@ryanmr ryanmr/security-notes.md

Last active Sep 20, 2019

Speakers

This page: adept.work/st8109umn1

Topics

Introduction

  • Who we are
  • What we work on
    • Prototypes (short term: 6-8 weeks)
    • Product Seeds (medium term: 6-18 months)
  • Before development begins
    • Understanding data classifications
    • Understanding user stories and boundaries
    • Understanding initial complexity
    • Security approach (unique vs routine)

Prototypes

  • Testing for business value?
  • Testing for technology proof?
  • Testing for innovation?
  • 10x problems? 1x problems? 10x outcomes?

How much is enough security?

  • real vs mock data?
  • internal vs external access?
  • customer vs business data?
  • integrations or stand-alone?
  • isolated or composed?

Product Seeds

  • Push to market?
  • Early productization?
  • Early user base?
  • Understand software maturity
  • Architecture, code, doc churn
  • Data at rest, in flight
  • Architecture and code auditing
  • Documentation
  • Monitoring and alerting
  • Penetration testing

Other things to think about

  • Use security tools within pipelines (Snyk, Xray, Veracode)
  • Automate / automate / automate
    • Developers are lazy (in a good way); if it's automated they'll do it
  • Establish a culture
    • Frequent code review; security-aware, not security-focused
    • An easy, straightforward path for reporting bugs and security concerns (internal and external)
    • Build a shared understanding with the product owners (business folk) of security, its cost, and the risk

Some Cool Links

Security in Agile Development

The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page

Snyk https://snyk.io/

Veracode https://www.veracode.com

@ShmouG


ShmouG commented Sep 20, 2019

Hey Ryan, quick question about Xray that you suggested. Is it https://jfrog.com/xray/ ?

@ryanmr


ryanmr commented Sep 20, 2019

Hey Ryan, quick question about Xray that you suggested. Is it https://jfrog.com/xray/ ?

Hey Sam, yes - that's right. We have this integrated into our pipeline that uses Drone for orchestrating GitHub code pushes and deployments to servers.
