Wednesday, November 20 • 12:00pm - 12:50pm
Case Study: 10 Steps to Agile Development without Compromising Enterprise Security


Video of session:
https://www.youtube.com/watch?v=Y31qgnF-Bzg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=30

In an Agile, fast-paced environment with frequent product releases, security code reviews and testing are usually considered a delaying factor that conflicts with success. Is it possible to keep up with the demanding pace of continuous integration and deployment without abandoning security best practices?

We started our journey seeking a way to reduce the friction, risk and cost that come from identifying vulnerabilities too late, once code is already in production. After a long road and many lessons learned, we have successfully added in-depth security coverage to more than 20 Scrum teams and up to 1M lines of code. We are happy to share our insights, tips and experience from that process.

LivePerson is a provider of SaaS-based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform every month. LivePerson's R&D center consists of hundreds of developers who work with Agile and Scrum-based methods, closely tied to our Secure Software Development Lifecycle (SSDLC).

To achieve the best results and reduce friction, we tailored the SSDLC to the standard Scrum process and added security coverage (both operational and technical controls) to each phase:
- a mutual Security High-Level Design with the Software Architects after release planning;
- definition of the technical security controls and framework during sprint planning;
- implementation of ESAPI and Static Code Analysis at the CI stage;
- manual code reviews;
- Automated Security Tests during QA; and
- a penetration test as part of the release.

This session will include detailed information about the methodologies and operational cycles, as well as measurable key success factors and tips on implementing the tools and technologies we use (e.g. the ESAPI package, Static Code Analysis as a Maven step, vulnerability scanning plugins).
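The "Static Code Analysis as a Maven step" control named above can be wired into the CI stage so that a security finding breaks the build before the sprint's code ever reaches QA. The pom.xml fragment below is an added example constructed for this page, not LivePerson's own build configuration: it binds the SpotBugs Maven plugin, loaded with the Find Security Bugs detector set, to the verify phase. The project coordinates, the plugin version numbers and the spotbugs-exclude.xml path are placeholders.

```xml
<!-- Added example (not LivePerson's own build configuration): a pom.xml fragment
     that runs SpotBugs with the Find Security Bugs detectors as a Maven step and
     fails the build on findings. Coordinates and version numbers are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- placeholder coordinates -->
  <artifactId>sample-webapp</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <build>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>SPOTBUGS_PLUGIN_VERSION</version>   <!-- placeholder -->
        <configuration>
          <effort>Max</effort>              <!-- deepest analysis: slower, but fewer misses -->
          <threshold>Low</threshold>        <!-- report low-confidence findings as well -->
          <failOnError>true</failOnError>   <!-- any reported finding fails the build -->
          <!-- Suppressions live in one reviewed filter file rather than in
               annotations scattered through the source tree, so every accepted
               exception is visible in code review. Placeholder path. -->
          <excludeFilterFile>${project.basedir}/spotbugs-exclude.xml</excludeFilterFile>
          <plugins>
            <!-- Find Security Bugs adds the web/security detectors (injection,
                 weak crypto, path traversal, ...) to the stock SpotBugs set -->
            <plugin>
              <groupId>com.h3xstream.findsecbugs</groupId>
              <artifactId>findsecbugs-plugin</artifactId>
              <version>FINDSECBUGS_VERSION</version>  <!-- placeholder -->
            </plugin>
          </plugins>
        </configuration>
        <executions>
          <execution>
            <id>security-static-analysis</id>
            <phase>verify</phase>   <!-- after unit tests, before install/deploy -->
            <goals>
              <goal>check</goal>    <!-- 'check' fails the build; 'spotbugs' only reports -->
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, the CI job runs `mvn verify` and the build fails whenever the analysis reports a finding above the configured threshold; developers can reproduce the result locally with the same command. Binding to verify rather than to an earlier phase keeps the fast compile and unit-test feedback loop intact while still blocking the artifact from being installed or deployed, which is the point at which a vulnerability becomes expensive to fix.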

References:

OWASP ESAPI: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Writing Secure Code, Second Edition, Michael Howard and David LeBlanc, Microsoft Press

The Burp Suite: http://portswigger.net/burp/

OWASP Developer Guide: http://ignum.dl.sourceforge.net/project/owasp/Guide/2.0.1/OWASPGuide2.0.1.pdf

Speakers

Yair Rovek

Security Specialist, LivePerson
A technical information security specialist with more than 25 years of experience and strong knowledge in Network and Web Applications.


Wednesday November 20, 2013 12:00pm - 12:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis
