Agile Manchester talk - Agile in Security
Security vs Usability - security is complex, how do we incorporate this into our process
Still on our agile journey
We create security software to be deployed in our customers' environments
We don't own production
Software is deployed to a customer's environment; we don't host it, they do.
The sheer variability of environments makes it impossible to test, or even consider everything
We don't have access to monitor production
Can't monitor system usage and get logs back from live environments
Customer environments are locked down
We can't freely access production. We have to schedule support sessions
The customer may have a lot of change control processes
Large customers have different teams which deal with different parts of the system; it can be difficult to get things done quickly
Security, like some other domains, can be pretty sensitive.
Customers want an awful lot of information about our software and how it's going to interact with their environment / other applications
Doesn't make us special; lots of domains are like this, it just means we have our own set of unique challenges
Deployment - can be tricky in large enterprises - lots of moving parts to get in place
Some customers want to deploy to test first
We're about making usable security, but ultimately, security can still be difficult to configure
There are thousands of third-party applications out there; we can't ensure compatibility
Lots of customers don't want to upgrade
Due to the nature of it, this can be a big undertaking
Encouraging logging which will help us support the system but doesn't give too much info away, e.g. passwords / connection strings
Our software interacts very deeply with the operating system.
We can't do monitoring and logging in live.
Difficult to do experiments in production (A/B)
Tricky to engage users
Beta testing / Alpha testing
User acceptance testing difficult
Failing fast means failing early
Instilling security mindset throughout development
Sharing of knowledge throughout the business
Security testing - can be very technical, scary to some testers
NCC training in pen testing web applications
'Go to' people in the team, knowledge sharing
Threat modelling sessions
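The logging point above (logs that help support without leaking passwords or connection strings), as an added Python example; this is not code from the talk or the product, and the secret patterns, field names and sample lines are constructed assumptions:

```python
import logging
import re

# Patterns for secrets that should never reach a support log (constructed for
# this example): key=value / key: value pairs such as password=..., and
# credentials embedded in URL-style connection strings (scheme://user:pass@host).
_KV_SECRET = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\s*([=:])\s*([^;,\s]+)"
)
_URL_CREDS = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://[^:/\s]+:)([^@\s]+)(@)")
REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Mask secret values while keeping the surrounding structure readable."""
    text = _KV_SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", text)
    text = _URL_CREDS.sub(lambda m: f"{m.group(1)}{REDACTED}{m.group(3)}", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first so secrets passed as args are covered too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only sanitise it


def logged_message(msg: str, *args) -> str:
    """Return what the filter would let through for one message (used for checks)."""
    record = logging.LogRecord("support", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("support")
    log.addFilter(RedactingFilter())
    # Constructed sample lines resembling what a connection-failure path might emit.
    log.info("Connecting with Server=db01;Database=app;User Id=svc;Password=Hunter2!;")
    log.info("Backend URL: postgres://svc:Hunter2!@db01:5432/app")
    log.info("Retrying with api_key=%s", "abc123")
```

Attaching the filter at the logger keeps host, database and user fields intact for support while the credential values themselves never reach the file.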
Who am I
What do I do?
What am I talking about?
Difficulties in talking about what we do
What are the goals of the talk
Who we are
What we do
Where are we on our agile journey
Adopting Agile ways can come with challenges in any environment. When you are working on an endpoint security product these challenges can be numerous. I'll talk about some of the difficulties we've faced around delivering products in an agile way within a Security context, for example:
Security by design,
Testing and test automation,