Why can't we be friends? Integrating security into an existing agile SDLC

Linux Conf AU - January 2015 - Laura Bell

Agile development is often seen as a delicate balance of ritual and roles allowing for rapid development, continuous deployment and the expansion of the post-it note industry.
Security is often seen as a lumbering giant of process, governance and technology allowing for increased control, reduced risk and the expansion of the technology vendor industry.
What if you could merge the two? No really! What if these two former polar opposites can be made to play nicely together?

The world of security is changing to meet the needs of agile software development. Organisations around the world are coming up with tools, techniques and processes to make security a continuous presence to support developers.

In this talk I will outline the questions and challenges involved with implementing security in an agile SDLC, outline some techniques and tools that you can use and share some lessons learned from my journey so far.

So whether you are a shiny new start-up wanting to secure development from the beginning or you are an existing company with years of well-earned technical and security debt; this talk is for you.

Presentation is available here
Video of this presentation can be found here

Eradicating the human problem

Kiwicon 8 - December 2014 - Laura Bell

People are a problem. We are tangled balls of emotional detritus that masquerade as trusted members of society. Underneath this lacquered veneer of respectability, however, writhes a tiny pink squishy ball of vulnerability - the root of all evil, well, the root of security issues anyway. Let me tell you a story, let me bend your brain and make you feel uncomfortable. I want to show you why we are all our own worst enemies, why we should never ever be trusted and why security people are the worst of them all.

Then, I will cross the creepy line and introduce AVA, the first prototype automated human vulnerability scanner. A tool for automatically mapping networks of people, attacking them and measuring the results. A tool for spotting the weak link in an organisation.

A tool to help remove the squishy human element of human security. This is the future, a first step towards a greater good or a dystopian nightmare. You're welcome.

Presentation is available here
Video teaser trailer for AVA can be found here.

Teaching good developers to be bad people

Microsoft TechEd New Zealand - September 2014 - Laura Bell

From a young age, we are taught to be good people. Don't touch that! Don't go over there! Be careful, you'll break it! We are taught to anticipate what the behaviour of a tool, system or environment should be and to interact with it accordingly.

As developers, we apply these rules and behaviours to our code. Not everyone sees the world like this. Security vulnerability often stems from people ignoring the expected behaviour, challenging the edge cases and constantly asking 'what if I press this?' Are we limiting ourselves by being 'good developers'? Can we undo years of education and throw away the rule book? Will that make us bad people or better developers?

Presentation is available here
Video of this talk is available here.

Integrating security into an existing agile SDLC

Microsoft TechEd New Zealand - September 2014 - Laura Bell

Agile development is being embraced by a wide range of New Zealand organisations and producing a range of innovative products and services. Integrating security into this lifecycle however is challenging. While there are some great tools and guides available, these often assume that you are building in security from project conception. Unfortunately, when you already have a product with thousands of lines of code and dozens of developers, these tools and techniques can be difficult to apply - it can be hard to know where to start. Speaking from hands-on experience, this talk examines how to bring security into your existing agile development lifecycle and codebase, what tools are available to you and how to overcome common challenges.

Presentation is available here and here.

Blindsided By Security

OWASP Day 2012 - August 2012 - Laura Bell and Britta Offergeld

Lateral Security and The Royal New Zealand Foundation of the Blind examine the guidance and security best practice commonly in use for web applications today and how effective they are for those with visual impairments. In addition, a series of improvements and solutions are outlined.

Presentation is available here

Practical tools for privacy audit

Privacy Awareness Week - May 2012 - Laura Bell

Presented at the Privacy Forum in Wellington as part of the Privacy Awareness Week 2012. This presentation provides an introduction to "practical tools to manage privacy risks".

Presentation is available here.

Bruce Schneier Lecture - In2securITy Overview

NZITF - May 2012 - Laura Bell

An overview of the in2securITy initiative, a non-profit organisation which aims to encourage IT students into the IT security field and then supports those students as their careers progress.

Video for this presentation is available here and the slides are available here.

Going Rogue

Kiwicon V - November 2011 - Laura Bell

Ever felt like someone is watching you? Wish you could protect yourself but find your tin foil hat a bit uncomfortable for social occasions? This talk is for you. From unlikely ways to communicate using normal, unmodified household electronics, to keeping yourself financially afloat when you can't use your bank... in 25 minutes or less I will give you the tools and techniques to survive when you need to go off radar for a while.

Presentation is available here.
