
Agile Secure


Agence nationale de la sécurité des systèmes d'information. Integrating digital security into an Agile approach (Intégrer la sécurité numérique en démarche Agile). Direction interministérielle du numérique et du système d'information et de communication de l'État. An article from Wikipedia, the free encyclopedia.

Direction interministérielle du numérique et du système d'information et de communication de l'État

The Direction interministérielle du numérique et du système d'information et de communication de l'État (DINSIC) is a directorate placed under the authority of the Prime Minister, within the French public administration, responsible for coordinating the actions of government departments in the area of information systems. It is regarded as the information systems directorate of the French State. History: on 21 September 2015, the Secrétariat général pour la modernisation de l'action publique took over from the Direction interministérielle des systèmes d'information et de communication.

Agile Application Security - O'Reilly Media. Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques.

Agile Application Security - O'Reilly Media

And most security professionals aren't up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development. Agile Development Using Microsoft Security Development Lifecycle. Writing security acceptance criteria into an Agile story - New Context Security. When organizations write user stories for development, they should include security in the acceptance criteria.

Writing security acceptance criteria into an Agile story - New Context Security

The acceptance criteria are a detailed description of the expected features and functionality the story should deliver. Far too often, developers and product managers fail to include information security requirements as part of the acceptance criteria. Agile Security: User Stories Vs Acceptance Criteria. Agile Software Development: Don't Forget EVIL User Stories.

Introducing security-focused code reviews into Agile software development methodologies such as Scrum is not easy.

Agile Software Development: Don't Forget EVIL User Stories

Like stepping onto a moving treadmill, it can be done, but it has to be done carefully. Attempting to perform comprehensive code reviews between sprints is one example of how NOT to do it. This is akin to jumping onto a moving treadmill without holding onto the rails first. The point of Scrum is to deliver a small working increment of the software at the end of a sprint. Why should any Scrum team member spend ANY time on fixes for features that are NOT otherwise in a sprint backlog? How then to hold onto the treadmill rails before jumping on? Example #1. The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings.

The last step is to gate the completion of tasks on the sprint backlog with the successful completion of a security-focused code review. Evil User Stories for Modeling Evil Users. If you're like most Product Owners, you probably have a backlog full of user stories modeling just what you'd like to see your best users do with your product.

Evil User Stories for Modeling Evil Users

You have stories modeling how they get the most out of every feature, how they find every benefit laid out for them, and how they squeeze your best intent out of every corner of your product. Everything you've done has likely been with an eye towards taking care of your best users. But what about your "not so great" users? Minimum Viable Security – Mason. The least you can do to frustrate would-be hackers. 2018 is on track to be the busiest year ever for crypto hacks.

Minimum Viable Security – Mason

As of June of this year, losses from crypto attacks were estimated to total around $2.3 billion, and hackers have shown no signs of slowing down. If you hold or use cryptocurrency in any capacity, it's worth taking extra precautions to protect your funds from would-be thieves. Taking protective measures does not need to be difficult or stressful — the best way to shield yourself from these attacks is to understand the means by which hackers are entering private systems, understand the entry points that the hackers may target, and explore simple solutions that can protect against their go-to attack vectors. Minimum Viable Security - Gemini Security Solutions. Threat Poker. Development of a BowTie. The BowTie Method: Site Safety. A BowTie is a diagram that visualizes the risk you are dealing with in just one, easy-to-understand picture.

Development of a BowTie. The BowTie Method: Site Safety

The diagram is shaped like a bow tie, creating a clear differentiation between proactive and reactive risk management. The power of a BowTieXP diagram is that it gives you an overview of multiple plausible scenarios in a single picture. In short, it provides a simple, visual explanation of a risk that would be much more difficult to explain otherwise. While the power of BowTie is that it is very easy to understand for everybody, from top management to shop floor, developing a good BowTie is a completely different story. It requires a good knowledge of the BowTie concept, an understanding of the guidelines and how to apply them, and a good overview of the subject that is being assessed. There are 3 phases in the development of a BowTie. 1. Hazard: the start of any BowTie is the Hazard. Top Event: once the hazard is chosen, the next step is to define the Top Event. Threats. Consequences. 2.

The bowtie method - CGE Barrier Based Risk Management Knowledge base. AGILITY & DIGITAL SECURITY: Method and tools for project teams (AGILITÉ & SÉCURITÉ NUMÉRIQUES, Méthode et outils à l'usage des équipes projet, ANSSI)

Threat Modeling - Abuser story (Agile secure / security)