Booz Allen Hamilton and Client proprietary and business confidential
June 2016
SECURE AGILE DEVELOPMENT
A TRANSFORMATIVE APPROACH TO SECURE SYSTEMS DELIVERY
MEET OUR PRESENTERS
MARC MURPHY
A Vice President in our Systems Delivery Group, Marc is an expert in Agile software development services, ERP, and AWS cloud operations. Prior to joining Booz Allen, Marc served as CEO of SPARC, where he oversaw all business and operations conducted in concert with several Department of Defense contracts. He was also formerly a partner in Deloitte's DoD/Federal group and served as an Officer in the U.S. Army.

RYAN SKOUSEN
A Chief Engineer at Booz Allen, Ryan leads the development and maintenance of a DoD Big Data analytic platform focused on exploitation of unstructured data under the Joint Improvised-Threat Defeat Agency (JIDA). Ryan's experience ranges from software development, Linux systems administration, and big data management to information security and Certification and Accreditation under both RMF and ICD 503. Ryan applies these different disciplines to deliver mission-focused, operational systems to the field.

BOB WILLIAMS
A Chief Scientist at Booz Allen, Bob is a leader, architect and hands-on engineer specializing in building application frameworks and development platforms, building teams, and architecting scalable, robust, data-intensive systems in accordance with FIPS, NIST and OWASP compliance requirements. Prior to joining Booz Allen, Bob served as CTO of SPARC, where he provided vision, strategy and direction to the Engineering organization.
WHAT'S THE CHALLENGE?
How can we adopt modern development practices, and transform a federal agency's delivery model, without sacrificing information assurance and system security controls?
THREE PILLARS OF SECURE AGILE DEVELOPMENT
1. MISSION UNDERSTANDING
2. TECHNICAL ACUMEN AND INNOVATION
3. "SECURE FIRST" CULTURE

Mission understanding: When developing any system, security requirements and controls can't be segmented from technical requirements. There must be a deep understanding of how these security requirements complement the capability requirements for the system under development.

Technical acumen and innovation: Expertise in how security is incorporated, tested, and monitored as part of DevOps methods (continuous deployment, infrastructure as code, containerization, continuous diagnostic monitoring) is critical to increasing velocity with confidence.

"Secure first" culture: A deliberate organizational change approach, led by experienced professionals, is required to transform an agency's delivery model. This is the difference between "Doing Agile" and "Being Agile".
CHECKLIST: SECURE AGILE DEVELOPMENT
MISSION UNDERSTANDING
• Is security talent embedded within teams, and is each team member, from developer to security professional, "security intelligent"?
• Are software security fundamentals implemented, such as user authentication, access controls, and protection against known attack vectors?
• Does the development team have an understanding of current and impending regulatory security requirements (e.g. Risk Management Framework, ICD 503, DISA STIG, US-CERT)? Have these requirements been captured as technical stories and applied to sprints?
• Does the development team have an understanding of agency-specific SDLC governance models (e.g. VA's Veteran Integration Process, DoD 5000) and how modern methods and tooling can be leveraged to meet these requirements with agility?
CHECKLIST: SECURE AGILE DEVELOPMENT
TECHNICAL ACUMEN
• Are automated security scans included as part of Continuous Integration for each code commit, providing a transparent, real-time view of the security posture?
• Does your security strategy address vulnerabilities across the entire technology stack, including containers, network, firewalls and operating system?
• Have automated security test scripts been developed and executed to verify security features such as authorization, authentication, field-level validation, and PII/PHI compliance?
• Does the configuration of security components such as the perimeter firewall and Intrusion Detection / Prevention System (IDS/IPS) follow the same provisioning and configuration model as the application servers?
• As part of the DevOps process, is dynamic network monitoring in place to actively discover vulnerabilities or active attacks?
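As an added example (not from this deck or Booz Allen's tooling), here is one shape the first checklist item can take: a per-commit gate that reads scanner output in SARIF 2.1.0 form, summarises the posture for an information radiator, and blocks the commit on new, unsuppressed error-level findings while still reporting pre-existing ones. The scanner output, tool name and rule ids are constructed placeholders.

```python
"""CI security gate over SARIF scanner output (added example, not vendor code)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SARIF "level" values ranked so a fail threshold can be compared against them.
SEVERITY_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


@dataclass
class Finding:
    rule_id: str
    level: str
    message: str
    location: str
    is_new: bool        # SARIF baselineState == "new": introduced by this commit
    suppressed: bool    # carries a SARIF suppression (accepted risk / false positive)


# Constructed SARIF 2.1.0-shaped output standing in for a real scan of one commit.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL statement built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}],
             "baselineState": "new"},
            {"ruleId": "WEAK-HASH-002", "level": "warning",
             "message": {"text": "MD5 used for password storage"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}],
             "baselineState": "unchanged"},
            {"ruleId": "DEBUG-003", "level": "error",
             "message": {"text": "Debug endpoint enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/routes.py"},
                 "region": {"startLine": 88}}}],
             "baselineState": "new",
             "suppressions": [{"kind": "inSource",
                               "justification": "only compiled into test builds"}]},
            {"ruleId": "INFO-004", "level": "note",
             "message": {"text": "Consider enabling HSTS"},
             "locations": [],
             "baselineState": "unchanged"},
        ]}]})


def parse_findings(sarif_text: str) -> List[Finding]:
    """Flatten every run's results into Finding records."""
    doc = json.loads(sarif_text)
    findings: List[Finding] = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            locs = r.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine")
                location = f"{uri}:{line}" if line is not None else uri
            else:
                location = "(no location)"
            findings.append(Finding(
                rule_id=r.get("ruleId", "UNKNOWN"),
                level=r.get("level", "warning"),   # SARIF's default level is "warning"
                message=r.get("message", {}).get("text", ""),
                location=location,
                is_new=r.get("baselineState") == "new",
                suppressed=bool(r.get("suppressions")),
            ))
    return findings


def posture_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per level for the posture view; suppressed findings are shown separately."""
    summary = {"error": 0, "warning": 0, "note": 0, "suppressed": 0}
    for f in findings:
        if f.suppressed:
            summary["suppressed"] += 1
        else:
            summary[f.level] = summary.get(f.level, 0) + 1
    return summary


def gate(findings: List[Finding], fail_level: str = "error",
         new_only: bool = True) -> Tuple[bool, List[str]]:
    """Decide whether this commit may merge. Returns (passed, blocking reasons)."""
    threshold = SEVERITY_RANK[fail_level]
    reasons: List[str] = []
    for f in findings:
        if f.suppressed or (new_only and not f.is_new):
            continue
        if SEVERITY_RANK.get(f.level, 0) >= threshold:
            reasons.append(f"{f.level.upper()} {f.rule_id} at {f.location}: {f.message}")
    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_SARIF)
    print("posture:", posture_summary(found))
    passed, why = gate(found)
    print("gate:", "PASS" if passed else "FAIL")
    for reason in why:
        print("  -", reason)
    raise SystemExit(0 if passed else 1)
```

Run with `new_only=False` and `fail_level="warning"` once the backlog of pre-existing findings has been worked down, so the gate tightens as the posture improves.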
CHECKLIST: SECURE AGILE DEVELOPMENT
CHANGE MANAGEMENT
• Is the process of defining, implementing and monitoring security an iterative cycle throughout the development and maintenance lifecycle of the software? Is the team providing constant feedback, re-evaluation, maturation and evolution of secure software?
• Is the project employing Agile coaching to drive organizational or project-level change management?
• Have appropriate organizational resources been allocated to sponsor, measure, and reinforce the implementation of security standards as part of Agile development activities?
• Is the delivery team addressing security concerns as part of traditional Agile ceremonies and practices (e.g. stand-ups, release planning, information radiators, story elicitation)?
AUDIENCE Q & A
LEARN MORE

READ THE FULL WHITE PAPER
Interested in what you heard today? Read the full white paper on Secure Agile Development. You'll receive this after today's meeting.

STAY TUNED FOR OUR PODCASTS
In the coming weeks, we'll be releasing a series of podcasts focused on topics related to Secure Agile Development, including tools and policy.

CHECK OUT OUR OTHER SYSTEMS DELIVERY HIGHLIGHTS
Visit www.boozallen.com/systemsdelivery to learn more about our approach to systems delivery and viewpoints on other technology topics.

Contenu connexe

Tendances

How to use Innovative Architectures for Digital Enterprises
How to use Innovative Architectures for Digital EnterprisesHow to use Innovative Architectures for Digital Enterprises
How to use Innovative Architectures for Digital Enterprises
Capgemini
 
Era of APIs: Why do we need an API strategy?
Era of APIs: Why do we need an API strategy?Era of APIs: Why do we need an API strategy?
Era of APIs: Why do we need an API strategy?
Bala Iyer
 

Tendances (20)

North America Strategic Modernization Exec Forum
North America Strategic Modernization Exec Forum North America Strategic Modernization Exec Forum
North America Strategic Modernization Exec Forum
 
Node: The Integration Fabric of the Future
Node: The Integration Fabric of the FutureNode: The Integration Fabric of the Future
Node: The Integration Fabric of the Future
 
Breaking the deadlock for LOW-CODE on the Dutch market | Swatantra Kumar
Breaking the deadlock for LOW-CODE on the Dutch market | Swatantra KumarBreaking the deadlock for LOW-CODE on the Dutch market | Swatantra Kumar
Breaking the deadlock for LOW-CODE on the Dutch market | Swatantra Kumar
 
Integration: The $100 Billion Opportunity No One Wants to Talk About
Integration: The $100 Billion Opportunity No One Wants to Talk AboutIntegration: The $100 Billion Opportunity No One Wants to Talk About
Integration: The $100 Billion Opportunity No One Wants to Talk About
 
Replace Your Stale Intranet with a Mobile, Social Employee Community
Replace Your Stale Intranet with a Mobile, Social Employee CommunityReplace Your Stale Intranet with a Mobile, Social Employee Community
Replace Your Stale Intranet with a Mobile, Social Employee Community
 
CRM is not enough
CRM is not enoughCRM is not enough
CRM is not enough
 
PCM Vision 2019 Breakout: Quest Software
PCM Vision 2019 Breakout: Quest SoftwarePCM Vision 2019 Breakout: Quest Software
PCM Vision 2019 Breakout: Quest Software
 
How to use Innovative Architectures for Digital Enterprises
How to use Innovative Architectures for Digital EnterprisesHow to use Innovative Architectures for Digital Enterprises
How to use Innovative Architectures for Digital Enterprises
 
Digital Transformation in a World of Connected Devices
Digital Transformation in a World of Connected DevicesDigital Transformation in a World of Connected Devices
Digital Transformation in a World of Connected Devices
 
Era of APIs: Why do we need an API strategy?
Era of APIs: Why do we need an API strategy?Era of APIs: Why do we need an API strategy?
Era of APIs: Why do we need an API strategy?
 
Cwin16 tls-capgemini-business-architecture-open-group-2016
Cwin16 tls-capgemini-business-architecture-open-group-2016Cwin16 tls-capgemini-business-architecture-open-group-2016
Cwin16 tls-capgemini-business-architecture-open-group-2016
 
TURN YOUR DRUPAL INTO A DIGITAL EXPERIENCE PLATFORM (DXP)
TURN YOUR DRUPAL INTO A DIGITAL EXPERIENCE PLATFORM (DXP)TURN YOUR DRUPAL INTO A DIGITAL EXPERIENCE PLATFORM (DXP)
TURN YOUR DRUPAL INTO A DIGITAL EXPERIENCE PLATFORM (DXP)
 
CITRIX IN AMAZON WEB SERVICES
CITRIX IN AMAZON WEB SERVICESCITRIX IN AMAZON WEB SERVICES
CITRIX IN AMAZON WEB SERVICES
 
LANSA, Business Process Integration buyers guide
LANSA, Business Process Integration buyers guideLANSA, Business Process Integration buyers guide
LANSA, Business Process Integration buyers guide
 
What is a Citizen Developer? How Can You Harness the Power of Citizen Develop...
What is a Citizen Developer? How Can You Harness the Power of Citizen Develop...What is a Citizen Developer? How Can You Harness the Power of Citizen Develop...
What is a Citizen Developer? How Can You Harness the Power of Citizen Develop...
 
Build an Application Integration Strategy
Build an Application Integration StrategyBuild an Application Integration Strategy
Build an Application Integration Strategy
 
Low Code Application
Low Code ApplicationLow Code Application
Low Code Application
 
The Business Case for Disaster Recovery
The Business Case for Disaster RecoveryThe Business Case for Disaster Recovery
The Business Case for Disaster Recovery
 
Accelerating SAP transformations with Micro Focus
Accelerating SAP transformations with Micro FocusAccelerating SAP transformations with Micro Focus
Accelerating SAP transformations with Micro Focus
 
Fast Track AIOps Automation with Prebuilt Databots
Fast Track AIOps Automation with Prebuilt DatabotsFast Track AIOps Automation with Prebuilt Databots
Fast Track AIOps Automation with Prebuilt Databots
 

En vedette

Analytical Program Management Infographic
Analytical Program Management InfographicAnalytical Program Management Infographic
Analytical Program Management Infographic
Booz Allen Hamilton
 
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest ChallengesYou Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
Booz Allen Hamilton
 

En vedette (20)

Analytical Program Management Infographic
Analytical Program Management InfographicAnalytical Program Management Infographic
Analytical Program Management Infographic
 
Booz Allen Hamilton's Methodology for Platform Modernization Infographic
Booz Allen Hamilton's Methodology for Platform Modernization InfographicBooz Allen Hamilton's Methodology for Platform Modernization Infographic
Booz Allen Hamilton's Methodology for Platform Modernization Infographic
 
Smart Data Infographic
Smart Data InfographicSmart Data Infographic
Smart Data Infographic
 
The Shifting Economics of Global Manufacturing
The Shifting Economics of Global ManufacturingThe Shifting Economics of Global Manufacturing
The Shifting Economics of Global Manufacturing
 
Inaugural Addresses
Inaugural AddressesInaugural Addresses
Inaugural Addresses
 
Nuclear Promise: Reducing Cost While Improving Performance
Nuclear Promise: Reducing Cost While Improving PerformanceNuclear Promise: Reducing Cost While Improving Performance
Nuclear Promise: Reducing Cost While Improving Performance
 
Military Spouse Career Roadmap
Military Spouse Career Roadmap Military Spouse Career Roadmap
Military Spouse Career Roadmap
 
Examining Flexibility in the Workplace for Working Moms
Examining Flexibility in the Workplace for Working MomsExamining Flexibility in the Workplace for Working Moms
Examining Flexibility in the Workplace for Working Moms
 
Smart Cities – how to master the world's biggest growth challenge
Smart Cities – how to master the world's biggest growth challengeSmart Cities – how to master the world's biggest growth challenge
Smart Cities – how to master the world's biggest growth challenge
 
The True Cost of Childcare
The True Cost of ChildcareThe True Cost of Childcare
The True Cost of Childcare
 
Homeland Threats: Today and Tomorrow
Homeland Threats: Today and TomorrowHomeland Threats: Today and Tomorrow
Homeland Threats: Today and Tomorrow
 
Booz Allen Field Guide to Data Science
Booz Allen Field Guide to Data Science Booz Allen Field Guide to Data Science
Booz Allen Field Guide to Data Science
 
My book: "Virtual Social Networks and Open Innovation: Questioning the RBV"
My book: "Virtual Social Networks and Open Innovation: Questioning the RBV"My book: "Virtual Social Networks and Open Innovation: Questioning the RBV"
My book: "Virtual Social Networks and Open Innovation: Questioning the RBV"
 
Cloud Analytics Playbook
Cloud Analytics PlaybookCloud Analytics Playbook
Cloud Analytics Playbook
 
Data privacy by the numbers
Data privacy by the numbersData privacy by the numbers
Data privacy by the numbers
 
Cyber In-Security II: Closing the Federal Gap
Cyber In-Security II: Closing the Federal GapCyber In-Security II: Closing the Federal Gap
Cyber In-Security II: Closing the Federal Gap
 
The Product Owner’s Universe: Agile Coaching
The Product Owner’s Universe: Agile CoachingThe Product Owner’s Universe: Agile Coaching
The Product Owner’s Universe: Agile Coaching
 
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
Booz Allen Hamilton and Market Connections: C4ISR Survey ReportBooz Allen Hamilton and Market Connections: C4ISR Survey Report
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
 
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest ChallengesYou Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
 
WWAD 2016
WWAD 2016WWAD 2016
WWAD 2016
 

Similaire à Booz Allen Secure Agile Development

A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARYCHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
Chuck Davis
 
dan craig resume
dan craig resumedan craig resume
dan craig resume
Dan Craig
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 

Similaire à Booz Allen Secure Agile Development (20)

Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
Eli Lilly is All In on Salesforce App Cloud. How They Did It and You Can Too!
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARYCHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
CHARLES E DAVIS SailPoint PROFESSIONAL SUMMARY
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Static Application Security Testing technology to Remediate Vulnerabilities
Static Application Security Testing technology to Remediate VulnerabilitiesStatic Application Security Testing technology to Remediate Vulnerabilities
Static Application Security Testing technology to Remediate Vulnerabilities
 
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperSecurity is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 
How to Keep your Atlassian Cloud Secure
How to Keep your Atlassian Cloud SecureHow to Keep your Atlassian Cloud Secure
How to Keep your Atlassian Cloud Secure
 
dan craig resume
dan craig resumedan craig resume
dan craig resume
 
Level Up Web App Security: Start Your Free Trial of HCL AppScan Source
Level Up Web App Security: Start Your Free Trial of HCL AppScan SourceLevel Up Web App Security: Start Your Free Trial of HCL AppScan Source
Level Up Web App Security: Start Your Free Trial of HCL AppScan Source
 
All-In-One Security: Visibility, Risk Management. Versatile, Scalable, Deploy...
All-In-One Security: Visibility, Risk Management. Versatile, Scalable, Deploy...All-In-One Security: Visibility, Risk Management. Versatile, Scalable, Deploy...
All-In-One Security: Visibility, Risk Management. Versatile, Scalable, Deploy...
 
Embedding Security in IT Projects
Embedding Security in IT ProjectsEmbedding Security in IT Projects
Embedding Security in IT Projects
 
How to Become a Security-Minded Admin
How to Become a Security-Minded AdminHow to Become a Security-Minded Admin
How to Become a Security-Minded Admin
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
 

Plus de Booz Allen Hamilton

Plus de Booz Allen Hamilton (18)

Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
Preparing for New Healthcare Payment Models
Preparing for New Healthcare Payment ModelsPreparing for New Healthcare Payment Models
Preparing for New Healthcare Payment Models
 
Immersive Learning: The Future of Training is Here
Immersive Learning: The Future of Training is HereImmersive Learning: The Future of Training is Here
Immersive Learning: The Future of Training is Here
 
Frenemies – When Unlikely Partners Join Forces
Frenemies – When Unlikely Partners Join ForcesFrenemies – When Unlikely Partners Join Forces
Frenemies – When Unlikely Partners Join Forces
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat Briefing
 
Modern C4ISR Integrates, Innovates and Secures Military Networks
Modern C4ISR Integrates, Innovates and Secures Military NetworksModern C4ISR Integrates, Innovates and Secures Military Networks
Modern C4ISR Integrates, Innovates and Secures Military Networks
 
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
 
Women On The Leading Edge
Women On The Leading Edge Women On The Leading Edge
Women On The Leading Edge
 
The Enterprise Integrator - C4ISR
The Enterprise Integrator - C4ISRThe Enterprise Integrator - C4ISR
The Enterprise Integrator - C4ISR
 
Convergence and Disruption in Manufacturing
Convergence and Disruption in ManufacturingConvergence and Disruption in Manufacturing
Convergence and Disruption in Manufacturing
 
ISR Systems Development
ISR Systems DevelopmentISR Systems Development
ISR Systems Development
 
Data is Growing at a Veracious Rate
Data is Growing at a Veracious RateData is Growing at a Veracious Rate
Data is Growing at a Veracious Rate
 
The Power and Importance of Failure in Business
The Power and Importance of Failure in BusinessThe Power and Importance of Failure in Business
The Power and Importance of Failure in Business
 
Bridging Mission and Management: A Survey of Government Chief Operating Officers
Bridging Mission and Management: A Survey of Government Chief Operating OfficersBridging Mission and Management: A Survey of Government Chief Operating Officers
Bridging Mission and Management: A Survey of Government Chief Operating Officers
 
Talent InSight Infographic
Talent InSight InfographicTalent InSight Infographic
Talent InSight Infographic
 
Enterprise Integration Architect
Enterprise Integration ArchitectEnterprise Integration Architect
Enterprise Integration Architect
 
Creating Value in Health through Big Data
Creating Value in Health through Big DataCreating Value in Health through Big Data
Creating Value in Health through Big Data
 
Vampire Tactical Forensic Device - Product Sheet
Vampire Tactical Forensic Device - Product SheetVampire Tactical Forensic Device - Product Sheet
Vampire Tactical Forensic Device - Product Sheet
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Booz Allen Secure Agile Development

  • 1. 0Booz Allen Hamilton and Client proprietary and business confidential 0Booz Allen Hamilton and Client proprietary and business confidential June 2016 SECURE AGILE DEVELOPMENT A TRANSFORMATIVE APPROACH TO SECURE SYSTEMS DELIVERY
  • 2. 1Booz Allen Hamilton and Client proprietary and business confidential MEET OUR PRESENTERS MARC MURPHY BOB WILLIAMS RYAN SKOUSEN A Vice President our Systems Delivery Group, Marc is an expert in Agile software development services, ERP, and AWS cloud operations. Prior to joining Booz Allen, Marc served as CEO of SPARC where he oversaw all business and operations done in concert with several Department of the Defense contracts. He was also a former partner for Deloitte DoD/Federal group as well as served as an Officer in the U.S. Army. A Chief Engineer at Booz Allen, Ryan is leading the development and maintenance of a DoD Big Data analytic platform focused on exploitation of unstructured data under the Joint Improvised-threat Defeat Agency (JIDA). Ryan’s experience ranges from software development, Linux systems administration, and big data management to information security and Certification and Accreditation under both RMF and ICD 503. Ryan applies these different disciplines to deliver mission-focused, operational systems to the field. A Chief Scientist at Booz Allen, Bob is a leader, architect and hands-on engineer specializing in building application frameworks and development platforms, as well as building teams, and architecting scalable, robust, data-intensive systems in accordance to FIPS, NIST and OWASP compliance. Prior to joining Booz Allen, Bob served as the CTO for SPARC where he provided vision, strategy and direction to the Engineering organization.
  • 3. 2Booz Allen Hamilton and Client proprietary and business confidentialBooz Allen Hamilton and Client proprietary and business confidential 2 WHAT’S THE CHALLENGE? How can we adopt modern development practices, and transform a federal agency’s delivery model without sacrificing information assurance and system security controls?
  • 4. 3Booz Allen Hamilton and Client proprietary and business confidential THREE PILLARS OF SECURE AGILE DEVELOPMENT When developing any system, security requirements and controls can’t be segmented from technical requirements. There must be a deep understanding of how these security requirements complement capability requirements for the system under development. Expertise in how security is incorporated, tested, and monitored as a part of DevOps (continuous deployment, infrastructure as code, containerization, continuous diagnostic monitoring) methods is critical to increase velocity with confidence. A deliberate organizational change approach, led by experienced professionals is required to transform an agency’s delivery model - this is the difference between “Doing Agile” and “Being Agile”. MISSION UNDERSTANDING TECHNICAL ACUMEN AND INNOVATION “SECURE FIRST” CULTURE
  • 5. MISSION UNDERSTANDING (Checklist: Secure Agile Development)
    ☐ Is security talent embedded within teams, and is each team member, from developer to security professional, “security intelligent”?
    ☐ Are software security fundamentals implemented, such as user authentication, access controls, and protection against known attack vectors?
    ☐ Does the development team understand current and impending regulatory security requirements (e.g. Risk Management Framework, ICD 503, DISA STIG, US-CERT)? Have these requirements been addressed as technical stories and applied to sprints?
    ☐ Does the development team understand agency-specific SDLC governance models (e.g. VA’s Veteran Integration Process, DoD 5000) and how modern methods and tooling can be leveraged to meet these requirements with agility?
  • 6. TECHNICAL ACUMEN (Checklist: Secure Agile Development)
    ☐ Are automated security scans included as a part of Continuous Integration for each code commit, providing a transparent, real-time view of the security posture?
    ☐ Does your security strategy address the entire technology stack, including secure containers, the network, firewalls, and the operating system, for vulnerabilities?
    ☐ Have automated security test scripts been developed and executed to verify security features such as authorization, authentication, field-level validation, and PII/PHI compliance?
    ☐ Does the configuration of security components such as the perimeter firewall and Intrusion Detection / Prevention System (IDS/IPS) follow the same provisioning and configuration model as the application servers?
    ☐ As a part of the DevOps process, is dynamic network monitoring in place to actively discover vulnerabilities or active attacks?
  • 7. CHANGE MANAGEMENT (Checklist: Secure Agile Development)
    ☐ Is the process of defining, implementing, and monitoring security an iterative cycle throughout the development and maintenance lifecycle of the software? Is the team providing constant feedback, re-evaluation, maturation, and evolution of secure software?
    ☐ Is the project employing Agile coaching to drive organizational or project-level change management?
    ☐ Have appropriate organizational resources been allocated to sponsor, measure, and reinforce the implementation of security standards as a part of Agile development activities?
    ☐ Is the delivery team addressing security concerns as a part of traditional Agile ceremonies and practices (e.g. stand-ups, release planning, information radiators, story elicitation)?
  • 9. AUDIENCE Q & A
  • 10. LEARN MORE
    READ THE FULL WHITE PAPER: Interested in what you heard today? Read the full white paper on Secure Agile Development. You’ll receive this after today’s meeting.
    STAY TUNED FOR OUR PODCASTS: In the coming weeks, we’ll be releasing a series of podcasts focused on topics related to Secure Agile Development, including tools and policy.
    CHECK OUT OUR OTHER SYSTEMS DELIVERY HIGHLIGHTS: Visit www.boozallen.com/systemsdelivery to learn more about our approach to systems delivery and viewpoints on other technology topics.
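The Mission Understanding and Technical Acumen checklists above ask whether authentication, access controls and field-level validation are implemented and whether automated security test scripts verify them on every commit. The following is an added example of what such a test script can look like; it is not code from the presentation or from Booz Allen. The request handler, the `SESSIONS` token store, the `PERMISSIONS` role matrix, the field rules and every test case are hypothetical and constructed for illustration.

```python
"""Automated security-feature checks: authentication, authorization and
field-level validation, run as data-driven test cases so a CI job can
fail the build. Everything here is a constructed, hypothetical example."""
import re
from dataclasses import dataclass, field

# Constructed session store: token -> (user, role). A real system would
# consult a session service or identity provider instead.
SESSIONS = {
    "tok-alice": ("alice", "clinician"),
    "tok-bob": ("bob", "analyst"),
}

# Hypothetical role-based authorization matrix: operation -> roles allowed.
PERMISSIONS = {
    "read_record": {"clinician", "analyst"},
    "update_record": {"clinician"},
}

# Field-level validation rules for the request body. Unknown fields are
# rejected outright and the PII field (ssn) must match the expected format.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
ALLOWED_FIELDS = {"record_id", "ssn", "notes"}
MAX_NOTES_LEN = 500


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def validate_fields(payload):
    """Return a list of field-level validation errors (empty when valid)."""
    errors = []
    for key in payload:
        if key not in ALLOWED_FIELDS:
            errors.append(f"unexpected field: {key}")
    record_id = payload.get("record_id")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(record_id, int) or isinstance(record_id, bool):
        errors.append("record_id must be an integer")
    if "ssn" in payload and not SSN_RE.match(str(payload["ssn"])):
        errors.append("ssn format invalid")
    if "notes" in payload and len(str(payload["notes"])) > MAX_NOTES_LEN:
        errors.append("notes too long")
    return errors


def handle(operation, token, payload):
    """Hypothetical handler: authenticate, then authorize, then validate.
    The order matters: unauthenticated callers never reach the parser."""
    session = SESSIONS.get(token)
    if session is None:
        return Response(401, {"error": "authentication required"})
    user, role = session
    if role not in PERMISSIONS.get(operation, set()):
        return Response(403, {"error": "forbidden"})
    errors = validate_fields(payload)
    if errors:
        return Response(400, {"errors": errors})
    # Echo back only what the caller needs; PII stays out of the response.
    return Response(200, {"ok": True, "record_id": payload["record_id"], "actor": user})


# Security test cases as data: (name, handler arguments, expected status).
SECURITY_CASES = [
    ("missing token is rejected", ("read_record", None, {"record_id": 1}), 401),
    ("unknown token is rejected", ("read_record", "tok-mallory", {"record_id": 1}), 401),
    ("analyst cannot update", ("update_record", "tok-bob", {"record_id": 1}), 403),
    ("clinician can update", ("update_record", "tok-alice", {"record_id": 1, "ssn": "123-45-6789"}), 200),
    ("malformed ssn is rejected", ("update_record", "tok-alice", {"record_id": 1, "ssn": "123456789"}), 400),
    ("unknown field is rejected", ("update_record", "tok-alice", {"record_id": 1, "is_admin": True}), 400),
]


def run_security_tests():
    """Run every case; return (cases_passed, failure_messages) for a CI gate."""
    failures = []
    for name, args, expected in SECURITY_CASES:
        resp = handle(*args)
        if resp.status != expected:
            failures.append(f"{name}: expected {expected}, got {resp.status}")
        elif "ssn" in resp.body:
            failures.append(f"{name}: response leaks ssn")
    return len(SECURITY_CASES) - len(failures), failures


if __name__ == "__main__":
    passed, failed = run_security_tests()
    print(f"{passed}/{len(SECURITY_CASES)} security checks passed")
    for message in failed:
        print("FAIL", message)
    raise SystemExit(1 if failed else 0)
```

Because the cases are plain data, adding a new security story to a sprint means adding a tuple rather than writing a new test, and the non-zero exit status lets a Continuous Integration job block the merge the moment a check regresses.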