Escolar Documentos
Profissional Documentos
Cultura Documentos
Can We Be Both?
Keith Landrus
Director of Technology
Denim Group Ltd.
keith.landrus@denimgroup.com
OWASP (210) 572-4400
AppSec
Seattle Copyright © 2006 - The OWASP Foundation
Oct 2006 Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/
Background
Source: http://www.agilemanifesto.org/
Communication
Simplicity
Feedback
Courage
Quality Work
OWASP AppSec Seattle 2006 7
Agile Practices
• Customer: scope, priorities
and release dates
The Planning Game
• Developer: estimates,
consequences and detailed
The Driving Metaphor scheduling
Shared Vision
Coding Standards
Continuously build, deploy
Pair Programming and execute all of the
system’s tests multiple times
per day.
Continuous Integration
OWASP AppSec Seattle 2006 9
Agile Methods strive to…
Sources:
“Writing Secure Code” 2nd Ed., Howard & LeBlanc
Threat Modeling
Security Testing
Requirements
Design
Implementation
Verification
Release
Source: http://www.ddj.com/dept/architect/191800169
SCRUM
Develop an Build
Overall Features Planning
Model List
Startup Phase
Design Build
by by
Feature Feature
Construction Phase
Source: http://featuredrivendevelopment.com/
OWASP AppSec Seattle 2006 27
SCRUM
Source: http://www.controlchaos.com/
OWASP AppSec Seattle 2006 28
MSF for Agile Software Development
Daily Stand-ups
Continuous Integration
Code Scanning Tools
Security Testing Tools
Pair Programming
New Features, Refactoring, Hazardous Components
Developer’s Checklist
Communication
Simplicity
Feedback
Courage
Trustworthy
OWASP AppSec Seattle 2006 39
Book Resources
http://www.agilealliance.org
http://www.xprogramming.com
http://www.featuredrivendevelopment.com
http://www.controlchaos.com
http://msdn.microsoft.com/vstudio/teamsystem/msf/msfagile