Case Study: 10 Steps To Agile Development Without Compromising Enterprise Security – Yair Rovek

In an Agile, fast-paced environment with frequent product releases, security code reviews and testing are usually seen as a delaying factor that conflicts with success. Is it possible to keep up with the demands of continuous integration and deployment without abandoning security best practices?

We started our journey looking for a way to reduce the friction, risk and cost that come from identifying vulnerabilities too late, once the code is already in Production. After a long road and many lessons learned, we have successfully added in-depth security coverage to more than 20 Scrum teams and up to 1M lines of code. We are happy to share our insights, tips and experience from that process.

LivePerson is a provider of SaaS-based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform every month. LivePerson's R&D center consists of hundreds of developers who work with Agile and Scrum-based methods, closely tied to our Secure Software Development Lifecycle (SSDLC).

To achieve the best results and reduce friction, we tailored the SSDLC to the standard Scrum process and added security coverage (both operational and technical controls) to each phase: a joint Security High Level Design with the Software Architects after release planning; definition of the technical security controls and framework during sprint planning; implementation of ESAPI and Static Code Analysis in the CI build; manual code reviews; Automated Security Tests during QA; and a penetration test as part of the release.

This session will include detailed information about the methodologies and operational cycles, as well as measurable key success factors and tips on implementing the tools and technologies we use (e.g. the ESAPI package, Static Code Analysis as a Maven step, vulnerability scanning plugins).
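As an added illustration of the "Static Code Analysis as a Maven step" control described above (example configuration, not LivePerson's own), the following pom.xml fragment makes the CI build fail when the analyzer reports a finding. It assumes SpotBugs with the Find Security Bugs detectors, a tool choice the abstract does not specify, and uses X.Y.Z as version placeholders.

```xml
<!-- Fragment of a Maven pom.xml (added example, hypothetical project).
     Binds a SAST scan to the `verify` phase so that `mvn verify` fails
     the CI build when a security finding is reported. Assumes SpotBugs
     plus the Find Security Bugs detector plugin; replace the X.Y.Z
     placeholders with the versions your project pins. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: pin a real version -->
      <configuration>
        <!-- Analyse at maximum effort and report every priority level,
             so low-priority security findings are still surfaced. -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- Turn findings into a build failure: this is the gate. -->
        <failOnError>true</failOnError>
        <!-- Load the security-focused detectors (Find Security Bugs). -->
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>X.Y.Z</version> <!-- placeholder: pin a real version -->
          </plugin>
        </plugins>
      </configuration>
      <executions>
        <execution>
          <!-- Runs on every CI build of the sprint, not only at release. -->
          <id>sast-security-gate</id>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

A SpotBugs filter file containing `<Bug category="SECURITY"/>`, referenced via `includeFilterFile`, narrows the gate to security findings so teams are not blocked mid-sprint by style warnings.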

References:

OWASP ESAPI
Writing Secure Code, Second Edition, Michael Howard and David LeBlanc, Microsoft Press
The Burp Suite
OWASP Developer Guide

Speakers

Yair Rovek
Security Specialist, LivePerson
A technical information security specialist with more than 25 years of experience and strong knowledge of networks and web applications.

Managed by the official OWASP Media Project