Last active Sep 20, 2019
This page:



  • Who we are
  • What we work on
    • Prototypes (short term; 6-8 weeks)
    • Product Seeds (medium term: 6-18 months)
  • Before development begins
    • Understanding data classifications
    • Understanding user stories and boundaries
    • Understanding initial complexity
    • Security approach (unique vs routine)


  • Testing for business value?
  • Testing for technology proof?
  • Testing for innovation?
  • 10x problems? 1x problems? 10x outcomes?

How much is enough security?

  • real vs mock data?
  • internal vs external access?
  • customer vs business data?
  • integrations or stand alone?
  • isolated or composed?

Product Seeds

  • Push to market?
  • Early productization?
  • Early user base?
  • Understand software maturity
  • Architecture, code, doc churn
  • Data at rest, in flight
  • Architecture and code auditing
  • Documentation
  • Monitoring and alerting
  • Penetration testing

Other things to think about

  • Use security tools within pipelines (Snyk, Xray, Veracode)
  • Automate / automate / automate
    • Developers are lazy (in a good way); if it's automated they'll do it
  • Establish a culture
    • Frequent code review; security-aware, not security-focused
    • An easy, straightforward path for reporting bugs and security concerns (internal and external)
    • Build a shared understanding with the product owners (business folk) of security, its cost, and the risk

Some Cool Links

Security in Agile Development

The Open Web Application Security Project (OWASP)




@ShmouG ShmouG commented Sep 20, 2019

Hey Ryan, quick question about Xray that you suggested. Is it ?


Owner Author

@ryanmr ryanmr commented Sep 20, 2019

Hey Ryan, quick question about Xray that you suggested. Is it ?

Hey Sam, yes - that's right. We have this integrated into our pipeline that uses Drone for orchestrating GitHub code pushes and deployments to servers.
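As an added example (not the gist author's own pipeline), the kind of step the "Use security tools within pipelines" item and the Drone remark above describe: a Drone pipeline stage that runs a Snyk dependency scan on every push and fails the build on high-severity findings. The image name, the `snyk_token` secret name and the severity threshold are assumptions.

```yaml
kind: pipeline
type: docker
name: default

steps:
  # Assumed: official Snyk CLI image for a Node project; pick the
  # variant matching the project's toolchain.
  - name: dependency-scan
    image: snyk/snyk:node
    environment:
      # Assumed secret name; stored in Drone, never in the repo.
      SNYK_TOKEN:
        from_secret: snyk_token
    commands:
      # Non-zero exit on any high or critical finding stops the
      # pipeline before the deploy step below can run.
      - snyk test --severity-threshold=high

  - name: deploy
    image: alpine
    commands:
      - echo "deploy step runs only if the scan step passed"
    depends_on:
      - dependency-scan
    when:
      branch:
        - master
```

Because the scan step exits non-zero on findings and the deploy step depends on it, the check is enforced automatically rather than left to developers to remember.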
