SlideShare a Scribd company logo

Agile Security—Field of Dreams

Priyanka Aash
Priyanka Aash

PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them. (Source: RSA USA 2016-San Francisco)

Technology
1 of 25
Download to read offline
SESSION ID: #RSAC Laksh Raghavan Agile Security – Field of Dreams ASD-R04 Senior Security Strategist PayPal Inc. @laraghavanThe views expressed in this presentation are my own, and not those of PayPal Holdings, Inc. or any of its affiliates.
#RSAC Introduction 2 This presentation is: A case study on how PayPal’s Secure Product Lifecycle (SLPC) had to adapt to Agile Vendor neutral Descriptive This presentation is NOT: Silver Bullet TM Sales pitch Prescriptive- if you implement, your end product may vary
#RSAC PayPal’s Agile Transformation 3 Some interesting stats and facts about our Agile Transformation: Big Bang approach against prevailing wisdom Went from project driven to product aligned 400+ scrum teams across the globe 500+ Change Champions and 165 Transformation team members Every “industry expert” we consulted told us we couldn’t transform at this scale in our designated timeline but we did it!
#RSAC Setting the Stage for Change 4 The PLC process was complicated and inefficient: A nearly 50 step process Separate standards /procedures as PDFs/HTML on an internal portal Manual gates in the lifecycle and human involvement for all projects Threat Model EVERYTHING It was great for security because it, (a) bought us time and (b) created a lot of documentation for review and future reference. But alas… When the president of the company says you’ll become more agile, you do it (no matter how scary).
#RSAC PayPal SPLC - Overview 5 Objective: Reduce the number of vulnerabilities in our products over time by building repeatable/sustainable proactive security practices embedded within our PLC.
#RSAC SPLC Transformation 6 Strategy Institutionalize risk-based thinking and processes Secure by Default – Frameworks, Dev. Tools, etc. Put our bots to work Execution People – Internal PD security champions to help drive focus and attention on software security Process – Integrate seamlessly with our “agile” way of delivering products. Technology – Secure frameworks, libraries and automated tools that enable PD to ship products rapidly *and* securely
#RSAC Typical Challenges 7 Multiple product teams Various time zones Different priorities/risks Multiple coding languages/frameworks Agile vs. Waterfall User Stories vs. Comprehensive Documentation Minutes/Days vs. Weeks/Months
#RSAC My journey and ”Aha” Moment 8 My initial perspective of Agile was: Field of Dreams: “If you build it, they will come” But soon we realized its benefits, too. A reported XSS issue was fixed in minutes rather than hours/days
#RSAC How did we adapt to the change?
#RSAC An exercise in testing (and trusting) the automated process 10 Dynamic/In-Context Security Requirements: Security Stories Automated controls in the lifecycle Secure Frameworks and Security Tools used for all projects & human involvement for critical-risk projects Threat Model only things that aren’t run-of-the-mill web or mobile apps and/or not built on our standardized secure frameworks
#RSAC What were our guiding principles?
#RSAC Security Options Auto-enabled to Protect Developers by Default 12 • If we rely on *every* PayPal developer doing the right thing from a security perspective *every* time he/she writes code, we are doomed to fail! • Wherever possible, security controls are to be made available automatically and turned ON by default • Developers have go out of their way to turn off security controls • Secure-by-default in all layers Perimeter Infrastructure Framework Libraries Dev. Tools Code/Config
#RSAC Stronger reliance on automation 13 • In the world of CI and CD, automating security is your key to success • Developers should NOT have to learn a new tool or go out of their routine dev. tasks and tools to invoke security • Security tools must be seamlessly integrated into our development tools • Automated monitoring and reporting for deviations from our security standards • No need to manually file tickets for issues found by developers within the lifecycle – less red tape and more work done! • That doesn’t mean that there’ll be no measurement: Invest in automated metrics gathering and compliance tracking
#RSAC Federated model that enables scaling 14 Our landscape is huge! • A central InfoSec team with just handful of AppSec experts can never scale by themselves • We needed a federated model of security champions across all delivery groups who can be our eyes and ears: Responsible to ensure their products follow SPLC practices First point-of-contact for SPLC within the product delivery groups Trained and Knowledgeable on our SPLC processes and tools Know who to loop in from InfoSec for what and when Help triage and fix security vulnerabilities
#RSAC So, what did we really change?
#RSAC Key Change #1: Security Stories 16 Holy Grail for any software security professional  Make functional and non- functional requirements equal partners In Agile Speak: Make User Stories and Security Stories equal partners Before: After: Your Favorite Tax Software!
#RSAC Key Change #1: Security Stories, cont. 17 A web-based tool that hooks into the Release Planning (aka Multi-Sprint Planning) process A simple survey that does light-weight threat modelling, generates security stories, and places them in the backlog of the scrum team Tracking and reporting from within our Agile LifeCycle Management tool
#RSAC Key Change #2: Automated controls in CI/CD 18 Hook security checks into the CI/CD processes Start with a warn-only mode and in parallel do your communication/awareness and training sessions to help your developers comply to your security requirements Shift to block mode in a phased manner, as needed When their build turns red or breaks, developers pay attention and fix what they have to!
#RSAC Key Change #3: Security Champions 19 Security Champions across all product teams Started as a volunteer program 80-20 rule in action Transformed the program in 2015 to bring in “dedicated” champions with goals baked into annual performance reviews Train-the-trainers Drive the culture change!
#RSAC And what were the results?
#RSAC Show me the money! 21 Measurable improvements in compliance to security requirements Our modern frameworks and apps built on those frameworks are inherently way more secure than our legacy stacks Improved SLA adherence for fixing application security bugs Early engagement means no or minimal projects hit security roadblocks during launch A quote from our Android App’s Team Manager: “It is great to know that the pentest didn’t find any blockers and it can be largely attributed to the fact that we are following SPLC…”
#RSAC In a Nutshell 22 Challenge everything to drive change! Legacy SPLC Agile Transformed SPLC 200+ PDF/HTML security standards and procedures Security Stories customized for the scenario Manual gates throughout lifecycle Lifecycle relies on automated controls Human involvement for all projects Let the frameworks and tools do the heavy lifting - human involvement for critical risk projects only Threat Model everything Threat Model only critical scenarios
#RSAC Apply What You Have Learned Today 23 By next month you should: Understand how Agile works at your organization and its maturity level Critically analyze your existing SPLC practices In the six months following this presentation you should: Build a roadmap for SPLC transformation Start small and experiment the changes with a few small teams Within a year you should: Pilot with large business unit(s) Take the lessons learned from the pilot and tweak the process/tools for org- wide rollout
#RSAC Questions?
#RSAC Thank you!

Recommended

TOGAF
TOGAFTOGAF
TOGAFAhmed Gamil
 
Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0Oscar Ferreira
 
Personal leadership statement
Personal leadership statementPersonal leadership statement
Personal leadership statementDr. Terri Brodeur
 
leadership or followership
leadership or followershipleadership or followership
leadership or followershipVictor Chinnu
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 
Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...
Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...
Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...Deloitte United States
 
Cybersecurity | Cylus: Railway Cybersecurity
Cybersecurity | Cylus: Railway CybersecurityCybersecurity | Cylus: Railway Cybersecurity
Cybersecurity | Cylus: Railway CybersecurityVertex Holdings
 
GRC Software Implementation Strategy
GRC Software Implementation StrategyGRC Software Implementation Strategy
GRC Software Implementation StrategyPatrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 

Recommended

TOGAF
TOGAFTOGAF
TOGAFAhmed Gamil
 
Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0Oscar Ferreira
 
Personal leadership statement
Personal leadership statementPersonal leadership statement
Personal leadership statementDr. Terri Brodeur
 
leadership or followership
leadership or followershipleadership or followership
leadership or followershipVictor Chinnu
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 
Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...
Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...
Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations C...Deloitte United States
 
Cybersecurity | Cylus: Railway Cybersecurity
Cybersecurity | Cylus: Railway CybersecurityCybersecurity | Cylus: Railway Cybersecurity
Cybersecurity | Cylus: Railway CybersecurityVertex Holdings
 
GRC Software Implementation Strategy
GRC Software Implementation StrategyGRC Software Implementation Strategy
GRC Software Implementation StrategyPatrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 
Togaf 9 catalogs, matrices and diagrams
Togaf 9 catalogs, matrices and diagrams Togaf 9 catalogs, matrices and diagrams
Togaf 9 catalogs, matrices and diagrams Mohammed Omar
 
It governance
It governanceIt governance
It governanceMahetab Khan
 
We Need To Talk About IT Architecture
We Need To Talk About IT ArchitectureWe Need To Talk About IT Architecture
We Need To Talk About IT ArchitectureAlan McSweeney
 
Servant leadership
Servant leadershipServant leadership
Servant leadershipuniversity of the punjab
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Maganathin Veeraragaloo
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Become a Transformational CIO
Become a Transformational CIOBecome a Transformational CIO
Become a Transformational CIOInfo-Tech Research Group
 
Công nghệ 8 bài 27
Công nghệ 8 bài 27Công nghệ 8 bài 27
Công nghệ 8 bài 27Stephanie Lâm
 
CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)Cyril Soeri
 
CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptxAhmedRobaid1
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Continuity and Resilience
 
Ethical leadership
Ethical leadershipEthical leadership
Ethical leadershipkdore
 
Enterprise Architecture Governance
Enterprise Architecture GovernanceEnterprise Architecture Governance
Enterprise Architecture GovernanceRakesh Sharan
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionAlan McSweeney
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
The Importance of Student Leadership in the Classroom
The Importance of Student Leadership in the ClassroomThe Importance of Student Leadership in the Classroom
The Importance of Student Leadership in the ClassroomAndy Britnell
 
History of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsHistory of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsRob Akershoek
 
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondOffice 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondPriyanka Aash
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 

More Related Content

What's hot

Togaf 9 catalogs, matrices and diagrams
Togaf 9 catalogs, matrices and diagrams Togaf 9 catalogs, matrices and diagrams
Togaf 9 catalogs, matrices and diagrams Mohammed Omar
 
We Need To Talk About IT Architecture
We Need To Talk About IT ArchitectureWe Need To Talk About IT Architecture
We Need To Talk About IT ArchitectureAlan McSweeney
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Maganathin Veeraragaloo
 
Công nghệ 8 bài 27
Công nghệ 8 bài 27Công nghệ 8 bài 27
Công nghệ 8 bài 27Stephanie Lâm
 
CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)Cyril Soeri
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Continuity and Resilience
 
Ethical leadership
Ethical leadershipEthical leadership
Ethical leadershipkdore
 
Enterprise Architecture Governance
Enterprise Architecture GovernanceEnterprise Architecture Governance
Enterprise Architecture GovernanceRakesh Sharan
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionAlan McSweeney
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
The Importance of Student Leadership in the Classroom
The Importance of Student Leadership in the ClassroomThe Importance of Student Leadership in the Classroom
The Importance of Student Leadership in the ClassroomAndy Britnell
 
History of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsHistory of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsRob Akershoek
 
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondOffice 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondPriyanka Aash
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 

What's hot (20)

Togaf 9 catalogs, matrices and diagrams
Togaf 9 catalogs, matrices and diagrams Togaf 9 catalogs, matrices and diagrams
Togaf 9 catalogs, matrices and diagrams
 
It governance
It governanceIt governance
It governance
 
We Need To Talk About IT Architecture
We Need To Talk About IT ArchitectureWe Need To Talk About IT Architecture
We Need To Talk About IT Architecture
 
Servant leadership
Servant leadershipServant leadership
Servant leadership
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 
Become a Transformational CIO
Become a Transformational CIOBecome a Transformational CIO
Become a Transformational CIO
 
Công nghệ 8 bài 27
Công nghệ 8 bài 27Công nghệ 8 bài 27
Công nghệ 8 bài 27
 
CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)
 
CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptx
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000
 
Ethical leadership
Ethical leadershipEthical leadership
Ethical leadership
 
Enterprise Architecture Governance
Enterprise Architecture GovernanceEnterprise Architecture Governance
Enterprise Architecture Governance
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution Acquisition
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review Course
 
The Importance of Student Leadership in the Classroom
The Importance of Student Leadership in the ClassroomThe Importance of Student Leadership in the Classroom
The Importance of Student Leadership in the Classroom
 
History of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsHistory of IT Service Management Practices and Standards
History of IT Service Management Practices and Standards
 
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondOffice 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quantico
 

Similar to Agile Security—Field of Dreams

Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 
Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsPriyanka Aash
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Testing infrastructure as code
Testing infrastructure as codeTesting infrastructure as code
Testing infrastructure as codePrancer Io
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
AppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture ChangeAppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture ChangePriyanka Aash
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldMark Nunnikhoven
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsPhillip Maddux
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source softwarePriyanka Aash
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 

Similar to Agile Security—Field of Dreams (20)

Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and Gains
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
 
Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy Products
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Testing infrastructure as code
Testing infrastructure as codeTesting infrastructure as code
Testing infrastructure as code
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
AppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture ChangeAppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture Change
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOps
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Agile Security—Field of Dreams

  • 1. SESSION ID: #RSAC Laksh Raghavan Agile Security – Field of Dreams ASD-R04 Senior Security Strategist PayPal Inc. @laraghavanThe views expressed in this presentation are my own, and not those of PayPal Holdings, Inc. or any of its affiliates.
  • 2. #RSAC Introduction 2 This presentation is: A case study on how PayPal’s Secure Product Lifecycle (SLPC) had to adapt to Agile Vendor neutral Descriptive This presentation is NOT: Silver Bullet TM Sales pitch Prescriptive- if you implement, your end product may vary
  • 3. #RSAC PayPal’s Agile Transformation 3 Some interesting stats and facts about our Agile Transformation: Big Bang approach against prevailing wisdom Went from project driven to product aligned 400+ scrum teams across the globe 500+ Change Champions and 165 Transformation team members Every “industry expert” we consulted told us we couldn’t transform at this scale in our designated timeline but we did it!
  • 4. #RSAC Setting the Stage for Change 4 The PLC process was complicated and inefficient: A nearly 50 step process Separate standards /procedures as PDFs/HTML on an internal portal Manual gates in the lifecycle and human involvement for all projects Threat Model EVERYTHING It was great for security because it, (a) bought us time and (b) created a lot of documentation for review and future reference. But alas… When the president of the company says you’ll become more agile, you do it (no matter how scary).
  • 5. #RSAC PayPal SPLC - Overview 5 Objective: Reduce the number of vulnerabilities in our products over time by building repeatable/sustainable proactive security practices embedded within our PLC.
  • 6. #RSAC SPLC Transformation 6 Strategy Institutionalize risk-based thinking and processes Secure by Default – Frameworks, Dev. Tools, etc. Put our bots to work Execution People – Internal PD security champions to help drive focus and attention on software security Process – Integrate seamlessly with our “agile” way of delivering products. Technology – Secure frameworks, libraries and automated tools that enable PD to ship products rapidly *and* securely
  • 7. #RSAC Typical Challenges 7 Multiple product teams Various time zones Different priorities/risks Multiple coding languages/frameworks Agile vs. Waterfall User Stories vs. Comprehensive Documentation Minutes/Days vs. Weeks/Months
  • 8. #RSAC My journey and ”Aha” Moment 8 My initial perspective of Agile was: Field of Dreams: “If you build it, they will come” But soon we realized its benefits, too. A reported XSS issue was fixed in minutes rather than hours/days
  • 9. #RSAC How did we adapt to the change?
  • 10. #RSAC An exercise in testing (and trusting) the automated process 10 Dynamic/In-Context Security Requirements: Security Stories Automated controls in the lifecycle Secure Frameworks and Security Tools used for all projects & human involvement for critical-risk projects Threat Model only things that aren’t run-of-the-mill web or mobile apps and/or not built on our standardized secure frameworks
  • 11. #RSAC What were our guiding principles?
  • 12. #RSAC Security Options Auto-enabled to Protect Developers by Default 12 • If we rely on *every* PayPal developer doing the right thing from a security perspective *every* time he/she writes code, we are doomed to fail! • Wherever possible, security controls are to be made available automatically and turned ON by default • Developers have go out of their way to turn off security controls • Secure-by-default in all layers Perimeter Infrastructure Framework Libraries Dev. Tools Code/Config
  • 13. #RSAC Stronger reliance on automation 13 • In the world of CI and CD, automating security is your key to success • Developers should NOT have to learn a new tool or go out of their routine dev. tasks and tools to invoke security • Security tools must be seamlessly integrated into our development tools • Automated monitoring and reporting for deviations from our security standards • No need to manually file tickets for issues found by developers within the lifecycle – less red tape and more work done! • That doesn’t mean that there’ll be no measurement: Invest in automated metrics gathering and compliance tracking
  • 14. #RSAC Federated model that enables scaling 14 Our landscape is huge! • A central InfoSec team with just handful of AppSec experts can never scale by themselves • We needed a federated model of security champions across all delivery groups who can be our eyes and ears: Responsible to ensure their products follow SPLC practices First point-of-contact for SPLC within the product delivery groups Trained and Knowledgeable on our SPLC processes and tools Know who to loop in from InfoSec for what and when Help triage and fix security vulnerabilities
  • 15. #RSAC So, what did we really change?
  • 16. #RSAC Key Change #1: Security Stories 16 Holy Grail for any software security professional  Make functional and non- functional requirements equal partners In Agile Speak: Make User Stories and Security Stories equal partners Before: After: Your Favorite Tax Software!
  • 17. #RSAC Key Change #1: Security Stories, cont. 17 A web-based tool that hooks into the Release Planning (aka Multi-Sprint Planning) process A simple survey that does light-weight threat modelling, generates security stories, and places them in the backlog of the scrum team Tracking and reporting from within our Agile LifeCycle Management tool
  • 18. #RSAC Key Change #2: Automated controls in CI/CD 18 Hook security checks into the CI/CD processes Start with a warn-only mode and in parallel do your communication/awareness and training sessions to help your developers comply to your security requirements Shift to block mode in a phased manner, as needed When their build turns red or breaks, developers pay attention and fix what they have to!
  • 19. #RSAC Key Change #3: Security Champions 19 Security Champions across all product teams Started as a volunteer program 80-20 rule in action Transformed the program in 2015 to bring in “dedicated” champions with goals baked into annual performance reviews Train-the-trainers Drive the culture change!
  • 20. #RSAC And what were the results?
  • 21. #RSAC Show me the money! 21 Measurable improvements in compliance to security requirements Our modern frameworks and apps built on those frameworks are inherently way more secure than our legacy stacks Improved SLA adherence for fixing application security bugs Early engagement means no or minimal projects hit security roadblocks during launch A quote from our Android App’s Team Manager: “It is great to know that the pentest didn’t find any blockers and it can be largely attributed to the fact that we are following SPLC…”
  • 22. #RSAC In a Nutshell 22 Challenge everything to drive change! Legacy SPLC Agile Transformed SPLC 200+ PDF/HTML security standards and procedures Security Stories customized for the scenario Manual gates throughout lifecycle Lifecycle relies on automated controls Human involvement for all projects Let the frameworks and tools do the heavy lifting - human involvement for critical risk projects only Threat Model everything Threat Model only critical scenarios
  • 23. #RSAC Apply What You Have Learned Today 23 By next month you should: Understand how Agile works at your organization and its maturity level Critically analyze your existing SPLC practices In the six months following this presentation you should: Build a roadmap for SPLC transformation Start small and experiment the changes with a few small teams Within a year you should: Pilot with large business unit(s) Take the lessons learned from the pilot and tweak the process/tools for org- wide rollout