Intro
- Can regulators be Agile? Can they keep up?
- Probably not!
Panel Questions
- Microsoft: millennials don’t want to talk to greybeard security experts
- Provide tools, guidance processes to support building things securely
- Rather than being “security police”, the focus should be on supporting teams to build in a secure way
- “Accreditation is what is driving security”
- we’re doing it wrong
- no consensus on what good security looks like in an agile environment
- Technology should be driving security
- If assurance people don’t talk to technology people…
- how do you deal with security stories, which always get leapfrogged?
- microsoft: Default stories get added to every sprint
- Also they make individual teams accountable for when the red team owns their stuff.
- This is maybe not a good idea - doesn’t help to blame devs
- “How easy can we make it to develop security?”
Wrap up question
What single thing could we do to improve security in Agile?
- Resource it: need more people
- Show developers the effects of their decisions
- Collaboration: Devs, security, features, everyone talking the same language
- Kill the IT healthcheck
- it’s driving bad behaviours
- Learn to build software 100X better than currently