
PG - What is Agile and How Can I Use it Well? - Nicole Schwartz

BSides Las Vegas, 23:21, 76 views, published 2018-09
About this talk
What is Agile and How Can I Use it Well? - Nicole Schwartz Proving Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018

Hey everybody, I'm CircuitSwan, and I'm gonna be telling you a little bit about agile and how security teams should work with agile development teams. I'm assuming you all are either new to agile or at least early on in the maturity cycle, or maybe just looking for some crazy ideas. So who am I and why the hell am I talking about this? I've been doing agile since around 2004 or 5, somewhere in there. I worked with Aramark, Rackspace, now I'm with a really big insurance provider, and in these positions I've done business analyst, program manager, product manager, etc. I've even done some sysadmin. And I've either been managing the teams using agile or I've been a participant. So I mostly used Kanban and Scrum, but I've had exposure to other stuff. By the way, everything I say here doesn't represent my employers or anybody else.

So today I'm gonna tell you about a mishap one of my friends had, and how agile doesn't get used well by some companies, and I'm gonna tell you how your company can hopefully do it a little bit better. So at first we're gonna explain what is agile, because I'm assuming you all kind of don't have an in-depth understanding; we're gonna do a high-level summary. And then second, how do you, the security team, actually integrate with those agile development teams?

All right, so how do teams actually manage work right now? Most teams use waterfall, and waterfall means that you're going to work in a six to 12-month cycle. You're gonna get a whole bunch of features in this big release and you're gonna have a big marketing thing around it. You do everything in order: so first you collect all the requirements, do all the development, then do all the testing. Oh no, we found some bugs, go all the way back up to the start of the waterfall and go down it again. So these are Gantt charts, and most places use these. It's actually great if you don't have scope changes all the time. So if you're building a house, cool. If you're building software, yeah, we have a [ __ ] ton of bugs.

All right, so what's better to do when you have a lot of scope changes? Agile. In this case I'm gonna be talking specifically about Scrum. So Scrum does things in little tiny cycles that are one to three weeks long, and you're concentrating on one, maybe two, features. So instead of a whole package set of features you're just getting that one or two. You do the requirements, the dev, the testing for that whole thing. And so you start off with your kickoff meeting, all your stakeholders decide what you're doing, work on it, have daily check-ins, and at the end you present it to all of your stakeholders so everybody's on the same page, and you get it out the door. The idea is that you're gonna fail fast. So if you release something and everybody gives you feedback, "this sucks", you don't bother to go on to the next feature; you either improve it or maybe you throw out that whole feature chain. For those of you who are gamers, you know how there's like chains of things that connect? Well, a lot of times program managers have this feature with all these other follow-up features. If nobody likes them, don't do them, it's a waste of money. So this is potentially saving you a lot of money.

All right, so agile methodologies. Who here knows that they use Scrum? Okay, right, good, some. What about Kanban? Lean? Extreme Programming? All right, so all of these are sets of rules for how to implement agile. Agile is a large framework with four rules; all of these have a lot more rules, which are basically for people to sell books because they came up with their own special flavor of doing it. You can Google them and get the specific differences, but really they all are going for the same end goal and just have a different set of rules and terms. So I'm using Scrum terms here; you can find out what the equivalent is, or catch me for a drink after and ask me.

So what is agile? You're delivering feature by feature. You want to do continuous integration and continuous delivery. What does that mean? That means that the developers are putting things out, you know, once a week, once every other week, and that's going out the door all the way to production. This is gonna be feedback driven: as it goes out the door, the stakeholders give you feedback, the customers give you feedback, quick, you cycle back in again. That means you're failing fast; again, don't do the whole tree if nobody's actually using the feature, which reduces waste. Well, the end result of this is now DevOps is a thing. Why is DevOps a thing? Well, if I'm having to get this out the door really fast and I'm waiting on the ops team to deploy my code, that's gonna slow me down, and since this is all about fast, they're like, we're developers, we're just gonna figure out how to do it ourselves. If they do it well, that's okay. If they don't, talk about a huge security hole. This is why you need to get integrated teams. Also recently DevSecOps has popped up, and that's a whole nother animal.

All right, so what are the actual four rules for agile? It's these, but keep in mind these are a scale, so everything in bold is more important than the things that are not. You can't either/or this. The goal here is that when you evaluate the work you have or evaluate what you're doing, this is how you balance your trade-offs and your decisions. You want to be collaborating with people. You want to value the individuals on your teams and what they know; they know a lot of stuff, instead of just "we must follow this process". You're also responding to change. This is super key; this is why it's all about the feedback loop, and security needs to get in that feedback loop.

All right, what isn't agile? Either/or: "I'm not gonna do that documentation, that's not important." No, that's not acceptable. If your dev teams are doing that, please kick them for me, or send me and I'll kick them. Also minimal viable product: keyword viable. If there's security holes in it, tell them it's not [ __ ] viable. Also agile being just a buzzword: "we're gonna do agile and we're not gonna do any training and we're not gonna read any books." No, that doesn't work; then you're just saying stuff and not actually doing anything.

All right, so you're outnumbered. You have the security team, you've got tons of development teams, and they're producing a lot more stuff a lot faster than they used to. So remember I was telling you about the failed case from earlier? Well, in this case there's a security team, and the company went to a summit and they decided, hey, let's go spin up a whole bunch of agile development teams. So they spun up a whole bunch and really didn't give training to the whole company, so surprise, we now have a bunch of people doing a whole bunch of stuff and nobody really knows what they're doing.

All right, so what about you? We know what agile is, and you, the security team, are now... we're gonna figure out how to use this to your advantage. You need to exploit the system. If you don't know how to do that, maybe you're in the wrong career path. All right, so we're all working for the same company. What are they trying to accomplish? They're trying to put out some software, they're trying to make some money. That's kind of what you want the company to do, right? Nothing's ever gonna be 100% secure; if you believe that, no. How about ninety percent secure, with 10% you can mitigate? Also the dev teams are not your enemy. They're trying to get the features out because that's what they're being told to do. So the trick is, can you get security to be one of the requirements so they can't put it out the door insecure? And we all like to get paid, right? So they're making stuff so you can both get paid, so you're on the same team.

All right, so where do you start? Your developers have managers, and those managers also have managers. Can you go get someone on your team who's good with social engineering to chat with them? Maybe try, "hey, this other company in our industry had a breach and it cost them a ton in fees and a ton of terrible PR. We don't want to be that group; can we get a little more integrated so this doesn't happen to us?" Or, "hey, our customers really value security, and that's a choice they make when they're picking between the different vendors. If we can advertise how great our security is, we're gonna get more people choosing us, because that's an important factor in the purchases here." Or maybe even, "hey, remember when we released that thing and there was the giant gap and I made you guys redo it? It took two months of dev time. We don't want to get in that situation again; that was a waste of time for everyone." Right? So whatever you need to use to leverage this, this is going to be super hard; get your best social engineer on here. But I lost my wake again. Do whatever you need to do, get them to buy in that security is important and the dev teams need to listen to you.

All right, so now they have to listen to you. What do you do now? Find the product owner. The product owner defines the scope, which specifically in Scrum is called definition of done. This means until you hit all of these checkboxes you do not get to go to production. So if "passes security scan" or "passes security review" is in there, they have to think about you when they're initially starting to do the development, while they're doing the development, at the end when they're trying to get it out the door. So if you can get into there, you aren't a last minute thought; they're actually gonna architect you in, not because they love you but because they want to be done with their stuff. However you get buy-in, that's fine.

So in my friend's case, the problem they kind of ran into here was the dev teams didn't consider security a requirement. So when they suddenly were like, yeah, we get to do CI/CD, this is great, we're gonna do whatever it is we want and we're not gonna bother checking in with security. So specifically they were given Google Cloud accounts, and this was brand new for the company, and so there were no policies in place around this. Well, what they managed to do was waste at least a full-time employee's salary in one month on just spinning up nonsense and not really having a rule around, like, hey, we should spin these down when we're not using them, or maybe you keep track of how many we spin up at a time when we click the button a million times. So it could have been a little weirder, but take what you can get.

All right, you've got buy-in, and now what do you do? You're part of the definition of done and the developer managers care about you. Well, you need to get to be an optional attendee. Why do I want to be an optional attendee? Well, again, if you're outnumbered, lots of them, a few of you, and you look at the features that are going out, you can be like: don't care, don't care, don't care, [ __ ], I need to go to those meetings. So this way you don't spend your whole day in meetings; you can do your own threat modeling here. So stakeholders in Scrum are probably the key thing that's going to get invited to the kickoff meetings, where they go over "hey, here's what we're gonna do in the next three weeks", and also the feature demos at the end that say "this is what we did in these three weeks and we're about to kick this out the door". So that gives you an idea of what's coming down the pike and what you can do about it.

Keep the line of communication open. Be easy to find. If you're not easy to find, they have to go out of their way; they're not going to bother, that's extra work for them. Make sure you've got, you know, chat or email, whatever it is they can ask you quick questions on. Also be a resource. If they ask you a question, don't just respond with "yeah, I don't know what you're doing, I'll get back to you later." Be like, "hey, maybe you can talk to so-and-so, that team did it before", or "hey, talk to this group, they did it before", or "look, here's a great article on the internet, read that." You don't have to spoon-feed them, but at least point them in the right place.

All right, so you're involved, you're showing up to meetings. What now? Well, it's all great if they know that they need to be secure, but there need to be some written policies that they can actually follow, because again, you don't scale. So take what's in your head, write it down, make it available, make it easy to find in search, because again, if it's not easy and they can't find it, they're just going to be like, there isn't a policy, right? Also make sure it's written so that anyone, the developers, the project managers, the business people, can read it and understand it, because if it's super technical they're either gonna zone out and not understand it, and just kind of ignore it. So if you can, reference a how-to. So if we're talking about, hey, you need to have HTTPS here as a policy, if you've got a website up and going, where within my company do I get these certificates? Otherwise, bam, I'm gonna pull out my credit card, go to GoDaddy, get a certificate, and then you've got some shadow IT going on, and I'm sure we all don't want shadow IT, right? All right, again, be easy to contact with questions.

All right, education. So everyone has the stuff that when you onboard a developer, you have to learn this, you have to learn that, you have to go through this little training course. Well, that's all very generic to the company usually. Can you work with the onboarding team to get very specific stuff, so that PHP or C# secure code training can be involved as part of that onboarding process? This way security sort of knows, or developers know, what security is thinking about when they start coding. There's things like codebashing.com, which is a resource; there's a lot of resources out there. Or if you have your own internal team that can build something, you can make something in-house, but you don't have to.

So all right, you've got them taught about here's how you do secure coding for us specifically, but what about things that you have available that they can actually use? Is there an API for your static code analysis or whatever that they can trigger? And if there is, teach them how to use that API. Remember, they're DevOps now, and that's cool, so they should be able to do that. And so every time they do a build they can get that report back; they don't need to wait on you to tell them "oh, you failed this web scan, you need to go fix this and that." So if it's easy for them to do that, then you're gonna be fine, because they're gonna do the scans and come back to you after they've got a clean one. Maybe they have to do it three times, but at least you didn't have to sit there and explain it to them.

All right, finally. You've got policies, you've got involved, and now you're gonna be in the meetings. Well, make these meetings low-key. If they're super stressful, again, people automatically resist things that are scary or difficult. So if it is intimidating to go meet with security, because they're like "argh" all the time, I'm gonna avoid these meetings. Well, all right, low pressure, everyone's here at the meeting, you're going through their architecture diagram. Don't just read it and then tell them where the problems are. Tell them what parts are good and what parts are bad and what you're thinking as you go through it. You're gonna be training them so that they give you better information next time, that they architect it better the next time around. Maybe even educate: here's why I'm thinking this, there's this particular vulnerability out there that affects us because we're using Windows servers or because we're using Linux servers, and they can incorporate that into their choices the next round.

Finally, they can start doing their own threat modeling. If you've walked them through this enough times, when they're architecting they're gonna be able to say, okay, the worst case scenario I run into here is my web server's gonna 404; not a big deal, I can email security, they probably don't need to have a meeting with me, but I'll keep them in the loop. Oh, in this particular case this user could potentially have access to this other user's stuff; we need to make sure that's written well, let me make sure security double checks this, and I let them know that's the worst-case scenario here. It's gonna make your job easier because they're gonna be on Team Security suddenly.

Don't say the word no. Automatic defense mechanisms go up, people stop listening to you. So no no's. On the other hand, do not let them do stupid [ __ ]. So there's nice ways to say no, like "how about this instead?" or "have you considered this?" or "hey, here's another way to do this." There's a lot of ways to say no that are not using the word no. Get practiced at them. Go back to social engineering; again, I was talking about that. You guys need to get at finding the exploits in the agile system and also social engineering the system. So if you can work with people's psychology and not get them to turn off, they'll actually listen to you.

All right, so as I was saying, the friend: lots of cloud accounts spun out, totally outnumbered, and luckily they only lost one full-time employee salary worth on some servers. That really wasn't too bad, was it? Like, in here nothing has exploded yet. What should have happened? Well, if development management was involved, as soon as they found out they had Google Cloud accounts they'd have been like, "yeah, Google Cloud accounts! Hey security, is there a policy? Oh, there's not a policy yet. Well, are there any guidelines we should follow? Okay, we'll follow these guidelines and circle back when you have something." And maybe those guidelines would've been like "don't spin up anything in the prod environment" and "hey, make sure you keep track of what you've spun up so we can check it later." Wouldn't have been great, but it would have been something. Instead they didn't think about security at all; they just ran off and did their own thing and had to get somebody chasing them down after, like, you know, runaway cats. Nobody likes runaway cats.

All right, in summary: you get buy-in, make sure you're integrated into the definition of done so that they can't not think about you, be a partner, have clear policies, get them some training and education, be available, don't be stressful. Again, stressful equals shadow IT, lack of education equals shadow IT, shadow IT will cost you more time and energy than you think. Don't be "no". I know the cat's cute, but don't be "no".

All right, so we went through everything. What really is agile? It's fast delivery of features; it values feedback. And why are businesses doing it? They're all told they can get a 50% productivity increase. Note, this is if you follow everything you're supposed to, if you're doing it properly, if you've trained everyone. They're not actually doing this, but they hear 50% and bam, they're gonna want to do it. So this is why you're gonna be stuck with it; it's not going away. It is kind of a buzzword; maybe you can be like, "hey, this is awesome, we like agile, can we get some training now so we can actually do it right?"

All right, so in summary: you are actually on Team Business, because you like paychecks, right? The developers really aren't the enemy; they're just trying to get their thing done and they're really excited about writing code. They should also be on Team Security if you educate them; a lot of them might be like, oh, you know, a little bit tinfoil hat in their security land, but at least they're gonna start knowing what you're looking for, and maybe they'll actually start to understand what's up, and maybe they'll even come to BSides. Also agile is not the enemy either. Like, a lot of companies do it wrong, so it seems like it's the enemy, but just try and improve it and do it right. If you're doing it right you'll actually enjoy it a bit more. And 100% security is not going to happen; I said it before, I'm gonna say it again, 90% is good because you can mitigate around the 10%. You know, if you get shadow IT there is no mitigation around stuff you don't know.

Here's a whole bunch of resources that you can actually get when I post this up on Twitter, and here's my blog where it's going to be posted, there's my Twitter, and I have a lot of presenter notes in here with, like, links to resources, so if you pull down the PowerPoint make sure you read the notes. Thank you.

Awesome work. So we've got time for questions. Anybody have any questions? Just raise your hand, she'll pick you and I'll bring you a microphone. No questions?

So I have a question. Nicole, I love that hundred percent secure is not viable.

Yeah, right, they're like, not gonna happen.

What are some, like, fights... I'm not gonna ask that you've seen, because then we leak IP, whatever, but like, that you recommend? Like maybe we give this one up in exchange for this?

So when you're having people do RESTful APIs, or at least when we were doing that at one of my companies, you'll get into a lot of fights where we want it to have these twelve things all securing the front end. You can actually do a lot of cleanup in the middle layer, and so instead of making sure everything is implemented on the front end, just catch it in the middle before it goes to the back. And this way if you have ten different teams doing the APIs and you send everyone through the same middle layer, you can recycle that code that's filtering for, you know, quotes or whatever else, and not everyone has to rewrite it. And if you get ten people rewriting it the same way, you're also gonna have somebody who implements it wrong. So if you can centralize any of that stuff and be like, okay guys, we'll let you skip that but you need to run through this middle layer, that's probably gonna make your life a little bit easier, because if they realize they keep having to do the same work over and over they might roll their eyes more. Thanks.

One more question in the front, just one second.

Thank you. Have you had any occasion to train developers on what the categories of security problems are? Like, explain why a cross-site scripting vulnerability is bad and what you can do with it as an attacker?

So there are some groups; I think Cisco's actually pretty good at this, and some other teams I know who do actually run people through some, like, exercises in a sandbox to just explain here's what happens, or show them news articles so at least they have an idea of the different types. Usually it comes in conjunction with the OWASP Top 10 training, so I think that tends to be valuable. I think it would be nice if there was better in-a-box training for developers, because a lot of times if you just read something or see it, it's not gonna sink in as much as, like, oh, this is what this particular thing means. So Cisco has been, I think, the best at that that I know of.

All right, there, you have to boot the mic.

So one thing that actually we started doing at my employer that's been very handy has been... so OWASP has a couple of vulnerable VMs or vulnerable software products, you know, like web apps and stuff like that, where it's not only finding, you know, what the bug is and exploiting it, you also have to go in and fix it. So we're making all our developers go through a couple of these, just in a sandbox VM, just to go through the motions of, you know, finding, exploiting and fixing, just so that everybody's on the same page. And that has been actually a great deal of fun for them, because they always hear about these things, they never get to do them. It's much like lock-picking, you know: it's one thing to pick a lock, but when you realize this is the same one on the front of your house, okay, now it makes sense.

Anybody else? [Music]

Well, my question is, you've talked about the agile process as it should be. What have you seen in the way of people saying, oh well, we're using agile so we can't do this, we don't need to do this, this is the way it is? What's the... what's the things you've seen where people have tried to make use of the process to say, screw you, we can't do security, basically?

I think most companies, when they start, before they've been doing it for a while, they're like, the book said this, or the consultant said this, and so, you know, I must do XYZ and I'm gonna ignore you. Since I am the agile coach for a large insurance company, I actually have the power to go in and say, like, haha, that's cute, here, look, I have other references that show you're wrong. That doesn't always go over well, especially when, say, IBM was the consultant who originally came in and explained agile poorly. But generally I've found going into the product owner and having quotes from books, Jeff Sutherland's "Do Twice the Work in Half the Time", I believe is the title of it, it's in the resource guide, is a really good resource to find specific quotes and be like, this is the guy who started the whole agile movement and this is what he says, and this is not aligning, so I'm sorry, but I don't know where you got your data, but you're wrong. So using facts politely is helpful. But yeah, a lot of times they're just like, I don't have to worry about this because it says I just need to get it out to production by this date, not that it needs to work. It's like, what part of "working code" did you miss in the Agile Manifesto? Also, have the Agile Manifesto printed out, have it around, because, like, that whole working code and collaboration pieces, you can point back to them and be like, this is the gospel, let's follow it.

All right, and I think maybe time for one more question if it's short. Yeah? All right, thanks. Thank you so much, Nicole. [Applause]
