I did a couple of talks on this. The first was at OWASP AppSec EU 2008.

The talk abstract is here:

And my slides are available at:
ay_21-22 (search for my name 'Wichers')

I then did a reprise/updated version at OWASP AppSec US in NY in 2008.
The slides and a video of the presentation are available here:

Erlend Oftedal, of Bekk Consulting, then did a good talk from the
developers viewpoint at OWASP AppSec EU 2009, and the slides are
available here:
ference_-_May_13 (search for his name). There is a video of his talk
too, but it may be missing the audio (which is a shame).

I felt that my talks were kind of from the macro view of the problem
(i.e., top level down), where Erlend's talk was from the micro view
(bottom up) based on his experiences in the trenches as a developer
learning and trying to do security in agile.

I found both viewpoints useful and complementary.


-----Original Message-----
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Jari Pirhonen
Sent: Tuesday, September 07, 2010 12:42 PM
To: sc-l@securecoding.org
Subject: [SC-L] Agile (Scrum) best security practices and experiences?


Agile development is spreading fast. I have discussed with many 
agile/Scrum developers and consultants and asked about security 
integration. I have got mostly vague answers about general quality 
enhancements, trusting the team and of course pointers to security 
critical applications they have developed.

I know about Microsoft SDL guidelines w/ agile development guidelines.

Best practical presentation I've seen comes from Nokia, now also 
presented at OWASP, 

I've also discussed agile/security integration with other 
security professionals and software developers. For example we had a 
good meeting with nice security/developer mix arranged by Agile Finland 
and Finnish Information Security Association. Discussion results 
available here, 

Now - if anyone could share some *real world* experiences how to make 
agile/Scrum + security succeed without paralysing the agile team, I 
would very much like to hear.

What works, what not? How to start? What tasks/tools give the most benefit?

All other insights are welcome also.



Jari Pirhonen


Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
