
But I'd like to talk a little bit about today's title here: Agile, compiling insecure code? Tools for creating secure software in the agile environment.

Start with a little bit about me. Way back when, when the VIC-20 was the hot device, 25 years ago, I hooked it up to my TV and started writing BASIC programs, PEEKs and POKEs and GOTOs; I used to love it. Later on in life, after I graduated college, I was a system administrator on various Linux systems, some of which later became Solaris. Then I went back to school and got a degree in programming. Started on C, if anybody remembers that; that's a trooper, gave our single which became a sec, and I've been in the job for 15 years. I've done assembly on various different platforms, x86 to 390. Then I went into project management a little bit, and finally evolved; I would consider myself a recovering developer. Security: this test is no joke, the GIAC certified secure programmer. I have heard from hours after, and also, as I passed out stickers to everybody a few minutes ago, or just call upon things of you for fine; I bought all of my kids playing a few weeks ago, and this is my assistant Brutus; you know, I get tired of coding here.

Quick agenda: talk about the state of software; we'll talk about what agile is for those who may not have been exposed; security, don't fall into the trap (it was made mostly right here in Asheville, my fellow Americans); then we'll talk about the importance of the powerline spaces; wrap up with a short conclusion; and if anybody's got any questions, or if you've got questions along the way, or if I start stuttering, just raise your hand.
Let's talk about the scope of the software for a minute, for people who are really new to this environment. There's literally dozens and dozens of hardware platforms: you've got processors in your phones, Intel processors in your desktops, AMD processors; there's hundreds of different platforms. We've got dozens of operating systems: Linux, and how many flavors of Linux; OS X, which is built on Linux; the Android operating system is also there; all the things Windows too. Hundreds of programming languages: I just saw one of our developers recently using something called R, which I've never seen before; Go, Perl, Python, C, C++ and Java. So you've got all these different types of applications around, hundreds of thousands of professional developers, which I was one for a while, hundreds of thousands of applications, and there's, I should say, billions, they're good as long as they're kind of running well, trillions of lines of code running. In this room there's billions of lines together; they run it in the world, and it pretty much affects everything: games, entertainment; banking, if you've been to an ATM machine or heard about database problems or wheelies without matter; taxes, you can go online and pay your taxes now, so that's become a target, people are trying to hack people there to get more information. Say South Carolina got hacked four years ago, and everybody there that may have been issued a refund, their banking information was compromised. Health care: we've updated all the computers for billing and patient records, and HIPAA, which was also crazy; things like heart monitors for at-home people that are connected via Wi-Fi sending the information directly back to the clinicians, which is great because you can get real-time information, but it's really bad because you can actually collect real-time data about somebody. Deserving for pacemakers having Bluetooth turned on: I can't imagine it being an attack, I can't imagine a person who would actually do it, you know, they're in somebody's heart. Least intrusive: clocks, energy; we don't all have meter readers anymore, guys don't walk out and look at the side of
your house; even the meters report back over the network. Transportation: cars, look at the new Tesla, it drives itself pretty much as long as you're not sitting in the back watching a Harry Potter movie. Communication devices, we've all got them, I see the cellphones in the room; we're streaming this broadcast live out to the whole world. So lots of things along there, and the problems that you find in this software are numerous. This is the national vulnerability database for the four years, the number of reported vulnerabilities in the software year after year; you actually see, well, since 2015, which is a good sign, I think we went down. As far as the effect on the economy, reports that the cost of cybercrime was 20% more than in 2014; 20 percent higher, probably going to be higher than that this year. The federal government passed legislation holding companies liable; HIPAA for example: you expose medical records, you were negligent in doing so, up to ten thousand dollars per record, so ten thousand dollars per person affected. Civil liability suits: I read recently, earlier today, there was a picture of Target when they were talking about the hack; Target settled for ten million dollars plus lawyer fees plus court costs from the hack they had. Imagine what that does to your company's bottom line; you've got to write a check for 10 million bucks. Here's the part that our federal government does not understand, as a DoD contractor for six years: compliance does not equal security. Compliance does reduce your attack surface. If you look at things that are exposed to the internet that you see when you use any of the sites that do the scans, even Google, you see people who are putting their databases directly out on the Internet; it's crazy, you're opening the door for attack. Different papers, they polyglot the attacks together so you can send one string to a server and hit multiple layers all at the same time. So there's all the vulnerabilities, all the openings. Just a little quote from about 30 years ago: security should be a part of the DevOps cycle; security must be built into the applications, not bolted on. I don't know how many shops do it, but I've been in shops where they build this application, they run a scan against it at the end, and then they spend hundreds of hours and lots of money on software or hardware trying to protect against vulnerabilities that they could have caught when they were building it in the first place. That's a lot of money out of the company's pocket. So there's the state of our software. So now I want to talk a little bit about what agile actually is.
For those who haven't been exposed to agile development: agile actually began way back in the nineteen eighties when I was still in high school. Prior to that, development really looked like a relay race. Your design team, or your product team, would come up with an idea; then they would ask the architects to come up with the design, who would pass it to the development team, who would actually start developing it; and then that would go to the testing team, that could be just functional and load testing; and then they would pass it up to the security testing team. So you had all these gates where things were checked along the way. Agile, along the way, you have a fully self-contained team that goes through the whole process; so they'll start going through the process and then, as a product is released, they'll actually start the next development process, so you get a lot of overlap, and you're also expecting some things. I'm getting a little bit ahead of myself. So instead of having these nice discrete, sequential, manageable stages, it's simultaneous and organic, but it also has taken away some of the check marks that you had in past waterfall groups.

Another quick quote here from a very large three-letter software vendor as they started bringing agile into their environment. They said: headquarters involvement is limited to providing guidance, money and moral support at the outset; on a day to day basis top management seldom intervenes; the team is free to set its own direction. And one of their top management folks said: as management, we're just venture capitalists; these teams ask for money, we give them money, we go away. While that does encourage a lot of things, I'll talk shortly about the problems it also causes. As you saw in my bio, I am a certified scrum master; I've worked in different scrum teams on two different continents, and I was scrum master for three teams in Stuttgart for a period of time, so there are advantages to it. But if you get a chance to take a look at the agile manifesto: in theory it's beautiful; in practice it's a little more of a challenge, and we'll get into that in just a minute. Along the way, for those of you who are PMP certified (I'm not yet, hopefully in September), agile was added to the PMBOK 2013, the project management book of knowledge, and it's the practice of many organizations all over the world, including scrum loops. So as I said, the baby's right there, it looks really awesome. So somebody comes along with a new idea, had to have that; this is what this three-letter company was saying: somebody comes up with an idea, they take a box full of money, and they're empowered to take the idea and make it into a reality. The question for those of us here is: is it going to be a secure reality, or is it not?

So let's talk about the advantages. I'm a glass half-full kind of guy most of the time; ask my children here at the back and they'd argue with that. So it truly does give the developers a lot more visibility and control over the project. Part of what the development teams have been complaining about with waterfall is that it takes you two years to come up with a plan of how we're going to do all this, and by the time we get a plan and you can actually start working on it, it's too late, the landscape has changed. Look at the difference between an iPhone 4 and an iPhone 6; the world changed a lot, and that's a two-year window. If we take the landscape today and compare it to two years from now, wherever it actually goes, the landscape will change dramatically. So by giving us that visibility, getting involved earlier, you get started building things earlier; you also get their input for things like, if I'm told we're going to have a petabyte of data, searchable by any field, parsed fields, and I want it to return back in less than 10 seconds, most developers might balk at that, but by getting in early and taking things as they come, it actually does work. Also another thing you want to take advantage of is, just like we're saying, if you've handed them this box of money, tell them that they're responsible for what's going on; it's almost like having your own small business without risking your paycheck, and keep that bottom line in mind. More advantages: developers say, you always keep shrinking our window, keep asking for more. One of the key ideas behind agile development is that it says to maintain a sustainable pace for your development. So what's supposed to happen, if you're doing scrum, over the first three cycles, is you're supposed to figure out how much work a team of people can actually do, and from there, for the next cycle and the next cycle and the next cycle after that, the development team only accepts that amount of work. So if they can do 16 units of work in two weeks, from then on they're not going to accept a deadline that includes more than 16 units of work within those two weeks. So that is something where you don't have people working until three or four o'clock in the morning trying to get something ready to pass off to the operations team to deploy at the last minute. The other side of it is, if it's working properly, it encourages developers to meet their commitments: for the last five sprints we turned out 60 units, and for this sprint we only have 35; that's going to look really bad to your product owner, to your product management, to your manager, so there's a little push to make sure that you're at least getting your work out when it's working. The next thing is, every sprint you reprioritize the entire list of work that hasn't been completed yet; so if you figure out that the iPhone 7 is going to have a super camera and you're working for Samsung, maybe you make it more important to get a better camera into your products than the iPhone; so it allows you to adjust to market changes. Whenever the pieces delivered are production-ready code after each development cycle, the idea is, if I had to stop it all right now and just release this product, everything that I've done in the past is done, tested, and ready to go out to the public.

Now the other side of the room, for the agile people: it absolutely, positively requires a mature development team. I've seen the government, I've seen many commercial seniors out of the United States: we want to use scrum, we want to be agile, we're going to be
more successful. When you take a bunch of kids with less than two years of experience, it works out as well as for the issues on your own fleet; so that's a disadvantage. Another piece of it: every team we've gone through, team to team to team, there was an architecture role; no form of agile that I've seen so far has an inherent system architect role. Explain that to a bad shortage. The other thing is, like I said, you're re-evaluating your priorities every two weeks, on some occasions. So if you've got a version 1.0 that's sitting out there, you finished the development cycle, because you're working on 1.3 or whatever that hasn't been released yet; well, they find a security bug, and your number one priority for the next sprint is that we fix the security bug in 1.0. What comes with that? A functional user bug, and something that's dependent on IE 10 so the user can use it; then all of a sudden you lose a sprint, or two sprints, or three sprints just plain knocking off the bugs that you didn't pick up along the way, because you didn't have the pieces that you used to have, the gateways with the functional testing and the load testing and the security testing. Once again, you're so focused on these two-week small cycles you can't see the forest because of the trees; you're looking at what's the next two weeks, what's the next two weeks, what's the next two weeks, and you can very easily lose your way; we ended up building something that was not even remotely where we started. Developers, I'm going to get in trouble for this one, but they rely very heavily on third-party libraries; that's good, that's bad, I'll talk about that a little bit more. And then the other piece of it is, now that you have all these functions in one team, and remember a standard agile team is supposed to be a max of seven people, you've got to have design, development, testing, security, platform knowledge, operating system knowledge, all on this small team, and what tends to happen, and it happens on my team right now in my current job: I'm the Java guy, I'm the only guy on the team who's ever written Java, so when that comes down the pipe, this job, they come to talk to you; there's Tom's work with next week; and so by doing that you're defeating what you were trying to get to. I'll talk about fixing that in a minute. Another disadvantage, from a hiring perspective: you've got to have people who are going to be super organized, they've got to have a lot of different backgrounds, and they've got to be willing to use it. As a manager,
when I was a manager, I had one brilliant, talented individual who knew Linux, but all he wanted to do was develop code; so when I needed something done to the platform to make it run better he had no interest in helping. So you've got to have multi-discipline backgrounds and people who are willing to use them.

Now for my favorite part about agile: each development cycle is a finite amount of time, two weeks; if you're doing it right, you kick off your nightly build at 10 o'clock on Friday morning, or Thursday morning or whatever it is, and that's it, nothing else gets in; this is supposed to be production-ready. Now, the definition of done: what is done? The developer gets up when the tests pass. Now, I hear a little about some integration testing, automated tests from the back end all the way to the UI; I can stand something with that, okay. But most developers, you ask, as soon as it compiled in your IDE, we're done. If you ask the tester, it's when the functional tests pass. If you ask the build manager, he's going to say when all the automated tests pass. If you ask somebody who has to deal with customers on a regular basis, like me, I'm going to tell you that it's when the coding is done, when the functional tests pass, when the security tests pass, when the load tests pass (somebody help me: it runs great at 4,000 bits per second, go to 160,000 a second and it blows up, and it only happens on this one customer; doesn't want to go with customs), and it's documented, oh my goodness, don't get impatient, and it's documented correctly, and it's in documents that the customer can actually get to. So the definition is very fluid. When you get into a more mature shop, with developers who've actually had to get on customer calls once in a while, they understand all these things; with the kids who are coming straight out of school, lots of lunch. So that's actually one of my favorites, the way any...

So can we fix it? That's the big thing. I mean, agile's popular, it's growing, there's amazing success stories; there's also epic failures. So the first thing you've got to do is focus on your team. You have to build your team very, very carefully: cross-functional team members don't grow on trees, and they're not cheap, trust me; if you're going to hire me it's not cheap. At the same time, if you've got your group set at 5, 6, 7, how many senior folks on your team can you afford? Maybe one big guy, that's it. If you look at what we just
got out of here, do you think it'd just be cool? They say you have to get experienced people on your team; once you have this, the burnout; but really you've only got time to pull up one person with each team. And if you also look at the notes of the Scrum Alliance, which is where I got my scrum master certification, they say team stability, team stability, team stability. I will argue that there's one thing that's more important than team stability: having the right mix of people to do the job. My team has been together for two years, and I've been doing backend stuff; going into the front end now, I've got to have somebody with a way of steering. If I break up my team and go through the three sprints to get our work measured out again, it's the cost of doing business; lots of people do the same thing with the wrong solution, a lot worse.

Still focusing on your team: with great power comes great responsibility, close to a quote my grandfather told me when I was probably seven or eight years old, when he actually let me drive the riding lawnmower. Teams are treated like startups; each person has to pull their own weight, each person has to be willing to give up: can't watch Mr. Robot, models have watched on TV all morning before going to work, or have to cancel dinner reservations to take care of something. There's a team that I'm really, really, really not going to name, but for the last five sprints in a row they committed to 120 units and completed 45, and 45 is the high-water mark of a man since the sequel. If you commit to it, get it done. Those of you who played baseball, volleyball: if in your mind you've got a good read, it doesn't matter how far the wind pushes it, you've got to go get it. Same thing here: if the team sits down and says we commit to doing this work, you've got to get it done. If you don't, you're going to disappoint your team, you're going to disappoint the product owner for sure, as he's taking it that it was ready to release; management takes the bottom line. And the other piece is that you're taking this; if someone is not skipping Mr. Robot when they need to, you've got to find a way to bring it back; you do your part, you're working together, help your teammates, make sure that there are collaborations. I'll say it again right here at the bottom: I'll start at the bottom and go up. Don't single out the top guy: I'm just handed the Java stuff, they go through it and rest in higher up. Pair programming is not just about code review; it's about coming up with different ideas; it's also about bringing up the whole team, or somebody who's awful at, like, C#, get them into the Java world, so that way the team can actually develop, so that you're all Swiss Army knives of different pieces, because as soon as I'm gone, things are going to be in trouble; I forgot I had that skill anymore. Communicate: all the things can be distracting; I've got, unfortunately, HipChat, there's our chat on every subject; I keep it up in the background all the time; I come across something interesting, it goes out to the rest of my team so we're not redoing the same stuff over and over again. Stand-ups are awesome. The hardest thing I had to get across to the teams in Germany: 8:30 stand-up, 8:30 stand-up, and don't just show up with a cup of coffee in your hand and say, yeah, I'm working on whatever you told me to work on yesterday, take a sip of your coffee, and move on to the next person. Show up awake, communicate things, actually talk about what you're doing; if you have a problem, don't be embarrassed to bring it up; use your two minutes wisely before we go to the next person; other people sometimes know about something that you could have asked about.

Stakeholder involvement: let's talk about stakeholders for a second. Somebody who has a security focus has got to be a stakeholder. In scrum it's going to be, typically,
business analysts or investors; you've got to have somebody with a security focus as one of your stakeholders, and then the stakeholders showing up every two weeks to the review; it's got to happen, especially the ones who are security folks, so they can take a look at it and make sure that you're doing things as you say. Share together.

The next one, from an operational standpoint, thank you sir, yes: keep it simple, son. Modern applications, especially like the one that I work on, have hundreds of modules and libraries, a lot of these third-party solutions; you see somebody who wants to do something in Groovy, somebody wants to do something in Python; from an operational standpoint it's impossible; it's the long-term costs. Developers are expensive, like I said I wasn't cheap when I was one, but the developer works on something for a few months; the operational guys are going to have to support this stuff for five years, seven years, so even if it takes a little bit more time upfront you've got to keep things simple. Einstein, I'll misquote here: everything should be made as simple as possible, but not simpler. And then I've got another one I picked up along the way: there are two ways of constructing a software design; one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The second one will cost you a lot of money down the river. I mentioned it: the operational guys work 24 by 7, and if they're having to support different programming languages running on a couple of different platforms, it's going to cost you in the long run.

And my last regular slide here: you've got to understand your risks. It's why one of your stakeholders has got to be a security focus. First, know your application top to bottom. Then you get the worst feeling, which I've had in the engineering groups previously, when somebody on a customer call asks, can you help me figure out why it's not returning properly? Bill did that;
Bill's at lunch, he'll be back by 2:30. You can't do that in the agile environment, you just can't; everybody's got to be Swiss Army knife enough to be able to help. A sixteen-year-old kid breaks down up here in front of the office building; I'm not mechanical, I've never rebuilt a car in my entire life, but I'll open the hood and I'll tap around on some of the theory that I know and try to help the kid get the car started. When I'm dealing with a customer, I'm the 16-year-old kid; so the team's got to be able to do that. AWS gives you some grand promises of security; when they said, if you're writing code there's vulnerabilities in it, so whatever gets involved, review it all, make sure you do some security testing. Test your code: unit tests are not good enough, ever, because there's no negative testing there. When the developer writes the unit test, he writes it based on what he expects the code to do; he's not going to throw the polyglot string that we saw earlier this morning into a text box and send it through to see what happens. He will if there's an abuser story about that; otherwise, no, he won't; and that's how you get those injections in your application.
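As an added example (not from the talk), here is what that distinction looks like in code: one text-box field handler, the developer's "expected use" test, and the "abuser story" negative tests the speaker says are usually missing. The field contract, the function names and every sample input are assumptions constructed for the example.

```python
import html
import re

MAX_LEN = 64
# Allow-list for an assumed "display name" field: letters, digits, space, . _ ' -
_ALLOWED = re.compile(r"[A-Za-z0-9 ._'-]+")


class RejectedInput(ValueError):
    """Raised when a text-box value breaks the field's contract."""


def accept_display_name(raw):
    """Validate a display-name value and return it ready to echo into HTML.

    Contract (assumed for this example): a str, 1..MAX_LEN characters after
    trimming, only allow-listed characters. The return value is HTML-escaped
    so the one risky allowed character (') cannot break out of an attribute.
    """
    if not isinstance(raw, str):
        raise RejectedInput("not a string")
    value = raw.strip()
    if not value or len(value) > MAX_LEN:
        raise RejectedInput("bad length")
    if not _ALLOWED.fullmatch(value):
        raise RejectedInput("disallowed characters")
    return html.escape(value)


def rejects(raw):
    """True when the field refuses the value (the negative-test helper)."""
    try:
        accept_display_name(raw)
    except RejectedInput:
        return True
    return False


# Abuser-story inputs (constructed): the things a happy-path unit test never
# sends through the text box. Each must be refused, or come back carrying
# nothing a browser would treat as markup.
ABUSE_CASES = [
    "<script>alert(1)</script>",   # markup in a name field
    "' OR '1'='1",                 # quote-and-operator style payload
    "a" * (MAX_LEN + 1),           # oversized value
    "",                            # empty
    "   ",                         # whitespace only, empty after trim
    "name\x00null",                # embedded NUL byte
    "Jane\nO'Neil",                # embedded newline
]


def abuse_cases_all_handled():
    """Run every abuser story; True only if each is rejected or fully escaped."""
    for case in ABUSE_CASES:
        if rejects(case):
            continue
        out = accept_display_name(case)
        if any(ch in out for ch in "<>\"'\x00\n"):
            return False
    return True


if __name__ == "__main__":
    # The test the developer writes: expected use.
    print(accept_display_name("  Jane O'Neil "))   # Jane O&#x27;Neil
    # The tests the talk asks for: abuser stories.
    print(abuse_cases_all_handled())                 # True
```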
Third-party solutions: I'll beat on Java for a second; Struts is a perfect example. They shipped out example code that many developers, including myself, honestly, starting out, blindly copy-pasted into our apps; when they started looking at the applications that were running, they'd see there were cross-site scripting vulnerabilities, information leakage, there were no finally blocks. So regarding solutions: before you actually build it into your environment, it's a matter of time; I would say an hour to test upfront is better than bolting a whole bunch of stuff on and trying to test it later; if you have to switch it out, you pay three times as much. Train your development teams. I'm not kidding, that GIAC exam was hard, and I've been doing this a long time. So get them out there, send them to a conference like this; the money is definitely going to be worth it in the long run. SANS courses aren't cheap, 20 bucks then 500 bucks; but in the end, days off prior encounters reduce your risks. If you've got a static HTML website and somebody comments about cross-site scripting, if it's not persistent, maybe you don't need to make that the number one priority to fix. But if it's in the back end where somebody gets access to one hundred thousand medical records, that's a little bit different. So go prioritize. Right, any questions at this point? Everybody looks like
this, go away. This was the question: what's a unit? It's defined by the team. So if you define a unit as an hour's worth of work, it can be half a day's work, a day's work; so it all depends on the team; the team kind of figures out a baseline. So if I'm writing a function, it takes this long to do it; that's my smallest unit of work. So when I look at the requirements that are coming in for the next story, the user story, I can take that small piece of work and say, huh, this should take about ten times as long, so it's going to take ten units. So it's a relative scale; every team has a different value, for sure.

So I use story points, which is going to put these in units. So let's say we're doing backlog grooming on a Monday for the sprint, so maybe we have a story like: as a user, I want to see that I have this information on my export business. So during that, as a developer, we'll look at that; if we use zero points, it's like a type of a circle, so in practice everything's at least one point. So one point would be no time up to a couple of hours; two points is half a day-ish, in a sprint; three points is a whole day; five points means it's a little bit more than a day, but you're into, it really needs to be more than one story; and eight points means it needs to be broken up further before it gets estimated. Because of the law of averages, that actually helps you track velocity very well, as simple as that is. So when you're gut-checking to say, is this like this work, maybe you're going between developers, if you're playing poker to decide what value for this; and that's where that comes from. As the team works together, it's shocked with me how accurate using this mechanism is, pretty humorous, as long as you don't fly off to do pieces.

So yeah, I mean, you can also put it a little more practical: let's say it takes me 45 minutes to mow a half an acre, which is what my house is on; another time we've got to go mow somebody else's yard, it's got a half an acre on pretty flat land, it should take me 45 minutes. But if I'm going to go mow five acres up on the side of Eagle's Nest mountain, where a lady has a nice summer cottage up there, it should take me about six times as long. So that's kind of how you estimate your work in these units; it's really a teenager coach integra grade right episode. So the main thing is consistency; obviously you can shift over time, but you're not resetting your metric every time you pick it up. It tries to solve a fundamental problem in development, in that development is inherently difficult to estimate accurately, because there's so many parts that are sort of up in the air; until you build it, you don't really know what you're going to build. It's not like a house, where it's very measured, like measurements, and this is what your house costs and we need this many of that; that's very, very... I'm sorry, that's
why I'm just going to say, for those of you who've downloaded the slides from the website when they're posted, I've got references to everything I referenced along the way.
[Applause]