Friday, September 29, 2017

Agile Application Security book

This is the first post in a while. I've been busy working on a bunch of projects. One of them is now finally complete: a book on Agile Application Security for O'Reilly, with Laura Bell, Michael Brunton-Spall, and Rich Smith.

In this book we try to build bridges between the security community and Agile teams, by taking advantage of our different experiences and viewpoints:

  • Rich's extensive experience as a pen tester, and running the security team at Etsy.
  • Michael's experience in hyperdrive Agile development, DevOps and security at The Guardian and the UK Digital Service.
  • Laura's work as a software developer and application security cat herder with large and small organizations in many different stages on their journeys to Agile adoption.
  • My work in development and operations in enterprise financial technology.

This is a unique book that looks at Agile from a security perspective, and security from an Agile perspective.

We explain the driving ideas and key problems in security, the core enabling practices in Agile that help teams succeed, and how security programs can leverage Agile ideas and practices, including how to deal with important risks and problems, and how to scale.

We look in detail at security practices and tools in an Agile context: threat and risk management, how to think about security in requirements, secure coding and code reviews, security testing in Continuous Integration and Continuous Deployment, what scanning can and cannot do for you, building hardened infrastructure and running secure systems, and putting all of this together into automated pipelines and feedback loops.

We also step through regulatory compliance and how to achieve continuous compliance; and how to get value from working with outsiders, including auditors, pen testers and bug bounty programs. We end with how to build an agile security culture and how to break down walls between engineers and security.

It was a unique opportunity to work with experts around the world: Michael in the UK, Laura in New Zealand, Rich in the US. Challenging, exhausting, and a great learning experience.

Our hope is that it offers value to developers who work in Agile environments and are new to security; to people in the security community who want to understand how security can keep up with high-velocity Agile and DevOps teams; and even to people who are expert in both.

4 comments:

komal patodi said...

Worthful Hadoop tutorial. Appreciate a lot for taking up the pain to write such quality content on Hadoop course. Just now I watched this similar Hadoop tutorial and I think this will enhance the knowledge of other visitors for sure. Thanks anyway. https://www.youtube.com/watch?v=cY5AnQMdXhY

james john said...

Excellent information. Very interesting to read. I really love to read such a nice post.
infinite logo design
logo design uk
professional app development

Artius Technologies said...

This post is extremely pleasant and educational. The clarification given is extremely exhaustive and useful. Thanks

Software Development Company Visit To Artius Technologies

Software Development Company Visit To Software Development Company

chandu chinnu said...

Thanks for giving great information about DevOps. Good explanation, nice article.
Anyone who wants to learn advanced DevOps tools or DevOps online training:
DevOps Online Training
DevOps Online Training hyderabad
