Agile Scrum is here to stay, and security teams aren’t adapting quickly enough. “Best-practice” Agile SDL models aren’t very helpful because they assume a simplified, idealized model of how software is built. In the real world, software development often involves multiple Scrum teams working on various components of a larger product. As a result, application security teams find themselves under-resourced and unprepared for the pace of modern software development.
In this session, Chris will discuss how his company has incorporated security into its own Agile development lifecycle for a product that involves about ten Scrum teams working in concert to ship monthly releases. Chris will explain how he has optimized the way his security research team interacts with his engineering teams and accommodates their processes. Chris will also share some of the lessons he has learned along the way, including things that haven’t worked or wouldn’t scale. Security practitioners will be able to leverage these experiences to work more effectively with their own Agile Scrum teams.
October 22, 2014 | Management (718b) | 14:40 – 15:40