
Thanks for listening

AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfMahamudul Hasan
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalFabian de Rijk
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...amilabibi1
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...David Celestin
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 

Recently uploaded (15)

Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of Drupal
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 

Security Certification or How I Learned to Stop Worrying & Love Stories - Andrew Hood - AgileNZ 2017

  • 1. Security Certification Or: How I Learned to Stop Worrying and Love Stories
    Andrew Hood, IT Security Manager, Ministry of Social Development
  • 2. About me
    • I have no formal Agile qualifications
    • Not been a developer for over 21 years
    • Worked globally doing large scale data networks
    • Moved into IT Security
    • About as Waterfall as you can possibly get
  • 4. Security Certification and Accreditation
    A method of understanding the information security risk of a service and ensuring that risk owners are aware of the risk - Section 4 of NZISM (plus most of section 3, bits of sections 5, 6, 8, 9 and lots of the rest of the 655 pages of the manual)
    Certification:
    • Documenting the residual risks in a system
    • Documenting the controls used to mitigate risks
    • Verifying that controls are mitigating the risk
    Accreditation:
    • Accepting the residual risks for that information type
  • 5. Four Rules of Agile Security
    1: IT Security is a non-functional requirement
    2: Failure to meet requirements generates risk
    3: Risk controls are functional requirements
    4: You must know your risk at all times
  • 6. Stage 1: Security in Stories
    [Diagram: Planning (Epic > Feature > Story "As a _____ I need _____ So that _____", Acceptance Criteria, Backlog) feeding Development (Dev Standards, Testing Output)]
    • Start to write security into functional and non-functional requirements - use your Acceptance Criteria
    • Do you have secure coding standards? Make them part of your DoD, like "automated OWASP security testing passed"
    • Try to not write security stories
    • Specific security controls are functional requirements
    • Works for other non-functionals like Performance
    • Learning or Earning security? All security stories must have business value – otherwise why are you doing them?
  • 7. Stage 2: SRMP
    [Diagram: the same Planning and Development flow, with a Security Processes lane added: Risk feeds the Security Risk Management Plan (SRMP)]
    • Security Risk Management Plan – know your risks, mitigation controls and plans for remediation
    • Your test failures are creating risk, so: 1. Track them! 2. This is a manual process
    • SRMP needs pre-loading with standard risks and controls (which feed your functional requirements)
  • 8. Stage 3: C&A
    [Diagram: Security Processes lane now also shows the Statement of Applicability and the Security Risk Assessment, drawn from the SRMP]
    • SRA – the Security Risk Assessment
    • Manually created and normally slow
    • Point-in-time risk snapshot for Certification and Accreditation
    • The technical part of the SRA is a snapshot of the SRMP
  • 9. Stage 4: Link Risks to Benefits
    [Diagram: the full flow, with Defects from Testing Output feeding back into Risk and the SRMP, and Risk linked to Epic/Feature]
    • Let's join the dots together!
    • Your controls for risks are updating your backlog with new functional requirements for future stories
    • Risk can now be linked to an Epic or Feature
    • Risk is now seen as part of a piece of functionality, not the total service
    • Stops go-live risk paralysis (at the last minute)
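Stages 2 and 4 describe one data model: standard risks pre-loaded into the SRMP, each mitigated by controls that become acceptance criteria on the feature's stories, with test failures from the pipeline reopening the risk. The following Python script is an added illustration of that model and is not code from the talk or from the Ministry; the risk and control ids, the feature names and the test-result lines are all constructed for the example. It shows how a feature's acceptance criteria can be generated from the controls linked to its risks, and how a run of security-test output turns into a per-feature list of residual risks, so the risk is known at all times rather than discovered at go-live.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A mitigating control; its description is written as an acceptance criterion."""
    id: str
    description: str
    test_id: str  # automated test in the pipeline that proves the control holds


@dataclass(frozen=True)
class Risk:
    """A standard risk from the pre-loaded SRMP, linked to one feature or epic."""
    id: str
    description: str
    feature: str
    controls: tuple[str, ...]  # ids of the controls that mitigate it


# Constructed catalogue (hypothetical ids), standing in for the standard risks
# and controls the SRMP is pre-loaded with.
STANDARD_CONTROLS = {
    "CTL-INPUT-VAL": Control("CTL-INPUT-VAL", "Server rejects profile input that fails the allow-list", "test_input_validation"),
    "CTL-OUTPUT-ENC": Control("CTL-OUTPUT-ENC", "User-supplied text is output-encoded for its context", "test_output_encoding"),
    "CTL-AUTHZ": Control("CTL-AUTHZ", "Every record read is authorised against the caller's client id", "test_authz_per_record"),
    "CTL-AUDIT": Control("CTL-AUDIT", "Privileged changes write an audit event with actor and time", "test_audit_log_written"),
}
STANDARD_RISKS = [
    Risk("R-XSS", "Script stored in a profile field runs in another user's browser", "Client Profile", ("CTL-INPUT-VAL", "CTL-OUTPUT-ENC")),
    Risk("R-IDOR", "A client can read another client's record", "Client Profile", ("CTL-AUTHZ",)),
    Risk("R-AUDIT", "A privileged change cannot be attributed to a person", "Payments", ("CTL-AUDIT",)),
]

# Constructed sample of one CI run's security-test results ("STATUS test_name" per line).
SAMPLE_TEST_OUTPUT = """\
PASS test_input_validation
FAIL test_output_encoding
PASS test_authz_per_record
SKIP test_audit_log_written
"""


def parse_test_output(text: str) -> dict[str, str]:
    """Turn 'STATUS test_name' lines into {test_name: STATUS}; other lines are ignored."""
    results: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in {"PASS", "FAIL", "SKIP"}:
            results[parts[1]] = parts[0]
    return results


def acceptance_criteria(feature: str, risks=STANDARD_RISKS, controls=STANDARD_CONTROLS) -> list[str]:
    """Stage 1/4: the controls for a feature's risks, phrased as acceptance criteria.

    A control shared by several risks appears once, listing every risk it mitigates.
    """
    by_control: dict[str, list[str]] = {}
    for risk in risks:
        if risk.feature != feature:
            continue
        for cid in risk.controls:
            by_control.setdefault(cid, []).append(risk.id)
    return [
        f"{cid}: {controls[cid].description} "
        f"(mitigates {', '.join(rids)}; verified by {controls[cid].test_id})"
        for cid, rids in by_control.items()
    ]


def residual_risks(results: dict[str, str], risks=STANDARD_RISKS,
                   controls=STANDARD_CONTROLS) -> dict[str, dict[str, list[str]]]:
    """Stage 2/4: feature -> {risk id -> controls not proven by a passing test}.

    A control counts as mitigating only when its test PASSED. FAIL, SKIP or a
    missing test all leave the risk open, so the plan never silently assumes
    a control is in place.
    """
    open_by_feature: dict[str, dict[str, list[str]]] = {}
    for risk in risks:
        unmet = [cid for cid in risk.controls if results.get(controls[cid].test_id) != "PASS"]
        if unmet:
            open_by_feature.setdefault(risk.feature, {})[risk.id] = unmet
    return open_by_feature


if __name__ == "__main__":
    for line in acceptance_criteria("Client Profile"):
        print("AC:", line)
    for feature, risks in residual_risks(parse_test_output(SAMPLE_TEST_OUTPUT)).items():
        for rid, unmet in risks.items():
            print(f"OPEN {feature}: {rid} (controls not yet proven: {', '.join(unmet)})")
```

With the constructed run above, the XSS risk on Client Profile stays open because the output-encoding test failed, and the audit risk on Payments stays open because its test was skipped; the IDOR risk is closed because its only control passed. Treating SKIP and missing tests the same as FAIL is the deliberate choice here: a control nobody tested is not a control the accreditor can accept.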
  • 10. Stage 5: Maturity
    • Is this all too hard… or easier and cheaper?
    1. You will find issues earlier and quicker
    2. Resource costing may be lower
    3. Key resources can work on more projects simultaneously
    4. As maturity increases, development standards and story requirements become re-usable
    5. You will need embedded Security resources in story writing sessions until mature
    • Ahhhh… but what about Penetration Testing?
  • 11. So what next?
    • Work on your standards first
    • Don’t expect BA/Dev/Testers to be able to do it by themselves – help train them
    • Find IT Security people willing to work this way
    • Hug your IT Security Manager and tell them to stop worrying and love stories instead