
Agile Application Security

Book Description

As the fastest-growing, most commonly adopted development lifecycle, agile software development enables organizations to react quickly to rapidly changing customer requirements and market conditions without heavy capital investment or long delays. But many people in the software industry believe that this finely tuned balance of processes, patterns, and practices is difficult to integrate with traditional security management techniques.

With this practical guide, you’ll learn a range of security tools and techniques specifically adapted to integrate with agile development. These practices aim to bridge the divide between these two worlds and bring security confidence and consciousness without compromising innovation, flexibility, and speed.

Table of Contents

  1. Agile Security
    1. Welcome to Agile Application Security
    2. How does this book help you?
      1. The Agile Practitioner
      2. The Security Practitioner
      3. The Agile Security Practitioner
    3. How to read this book?
      1. Part 1 - Fundamentals
      2. Part 2 - Agile and Security
      3. Part 3 - Pulling it all together
  2. Getting started with security
    1. This isn’t just a technology problem
    2. Not just for geeks
    3. Security is about risk
      1. Vulnerability, Likelihood and Impact
      2. We are all vulnerable - Vulnerability
      3. Not impossible just improbable - Likelihood
      4. Measuring the cost - Impact
      5. Risk can be minimised, not avoided
      6. We live in an imperfect world and have to make hard decisions
    4. Threat Actors and Knowing your enemy
      1. There is an attacker for everyone
      2. Motivation, Resources, Access
    5. Security Values: Protecting our data, systems and people
      1. Confidentiality, Integrity and Availability
      2. Non-repudiation
      3. Compliance, regulation and security standards
    6. Common Security Misconceptions/Mistakes
      1. Security is absolute
      2. Security is a point that can be reached
      3. Security is static
      4. Security requires special <insert item/device/budget>
    7. So welcome, let’s get started
  3. Welcome to the agile revolution
    1. Agile, a potted landscape
    2. Scrum, the most popular of agile methodologies
      1. Sprints and Backlogs
      2. Stand-Ups
      3. Scrum Feedback Loops
    3. Extreme Programming
      1. The Planning Game
      2. The On-site Customer
      3. Pair Programming
      4. Test Driven Development
      5. Shared Design Metaphor
    4. Kanban
      1. Kanban Board: Make Work Visible
      2. Constant Feedback
      3. Continuous Improvement
    5. Lean
    6. Agile methods in general
    7. What about DevOps?
    8. Agile and security
  4. Agile Enablers
    1. Build Pipeline
    2. Automated Testing
    3. Continuous Integration
    4. Infrastructure as Code
    5. Release Management
    6. Visible Tracking
    7. Centralised Feedback
    8. The only good code is deployed code
    9. Operating Safely and at Speed
  5. Working with your existing agile lifecycle
    1. Traditional Application Security Models
    2. Per iteration rituals
      1. Tools embedded in the lifecycle
    3. Pre iteration involvement
      1. Tooling for planning and discovery
    4. Post iteration involvement
      1. Tools to enable the team
      2. Compliance and audit tools
    5. Setting Secure Baselines
    6. What about when you scale?
    7. Building security teams that enable
      1. Building tools that people will use
      2. Documenting security techniques
    8. Key Takeaways
  6. Security and Requirements
    1. Dealing with Security in Requirements
    2. Agile requirements: telling stories
      1. What do stories look like?
      2. Conditions of Satisfaction
    3. Tracking and managing stories: the Backlog
    4. Dealing with Bugs
    5. Getting Security into Requirements
      1. Security Stories
      2. Privacy, Fraud, Compliance… and Encryption
      3. SAFECode Security Stories
    6. Security Personas and Anti-Personas
    7. Attacker Stories: Put your Black Hat on
      1. Writing Attacker Stories
    8. Attack Trees
      1. Building an attack tree
      2. Maintaining and using attack trees
    9. Infrastructure and Operations Requirements
    10. Key Takeaways
  7. Agile Vulnerability Management
    1. Vulnerability Scanning and Patching
      1. First, understand what you need to scan
      2. Then, decide how to scan and how often
      3. Managing Vulnerabilities
    2. Dealing with Critical Vulnerabilities
    3. Securing your Software Supply Chain
      1. Vulnerabilities in Containers
      2. Fewer, Better Suppliers
    4. How to fix Vulnerabilities in an Agile Way
      1. Test Driven Security
      2. Zero Bug Tolerance
      3. Collective Code Ownership
    5. Security Sprints, Hardening Sprints and Hack Days
    6. Taking on and Paying down Security Debt
    7. Key Takeaways