Help Me With Sign California Banking Word

Help Me With Sign California Banking Word online. Get ready-made or create custom templates. Fill out, edit and send them safely. Add signatures and gather them from others. Easily track your documents' status.


Make the most out of your eSignature workflows with airSlate SignNow

Extensive suite of eSignature tools

Discover the easiest way to Sign California Banking Word with our powerful tools that go beyond eSignature. Sign documents and collect data, signatures, and payments from other parties from a single solution.

Robust integration and API capabilities

Enable the airSlate SignNow API and supercharge your workspace systems with eSignature tools. Streamline data routing and record updates with out-of-the-box integrations.

Advanced security and compliance

Set up your eSignature workflows while staying compliant with major eSignature, data protection, and eCommerce laws. Use airSlate SignNow to make every interaction with a document secure and compliant.

Various collaboration tools

Make communication and interaction within your team more transparent and effective. Accomplish more with minimal efforts on your side and add value to the business.

Enjoyable and stress-free signing experience

Delight your partners and employees with a straightforward way of signing documents. Make document approval flexible and precise.

Extensive support

Explore a range of video tutorials and guides on how to Sign California Banking Word. Get all the help you need from our dedicated support team.

Help me with industry sign banking california word secure

all right they talk about steel experience from today hopefully you guys can hear me in the back if not just kind of your has been a major increase and that shift has made it more challenging for security teams to keep up especially when compared to traditional models at the waterfall I had the means increased even low latency which leads to some resources management our securities the risk of shipping insecure product is elevated because 70 or 90 days to inspect thoroughly and the good news is the security can't work with an animal can be done well can be done without having to allocate a lot of fun time security experts to development teams which is great it does require some flexibility on your part so this is kind of a case study and if I go through this case tell you what I'd like you to do is to listen to how our processes of all this all these some things that we knew may turn the Americans and then envision how you could maybe apply some of our learnings to your own head my hope is it will take away three things from this or one learn from our successes and mistakes number two improve your ability to ship secure software developed with and handled frameworks and number two create a relationship with dev teams less adversarial or the Parchin my name is pressing I lead a team of area code responsible for building security knowledge into our products and I also share a kind bility for product security with Narciso I spend most of the first part of my career doing objects investigating stuff before coming to America we focus more on the defensive side so the developers switches to agile a lot of times what happens the security teams get that you may not realize if you're not closely intertwined with your deputies you may not realize that the really links run and you may just get a product increment at some point that they want to release and they said hey can you test so if you don't adjust and understand how the development process works you to stay up-to-date 
with what's going on there's an information you survey that's released about a month ago it's called the app debt priority survey and they surveyed about 532 organizations about how they're getting various different parts of their relatives that process and what I'm asked about that so far they found that 69 percent of organizations were using edible and another 13 percent plan to implement some form of valuable within the next 12 to 24 months so you can add that together that's good run that's mostly all of them everyone's doing at it is about to stomach today whether it's full-on handle strong or just kind of agile like methodologies it's close enough in the same survey 76 percent of companies said that absolutely they're slightly or majorly improved their development finalized so it makes them more productive and makes them more faster more effectively so you can see that's why they were able to do that from a development point I'm a security point of view there are couple models out there that suggest how do you secure with an agile generic if you google it will find one from Microsoft it's as secure the address DL there's a good start but the problem with it and any sort of best practices metabolic approach to make some assumptions about your security resourcing the expertise on your team kind of assumes that unlimited resources and with it glosses over a lot of real world complexities and multiple scrum teams more than that single product is fairly common doesn't really talk about that very much so that's why so it's important to just to approach this topic from the perspective of the key steps if you have all this kind of real-world here the actual thing try to do this you know starting from a generic model so my welcome to Howard SD I was involved with the past three to four years since we made the move to have a scrum I'll go through a few spaces about some things that we tried didn't work for various reasons just gonna ask the context for that and then 
talk about how we're currently over the pasture the scale that made that something that gets pushed down into the usual individuals from seeing themselves using a program we call the security champions and I'll end with a discussion of challenges and future direction and some specific takeaways and learners will hopefully be useful to you anyway so several years ago four years ago now America we decided to start using Hannah strong from early on in the company you know you're seven we were using agile but we really are we you know we would write user stories but our friends would be six to twelve weeks we would miss release dates while eight months at a time we're not such an honest worker so there are a few reasons why we decided we need to go hold on we need to actually do this for real so we were to stay in the company of all of it from a single tie back to the multi product single team to molt each team single site to multi site so we need to determine or scale home to be unpredictable and more work as an organization it also be like the notion of continuous learning that comes with faculty you constantly reevaluate assessing what you're doing what's going well look so important where you can improve we like that we were recruited at Russell growth high rated lots of Engineers and one of the nice things about using scrum is it's a well-defined software assuming we would bring lots of new developers on from other other companies sure we got the ramping up on a product but we didn't have to rent the Muslims how you don't suffer they already knew house deposit so they understand your processes and they just mean the last thing I'll point out in terms the motivation to move to scrum is is completely driven by development teams right there's no regard for like oh should we move this from this affects security at all maybe they won't like that so it's not meant to be pointed out as a negative so much as it's an observation security teams have to adapt to the way the 
business wanted it wasn't necessarily the plaza responsibility to learn it and understand how the campus but purely private banking methodologies okay so just quick show of hands who uses a balloon today it's been about half this is pretty typical developers in the room okay okay so I don't want to give you all the bathroom angle and it's going to go pee then on your own I only use a few terms to wrap something very quickly define just the very basics of what you need to know so I can so I can talk about what we're doing is in some death so a few definitions I'll sprinkle around first things from ceremonies all right so you'll see different icons through the slides that kind of represent different parts of scrum and then it's great planning process and that's where you kind of have a meeting you can find that work to be done during the sprint the team chooses how much work it can and can commit to and go from there so every iteration you do planning cycle the calendar or eclipse daily scrum which is when you go and you get together a room the people that you stand up and talk about yeah what did you yeah what did you do yesterday what am I going to do today we're a month lot and can we small on something so that's the daily scrum yet the review demo meeting is when at the end of us friend who get together to say hey you're all the cool stuff we've done please show off what I've been on user stories and you just show you evaluate the changes that you've made to the product within that time frame and father the Left row is at a point where you as a team get together to reflect on the process and you think about what went well the Sprint what would fully and look me up on retro single meeting is meeting was not supposed to last a long time review is supposed to be an hour max and the retro was supposed to be about you know 45 minutes per week and sprint so these are short these are four things so this happens every sprint and sprint is the iteration the cycle of it 
the unit of measure for first run all right so when we first started okay they're moving to a drone what should we do so first thing we did was like well crap we need to know what is going on in development we need just we need to understand the stories of building what they're taking in what they're committing to but we know it's a contestant reasonable you can't just wait till the end and say oh it's just do a pen test we need to look at the individual stories that they would commit to and figuring out all right the business need a code review does this need a design consultation with the security expert does this mean a little miniature can test for this particular feature that's like super important in investing it's a pretty critical functionality so what we do is we just started going to their planning name so every for this particular team was every two weeks they'd have to our planet or the criticism they post about the ending to that particular sprint and that is what hold up the best friend so you sit there and then say oh that sounds like it's secure that doesn't sound too secure to get under the hood and just kind of make a note of what needed to be added to that particular story so adding a new JSP page somebody might say all right you need to go to view of that and we need to make sure that all developer understand across the school it's a very important include stories for that because this kind of kept track of it won't even be done where and tap the developer on the school nurse at 8:00 you know when you're done with that let me know so pretty pretty informal at this point number evaluated what we were doing in the style that you would do record so doing this kind of phase in our life cycle was good little boy so we have these physically new us what you're going anywhere we have 30 subject matter experts resuming the result in the scanner positions these obvious but up until then you can review the neuron products and another product suits you scan 
and then there's we're more closely aligned with development lifecycle and working with a difference yeah yes question is my team in a minute so much instantly and they were mostly the speed of mine that were responsible for building a unified or not nobody was hired to work on product security so basically at this point we were looking at you know a quarter of a one-person to you know to do the stuff that we're in this space what was bad for us here is that we were not using that particular time very efficiently so I mentioned you know he's sending minutes to our meeting just kind of listening is neuters perking up when there was something that we needed to do but you know you might sit there for 30 minutes listen the stories that have nothing to do with security what a waste of time so what we thought we need to change here like how do we figure out how to use time or how do we you know drop you in exactly how we need you and not have this enabled us to reach the security okay more definitions so this from you have a thing called product backlog and that represents all developing stories forgiven product all the stuff that you are eventually going to build with you had an idea to build the ideas to this rank and priorities so it's room the terms of what's most important top of the bookshelf as you move towards the bottom you have this kind of haphazard amman they may not have been prioritized yet but do you have this list this world of user stories that correspond to what you're going to eventually see the Sprint backlog slow pile of books here is the story of the team is committed to completing during a sprint during that two-week period this is the spitting off of the vendor and then finally the product increment stuff in the box is what's shippable at the end of the screen so my scrub definitions at the end of every sprint peoples have a shippable product yes that's it you have the acceptance criteria a ton of definitions done but your product should be okay 
so if we went from this first phase where we're kind of just seeing that everybody a lot of time and identifying what we should be working on the meantime the development teams did a few things to us that we didn't account for number one they took one huge from team they split it into three swim teams great slice on the surface 3 times more meetings they did that because they weren't adherence from wolverson you have to be seven plus or minus two people for a scrum team and at this point they were like you know 1820 people miss from T so that wasn't correct so they they split the difference from teams I think this is around the point where we also actually added you were switching balance tax from like rally to do removing a bunch of things ask you just have to kind of be aware that phase two three different scrum teams for this particular part of the product right and we're trying to use our time more effectively so we started doing is we said let's not sit in on that planet that's too much time let's meet with the technique for that particular scrum team which could be the scrum master to be diffidently it's not a strict definition that lets meet with them afterwards and just go through all the stuff that they committed to you like really quickly moves good ad like bam bam bam there's really no security in fact we'll just not talk about it we don't need to know what was designed for what the customer need is is if not a security impact we'll just skip over and so what that led to was like we could get through all this in 20 or 30 minutes instead of two hours downside is going to do it for three different teams now still we were coming out ahead using our time better and we were actually creating real stories in JIRA and attaching them to the main the main source we were creating essentially a subtask attaching the story and that way you couldn't close out the story to you this also close out the security subtask do a static now the code review interviews I don't 
even see that but you know we've got a code of you kind of as why crying face it could be anything it could be any sort of security activity and and that's that tight much better into the way that we were using the tools and you know and they already know the deputies already know you don't close out a story unless you finish all the subtasks all right while researchers fine I'm sorry extended they were kind of reaching out to us with questions with they're nice with the dev team during this period of change but they made a slip school split you think they were changing from a development effective you are able to continue helping on his team to stay integrated yeah okay well obviously because the team split I mentioned there's a peacetime commitment that we have so multiply anything by three even that we were increasing the team we were violating scrum still by changing stories during the sprint so if we go back and describe to get what you're doing yes bunking with the other room they do their planning they take in their work and then we would meet with them afterwards figure out which things needed security work and add work to each story which is the thing like this roughly you know change develop yeah adding work for them who are angular for us so sort of okay but still if you're not supposed to do that so that was bad and then also at this point we created a sort of a single point of failure by virtue of the fact that I had one person that I had kind of designated to go to all these meetings and the security tasking and do the reviews and you know that made it hard for him to go on vacation so what do we need to change we need to move earlier in the pre sprint planning activities into the room weren't adding up after spring and then also we needed to find a way to distribute the workload another thing that's worth pointing out here I can't remember exactly when this happened so did from the slide but at one point the developmental physician had some trading 
company come in to lose trimester thing for all day and we had probably 10 different uses for focusing on a subset of that here but they said alright we're gonna send all these developers from a strain so they know you know exactly how that thing works and they speak the same language so I said to people from security team to that as well because why not learn the vocabulary ou learn how you know sauce was made you're on the same page with the engineers and you know that can't hurt and it costs two days of their time and so and I got certified okay we're definition is fun in scrum you have a couple different roles your product owner you tell your father he's one with soup he is responsible or she comes before privatization that person is a single interface stakeholders stakeholders to be management to customers old people asking for stuff they build me this feature will be this how can this happen I said what's important you know what can I hold off three-quarters on what this won't make you lose a customer if I don't do it today yesterday so I master has it very as an internal focus on the team and the process it's not allowed for the product or this Promaster to be the same person scrum master is like running mate I'm calling the meetings make sure people don't go in rat holes just and the team is everyone else everyone else in the scrum team is doing the work it's gonna be developers QA testers DBAs and UX people self-organizing it can be seven people hustle - to it to make you perform but other than that the kind of comprise it anybody that is doing work this important part so after Ryan my projects pretty I went to swim master training he came back and said hey you know we have to have very similar roles to this on the security team if you think about the things that we do product owner is and this website is sort of the same thing as our security architect which is the person is strategic they're closing all the planning that the one that's kind of saying 
where security activities need to be at and look at the backlog the team member on the scrum team is very similar to what we call a security engineer the lack of a better word and that's where a person is no tactical they're not tightly coupled in particular to you they take little chunks of work like hit code review this page or go consult with this developer on how to decrypt them correctly but they're taking very tactical pieces of work in the same way that a scrum team member takes historian so we started just kind of designated everybody on the team it's like hey you're like you know five percent of security engineer and you're gonna start taking these little bits of work that we rolled out to you by our security protectors kind of you know willing to show had a doling out the world and figuring out making sure that we know so we simply removing earlier in the lifecycle so what we did is we had the security architect sit with the product owner every couple weeks and well they do if they move moving the backlog so the backlog if you remember is stores haven't been taken in yet stuff that's prioritize that we're gonna build eventually and we'll take will get taken into Sprint's as you go so the security architect sits there with the part learner they room starting from the top of the prioritize back wells down however well do they feel is about one Sprint's work or maybe a little bit more but you wanted to have spent this initial and they would just do the same thing as they have previously done post planning go through look at the story what is this does it have a screen path what would that scream Peck be what tasks should I add them to this so that when we build it we should make sure that we that we carry out from a security perspective and we create those subtasks and attach them to the story at that time so now when the scrum team goes into their planning session they're taking in stories that have already been grueling and prioritized from a feature 
perspective and also groomed and sub tasks from a security perspective so now the amount of work you're taking in is know the amount of work that's going to impact this three team is known and we're actually doing named according to discipline rules so that was that was a good improvement for us so now you have a sprint enemy these stories some of them have security tasks and window and individual developers are interacting with individual security engineers to work on that particular consult with that with you actually gives you your cross product internet oh say sir so that takes us to death like two years ago what was good well we were two more influential points to inject security we were better involved in design discussions we had a more accurate view of the sizing scoping their stories we had better visibility into tracking submitting the eSport we could look at kind of see exactly what came out of doing and we're starting to become scalable finally by distributing the tactical work amongst the team out the bad was that yes we did have more people involved but that creates complexity and complexity always it's worth mentioning is bad we thought we could do better training at this point and of the the individual dev teams themselves so we were doing a lot of work for them but they weren't learning a lot from it unless you know they made a station that they might learn a little bit about that particular thing we weren't really putting effort into training them beyond that so we thought well we should figure out how to do that and then we were thinking well we need to figure out how to incorporate our internal I security testing along with the existing QA testing we're just sort of yeah depending on the route ization can be kind of like there anything reasonable it's a little bit of a tangent but I think it's worth mentioning before we get into but they're called face forwards turning things this a little bit engineering heavy and less security specific but 
it's an important aspect of how we improve our processes, and that's why we do it. So the context here is that a lot of companies don't use their own products very much, or as effectively as they ask their customers to do so products which is medicine. And what happens when you do that is you've got a lack of empathy for your customers' pain points, and the solutions that you come up with for those pain points may miss the mark because you haven't experienced it yourself, right? You're just listening to how somebody else is having trouble: "I think I can solve that by, you know, tweaking this UI here," but you haven't tried to use it yourself so you get a lot. So we were using a lot of stuff; we weren't using it enough. And at the beginning of the year last year we said we should do a better tennis, we should put ourselves in our customers' shoes in terms of how do we incorporate our stuff into automated workflows. We were doing that, but we weren't doing that well. So we call this Punk arena, you haven't figured out it's pretty obvious, but eating your own dog food. And so what we focused on was better, more effective use of our APIs and our technology integration to do automated static and dynamic scanning that we saw by the way absolutely pessimistic.

So anyway, here's how we incorporated an automated security test before we got to this product Korean thing. Literally did so they release candidate training some of the login to Jenkins will kick off the build how to read kicked off builds in Jenkins. You have to build the code slightly differently for our analysis, so we have active button pick something. When the build was complete they would go download the JAR or the WAR files from wherever Jenkins, and then they would log into their feed website, upload it. We hear that they'll run the prescan, check for dependencies, a bunch of things. That takes a little while, some kind of coffee or something. When the prescan is complete, then they have to go select the modules that they wanted us to scan, as you can do partial scans to want they have to put Ron Bobby, and then they're waiting for this one coffee or that would vary from, you know, ten minutes to a few hours. And then when the scan's complete they're going to log in again to the platform. They have to log in because of course it timed out by then. And they do the results manually, do them at the issues that need to be fixed, going manually create, you know, your exceiiency. So that's at least three or four steps that require manual intervention, and more importantly they introduced a lot of latency.

So over the period of a few months what we did was we replaced every single one of those manual steps with automation, using various plugins and APIs. And, you know, you'd think that we would have been using those all along, except that not all of them actually existed; I'm just started doing it. So today we're using a Jenkins plug-in to interface with the APIs, perform the uploaded configurations, scans kick off automatically, little simple clicks. Developers don't have to log in to the website anymore to view results. We have a JIRA plugin which actually pulls out all the bugs that we find automatically into JIRA, right alongside all the other bugs they are working on, labels and the security and a CWE table, but basically they're just bugs, a bunch of bugs, 30 bugs or bugs. The only important things are that they're required to fix by virtue of the policies that you've set, so you know why unfortunately you're not gonna fix that. So now that's that is happens, and the work, the security work for they attribute it, shows up alongside all the other stuff that can be prioritized, one of the features. You know, we can say something that's critical the same way that we could before, except now it's just there.

Another thing that we improved during this phase was we started heavily using a feature of our platform called sandbox, which is like the Elissa develop of run a scan in isolation. It's kind of like an open book test the way, so they're not doing it officially. It's not, you know, the team doesn't see it, only they see it, so they can find issues earlier on, they can fix them and not have any anxiety around, you know, "what are the scans gonna find if I check this in, what's going to show up in the release candidate," which I guess gives them a level of comfort. The good thing from our perspective, in the security perspective, is now things are being fixed earlier in the dev cycle as they're getting the sandbox code, so when we get to the release candidate there's actually fewer bugs. If it's was fine except for earlier fixing stuff earlier, and many, you know, manual steps are now replaced with automated steps, and also we were able to do this much more efficiently, which is important as you work towards, you know, a CI/CD sort of model, which we're not at today. We're going to couple-week sprints, but eventually, you know, so automation is key there.

That's right, so the question is from sandbox objectives that we're not capturing Memphis about. Yeah, so flaws that we find there are only developers, you know, so they can fix them, and that way the business doesn't have to see them. You know, we think that's fair. I mean, they can fix it beforehand, like why do they need to be game to that. Not that they didn't gain any benefit that it gives them a level of; developers really like the sandboxing they do.

Okay, so the last phase, right now, this is kind of 2014, but how do we scale this? And how do we, you know, how do we take what we're doing in our team and like meet other people do that so that we can focus on more strategic long-term things? How do we build security expert and you know rodents name written companies grown or the way the engineering position is wrong. So our team was started getting a little bit stretched. We realized at this point that the culture was right to just scale security expertise to be on the team, and we thought was, all right, let's find some
volunteers on each team to be like a security you know they didn't have a name yet but security ambassador security champion someone who is developers that wants to learn more about security add it to the resume take some additional accountability learn some skills and just you know they're interested in doing it so there were no prereqs to volunteer and then you had to have an interest in the topic and we were asking for maybe a couple extra out of you know more than that specifically because we wanted people to actually raise their hand this time so the goals of this program initiatives were number one or scale the SDLC by inventing security into each team rather than having it be an externality you have the research team which is nothing better having those people will be the conscience the security lawton so as they're working on their stand-ups or working with their teams if you thinking kind of all the time what would you know what we're Kris think about this what would it be Narayan think about this because we're not always there and it's good they have somebody asking those questions all the time other programming to provide opportunities for collaboration between research and engineering on new security initiatives it would encourage the teaching and learning aspect that I said before suppose to represent so give us more opportunity to teach security skills as part of completely so this is not a thing that you just show up to work and send an email out and say hey we're doing this now we sound while socializing the concept with every single engineering manager engineering meeting because we're gonna be asking for that's fine the developers time right you're gonna just take two hours some one time so it's time for week and not look at the engineering manager now so we socialize it with you know the VP's and the tech leaves a lot of people and then he put out an email asking for volunteer and describe what we're asking for I had a bet with one of the 
development leaders lesson we're never gonna have a lot of trouble people are not gonna sign up for this this is going to be like top he's like we know everyone's next I went to this he was right we had about somewhere between 15 and 20 people sign up with far exceeded expectations we took all over because why not let's good to how we were done and see especially because scrum teams as I mentioned couldn't reform all the time we can discover you have one person per team if they decided to move through different team now you about me terminal first horrible is exploited to our world like hey here's what we do as food people and just some general education so we sent them off to a little security conference it was pretty cheap and immerse them in the world have intense the technical talks just kind of hear about the attack and defense and the types of issues that we deal with we didn't give them any particulars yet it just says go go to something sounds interesting come back and we're all nothing being and once they do a five-minute version of your favorite talk so that was a good way to kick it off and have people need to realize at least you know content at one talk and then come back and share that hello it wasn't that hard to teach I mean you're attending every security ruling means that we do so we don't going to do anything yet just show up listen to the other security architect to talk to talk to the product owner listen to the questions and they're asking the things that they're poking them on what is it that you know makes it something you have to do a design review what are those things one of those criteria those triggers so this when you can listen and then the other thing that we did to kind of keep people engaged in a way that was not too much of a commitment with meetups and drop-in times each week where we just have kind of a communal kitchen so we said hey it started out twice a week for like two hours just drop in time come whenever you want so 
we're gonna work on public CTFs as a group so there were a lot of turns out now just as conferences but at the time we were gonna call Happy Easter it was in April and there's like 30 different challenges that you can do very short just as CTS tend to be ranging from aspects and network security to a person to crypto and whatever you want so not just weather point us play to come for two hours they can under 30 minutes to meet amount of all no commitment and you know no to records at learning from one game to the next but they could come down they could sit there and work with their peers have called security people to ask questions to us a struggle and it wasn't really well we had a lot of people will show up to those interestingly not just the security champions but just like other random people from the company they'll just start showing up these we have a whole services team that you know it's kind of a fun customer-facing arm the company we are some that show up sales engineer show up analyst what the so it's not huge high-volume every time but we had we have some regulars but some people just drop in minutes and that's exactly what it's designed to people so that was good that's been a lot more then q3 q4 we gave them actual goals we gave them things that they actually needed to do it we work with them and yes I actually cook that X in goal on the back in terms of their annual reviews so they had you know they had their global engineering goals and then they had a security champion goal and as we're going through the annual performance review thoughts now that actually being measuring stuff she goes flexible against that is socialized mcmenamy's accuse me they were tasked with taking over just the cooking and the Tigers of creating the security subtasks that we associated with each story now they want just listening they were the one that actually to listen and meet the jurist stuff we still have a rich research person there as a safety blanket in case they 
didn't know all the answers which they didn't but they were the ones getting kind of the muscle memory of how to do this in memory but before we wanted to set them loose on the grooming themselves so they would be able to do all the security grooming meetings without the security person in the room at all and the way they were able to do that was we asked you to go back look at all the security subtext over the past year and look for the patterns what why did these 18 stories need code reviews oh well this here's the common thread and we've asked them to do that because it was different for every team that we work with there's no there's no generic list I can't give you a list that says here are the things that you look for bit of booty because it's very specific to the pup we asked them to do that they all came up with the checklist and now with the exception of I think one team they're all security champions are doing their own group and you can focus on other things so that's pretty cool that's where we are kind of at this the process of building bowls for them coming there which would include things like ramping up on doing some of them some of you work themselves the code reviews can to some extent we turn into checklists that they understand in the context and basically working on some the tasks that we would typically do with our guidance with with the end goal being let's turn elliptic let's turn over a lot of stuff to them by the end of the year we haven't set those cool you milestone gentlemen in the process of doing that that I thought was interesting there's further note here if you remember back in September there was this announcement at Microsoft saying that they were they were basically disbanding possibly computing and we decided connection over that because the way that Spain recorded and really what it was if you think about it is they just said we're gonna take this movie people with this previously a centralized team and we're gonna push the 
expertise out into various product scenes which sounds very much like security champions except for the fact that you're taking an existing security expert and putting them down as opposed to taking developers and throwing them in disturbance but the idea you have that embedded security expertise on the team is to me what it sounds like they're doing so I thought that was interesting because it as we were going through this exercise during the year they they kind of having the same epiphany I guess and I don't know if that was because of scrum or it was just because of a move to more frequent releases but it was interesting nonetheless alright so we'll do challenges and to Karen's so cleared a lot of challenges along the way hasn't been completely rosy and that's compressed about several years worth now into forty minutes at the beginning was really difficult to get some of the New York run team especially to take the process seriously we're security company but we're also still company full of engineers that don't always come from scrum background so you think it would be maybe easy but if it's it's not used to that early on there was some wrote development work by bromine delicious I just mean sometimes developers would taken upon themselves to do work that wasn't that hasn't been taken into the sprint basically get over achieving their rating the backlog and doing stuff before it was the foot was meant to be done and that was pretty cool except but we didn't have any visibility into it and so we couldn't review it so we don't know that was happening and it's kind of an ongoing battle between scrum rigor and pragmatism so what I mean by that is you're not supposed to you know the real world perfect world was supposed to have people fully committed to this from teams we can't afford to do that I can't put a security expert on each of 15 different functions whose photo didn't mrs. 
Bute champions but initially we didn't have that and we've got a little bit of pushback saying that hey you should fully commit to this you should be a member of this team but quit how do we either put something on your team if you want to give me that rack and nobody gave me the rack so we had it you know we had to ask for some flexibility without getting too much invested because of time combat teams some teams decided they wanted with Kanban the strong that creates a whole set of problems on its own isn't that is a structure that has wronged us and in particular this particular team was a sort of plug sustained Euler maintenance team so it has higher turnover and assigning the security champion to that is harder because the point is you work on this particular team for a little while then you kind of do advance you know we're moving force continues deployment want to be able to deploy more often than monthly which is what we do now I don't think it's ever going to be 50 deploys a day you know we're not FC nor nor do we need to be I will look at sort of things that those companies do but I think our customers expects us a level of security river from us that's very different from what they would expect from a consumers visit excited but we're did a lot of lessons that we have to learn from there we are going to speed up so we have to figure out how to do that this year as we get security champions rolled out with unity building more security libraries internally so not just code review guidelines but hey we wanted to trick them here's a library use here's the miracle specific encoding libraries for these various situations that correspond to you know user IDs or whatever the case may be for our particular product and so that will also make it easier for the security champions to take on the code of you because they can just check if there isn't something that's approved or not it's not going to completely take away to dependence on a strong security team but I 
think that the checklist style approach gives you a really solid baseline and start from and they cover 80% and you know you escalate to do the more seasoned experts who remain with it this is yet to be seen so we'll see how it goes that's kind of where we are right now and by Mike huff I have 12 minutes but by your o'clock you you gave me a five minute sign let's go so what's the deal so I thought do not have till 4:00 oh okay okay what I'm gonna do is on your taste we'll take a few questions okay I've a few questions and now wrap up at the end so I have some conclusion slides but the actual takeaways but let me take a few minutes of questions now yeah the questions on incorporating the detective iske management into scrum um yeah I would say that the extent that we do that in work things are having a very tactical level so we're doing like we're doing like lightweight drop modeling for new digital stories and things like that but if you talk about your actual real you know business risk management that doesn't come into the day-to-day so much I mean I don't know that may vary from place to place but we're focused more on one of these individuals towards the building with one of the security risks inherent at that what do we need to throttle but not not sort of like leveling up that risk so as we transfer as we transition responsibility for my routine to discourage champions who took ownership of visit mrs. 
right we still take ownership of that we have kind of a lead for that we do some sampling so even though they're the ones doing it we'll go and we'll look at the backlog and let's kind of just take a quick glance to see if we we see that they missed anything also they know that they have a question on something to not just make a guess I mean escalate this you know for us is just like making a phone call it's in an email and escalate it to us and we'll help answer that so there's there's not a we're not completely we're not sending them out there with no statement yeah we should be all share kind of I mean this kind of part of school anyways I kind of built eeper for everything so yeah we saw we saw all of that so their manager is the one that signs up so we said the goals in who's responsible for evaluation so we set the goals communicates the managers to make sure that they felt it was reasonable and then as we've gone through evaluation process this year we do in January those management says back out to me and the personal monies product security to ask have it fulfill Kevin as this person fulfilled these goals so it's just you know we could say yes or no we can give them additional insight so we're evaluating them but the managers a lot of time you select the value from the top down the manager didn't was the manager at so the manager was we came we weren't email saying like here's the q3 called here's the q4 goal can you please put this into success factors for your people that are doing this and they did it so they didn't take anything away they just added that goal no is this a small I mean it's a couple hours in the week it's not it wasn't a big deal they thought it was reasonable they wouldn't have done it this and notices we can't have people to do this like that's what we socialize it so heavily they were located yeah yeah so you automatically tickets any minute false positives we have same way that we did before if the developer felt there was a it was 
a false positive they could you know they would raise it he didn't touch something in there anything you know tagged me or texted me on my team say hey did you think about this I think you know just assume you've entrusted in fact we posted you know they do the same thing that we're just doing a different place than others those doing it in our analysis platform so same same process just different so I didn't know the mix that was in the other room so I do this talk there's 30 people and I've also done it for me development and give them different advice at the end because obviously these different projects you can I didn't know what the mix is gonna be here so you get the developer advice on this side security person's advice on this side and if you're kind of a mixture then you take both so developers whilst our students learn the development tools and processes though add another system for them to do play if they used to use Europe these values rels they use whatever figure out how to do your stuff and the confines of look they're already using and kind of developer standpoint helps them like they don't know your tools if they have a question about you know could we is it possible to the you know a legal thing here or how can we do a dashboard like help them do that so that you can not have to learn more tools it's in everybody's best interest take the existing stuff you have the existing in augment or you can for developers view security as polity sort of take a risk-based approach not anything that's critical which is the sort of the same thing that I say is people security bugs are just bugs some of them can be high priority but they're just bugs in computer those bugs and be reasonable not everything is critical don't know don't throw spit every little thing it's not going to help you regain credibility if your Belfer you don't understand the smile on a slot sessions expects the security team to be super responsive about everything and make sure they 
understand why the agile it's not always second nature to security also they need another channel you do things quicker we expect responses we you know this is can't be blocked you know that sort of thing and the security teams communicate this over communicator can make it way more than you need to be insanely responsive to developer needs even though that seems hard but if you're trying to build support for bringing security into something and it enables going to be you this more work like be willing responses be over communicative that really works well present learn the Harvard developers be flexible we talked about that Alba team scrum rigor and pragmatism accept the fact that you may not be able to have some on your team and find the understanding huh 30% have a little empathy understand that you know how did all before that why do you want how they're motivated understandings Sloane process really well helps helps with that but just you know put yourself in their shoes for a little bit and as you're asking me to do stuff just defer know just having with you I can't decide that no developers remember that you are the same team you know look at the same company usually the sentence is written they're not there he's getting away they don't like being the bad guy they don't they just want to ship secure products assume that everything in the conversation that you understand understand why you're telling me now ask learn a little bit about whatever they understand you know what happens when a simple injection is exploited understand its impact and then the security Bowl don't just say no of everything figure out how to say yes it's your job not to shut things down there's your job to help the dev teams innovate in a secure way so don't lengthen that perception the security is just there to get in the way yeah raise above that do what you can to help them go fast they care about security but they also care about scalability imaging ability and usability and 
performance and deadlines in other words now the last one it's just the same for both if you go back to the tennis the main tenets of scrum is it's always the evaluating to customize the approach nobody's gonna be able to go back and take even our most recent pace what we're doing there and apply it to your to your companies you you're gonna have to customize that to specific teams and the products that they're building they'll always be evaluating always be trying to figure out what you can do better and how you customize that to have your organization works with any importance so strong is all about constant evaluation so that's it I hope you take away from this that security can work alongside agile and young effectively and you know build a partnership whichever side you're on build a partnership remember you're on the same team and hopefully that way security doesn't thank you

Keep your eSignature workflows on track

Make the signing process more streamlined and uniform
Take control of every aspect of the document execution process. eSign, send out for signature, manage, route, and save your documents in a single secure solution.
Add and collect signatures from anywhere
Let your customers and your team stay connected even when offline. Access airSlate SignNow to Sign California Banking Word from any platform or device: your laptop, mobile phone, or tablet.
Ensure error-free results with reusable templates
Templatize frequently used documents to save time and reduce the risk of common errors when sending out copies for signing.
Stay compliant and secure when eSigning
Use airSlate SignNow to Sign California Banking Word and ensure the integrity and security of your data at every step of the document execution cycle.
Enjoy the ease of setup and onboarding process
Have your eSignature workflow up and running in minutes. Take advantage of numerous detailed guides and tutorials, or contact our dedicated support team to make the most out of the airSlate SignNow functionality.
Benefit from integrations and API for maximum efficiency
Integrate with a rich selection of productivity and data storage tools. Create a more encrypted and seamless signing experience with the airSlate SignNow API.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Award-winning eSignature solution

be ready to get more

Get legally-binding signatures now!

  • Best ROI. Our customers achieve an average 7x ROI within the first six months.
  • Scales with your use cases. From SMBs to mid-market, airSlate SignNow delivers results for businesses of all sizes.
  • Intuitive UI and API. Sign and send documents from your apps in minutes.

A smarter way to work: how to industry sign banking integrate

Make your signing experience more convenient and hassle-free. Boost your workflow with a smart eSignature solution.

How to eSign & fill out a document online

Document management isn't an easy task. The only thing that makes working with documents simple in today's world, is a comprehensive workflow solution. Signing and editing documents, and filling out forms is a simple task for those who utilize eSignature services. Businesses that have found reliable solutions to help me with industry sign banking california word secure don't need to spend their valuable time and effort on routine and monotonous actions.

Use airSlate SignNow and help me with industry sign banking california word secure online hassle-free today:

  1. Create your airSlate SignNow profile or use your Google account to sign up.
  2. Upload a document.
  3. Work on it; sign it, edit it and add fillable fields to it.
  4. Select Done and export the sample: send it or save it to your device.

As you can see, there is nothing complicated about filling out and signing documents when you have the right tool. Our advanced editor is great for getting forms and contracts exactly how you want/need them. It has a user-friendly interface and complete comprehensibility, offering you full control. Sign up right now and begin increasing your eSign workflows with highly effective tools to help me with industry sign banking california word secure online.

How to eSign and fill documents in Google Chrome

Google Chrome can solve more problems than you can even imagine using powerful tools called 'extensions'. There are thousands you can easily add right to your browser called ‘add-ons’ and each has a unique ability to enhance your workflow. For example, help me with industry sign banking california word secure and edit docs with airSlate SignNow.

To add the airSlate SignNow extension for Google Chrome, follow the next steps:

  1. Go to Chrome Web Store, type in 'airSlate SignNow' and press enter. Then, hit the Add to Chrome button and wait a few seconds while it installs.
  2. Find a document that you need to sign, right click it and select airSlate SignNow.
  3. Edit and sign your document.
  4. Save your new file to your profile, the cloud or your device.

Using this extension, you prevent wasting time on monotonous actions like saving the document and importing it to an eSignature solution’s collection. Everything is close at hand, so you can quickly and conveniently help me with industry sign banking california word secure.

How to eSign forms in Gmail

Gmail is probably the most popular mail service utilized by millions of people all across the world. Most likely, you and your clients also use it for personal and business communication. However, the question on a lot of people’s minds is: how can I help me with industry sign banking california word secure a document that was emailed to me in Gmail? Something amazing has happened that is changing the way business is done. airSlate SignNow and Google have created an impactful add on that lets you help me with industry sign banking california word secure, edit, set signing orders and much more without leaving your inbox.

Boost your workflow with a revolutionary Gmail add on from airSlate SignNow:

  1. Find the airSlate SignNow extension for Gmail from the Chrome Web Store and install it.
  2. Go to your inbox and open the email that contains the attachment that needs signing.
  3. Click the airSlate SignNow icon found in the right-hand toolbar.
  4. Work on your document; edit it, add fillable fields and even sign it yourself.
  5. Click Done and email the executed document to the respective parties.

With helpful extensions, manipulations to help me with industry sign banking california word secure various forms are easy. The less time you spend switching browser windows, opening accounts and scrolling through your internal data files looking for a document, the more time you have for other essential activities.

How to securely sign documents in a mobile browser

Are you one of the business professionals who’ve decided to go 100% mobile in 2020? If yes, then you really need to make sure you have an effective solution for managing your document workflows from your phone, e.g., help me with industry sign banking california word secure, and edit forms in real time. airSlate SignNow has one of the most exciting tools for mobile users. A web-based application. help me with industry sign banking california word secure instantly from anywhere.

How to securely sign documents in a mobile browser

  1. Create an airSlate SignNow profile or log in using any web browser on your smartphone or tablet.
  2. Upload a document from the cloud or internal storage.
  3. Fill out and sign the sample.
  4. Tap Done.
  5. Do anything you need right from your account.

airSlate SignNow takes pride in protecting customer data. Be confident that anything you upload to your account is protected with industry-leading encryption. Automated logging out will shield your user profile from unauthorized entry. help me with industry sign banking california word secure from your phone or your friend’s phone. Protection is key to our success and yours to mobile workflows.

How to sign a PDF with an iOS device

The iPhone and iPad are powerful gadgets that allow you to work not only from the office but from anywhere in the world. For example, you can finalize and sign documents or help me with industry sign banking california word secure directly on your phone or tablet at the office, at home or even on the beach. iOS offers native features like the Markup tool, though it’s limiting and doesn’t have any automation. Though the airSlate SignNow application for Apple is packed with everything you need for upgrading your document workflow. help me with industry sign banking california word secure, fill out and sign forms on your phone in minutes.

How to sign a PDF on an iPhone

  1. Go to the AppStore, find the airSlate SignNow app and download it.
  2. Open the application, log in or create a profile.
  3. Select + to upload a document from your device or import it from the cloud.
  4. Fill out the sample and create your electronic signature.
  5. Click Done to finish the editing and signing session.

When you have this application installed, you don't need to upload a file each time you get it for signing. Just open the document on your iPhone, click the Share icon and select the Sign with airSlate SignNow button. Your file will be opened in the application. help me with industry sign banking california word secure anything. In addition, using one service for all of your document management needs makes things faster, better and cheaper. Download the app today!

How to eSign a PDF document on an Android

What’s the number one rule for handling document workflows in 2020? Avoid paper chaos. Get rid of the printers, scanners and bundlers curriers. All of it! Take a new approach and manage, help me with industry sign banking california word secure, and organize your records 100% paperless and 100% mobile. You only need three things; a phone/tablet, internet connection and the airSlate SignNow app for Android. Using the app, create, help me with industry sign banking california word secure and execute documents right from your smartphone or tablet.

How to sign a PDF on an Android

  1. In the Google Play Market, search for and install the airSlate SignNow application.
  2. Open the program and log into your account or make one if you don’t have one already.
  3. Upload a document from the cloud or your device.
  4. Click on the opened document and start working on it. Edit it, add fillable fields and signature fields.
  5. Once you’ve finished, click Done and send the document to the other parties involved or download it to the cloud or your device.

airSlate SignNow allows you to sign documents and manage tasks like help me with industry sign banking california word secure with ease. In addition, the security of the info is top priority. Encryption and private web servers are used for implementing the newest features in data compliance measures. Get the airSlate SignNow mobile experience and operate more efficiently.

Trusted eSignature solution: what our customers are saying

Explore how the airSlate SignNow eSignature platform helps businesses succeed. Hear from real users and what they like most about electronic signing.

5
anonymous

This service is really great! It has helped us enormously by ensuring we are fully covered in our agreements. We are on a 100% for collecting on our jobs, from a previous 60-70%. I recommend this to everyone.

5
Susan S

I've been using airSlate SignNow for years (since it was CudaSign). I started using airSlate SignNow for real estate as it was easier for my clients to use. I now use it in my business for employment and onboarding docs.

5
Liam R

Everything has been great, really easy to incorporate into my business. And the clients who have used your software so far have said it is very easy to complete the necessary signatures.

Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.

How do I add an electronic signature to a Word document?

When a client enters information (such as a password) into the online form on , the information is encrypted so the client cannot see it. An authorized representative for the client, called a "Doe Representative," must enter the information into the "Signature" field to complete the signature.

How to sign pdf on laptop?

How can i create a pdf on my laptop? How to download pdf on computer? I can't find a pdf on my computer. I can't download pdf in my computer. I want to create pdf on my computer. How to create pdf on computer? How to download pdf on computer? How to create pdf on computer? How to create pdf on laptop? How to make a PDF in windows? How to make a pdf files in windows? I want to create pdf in windows? I can't create pdf files in windows! I am a user who can't make the pdf files.

How to sign a pdf on my phone?

The first step is to download the official pdf from the official website of the government and then open or print it. Then, you can print the page. There is a special program that works on most mobile devices; it has an "auto-print" function. What is the difference between the National Assembly and parliament? The National Assembly is the lower house of parliament, which is the first and largest of the bicameral (two houses) legislative assemblies of Venezuela. The Parliament, the legislative body, is the second bicameral (two houses) legislative assembly, which is the most important of the three bicameral (two houses) legislative assemblies of Venezuela. In Venezuela, the National Assembly is the lower house and the national legislative body. The National Assembly does most of the governing tasks in the country, while the National Assembly also has the legislative powers to legislate (pass laws) for a few important issues (immigration, justice, public security, etc.)