The Internet is full of insecure applications that cost organizations time and money and damage their reputations when their systems are compromised. We need to build secure applications as never before. At the same time, Agile software development practices are moving into the mainstream because they offer companies a faster path to getting their software into the hands of their customers. While security and agility may appear to be natural opposites that don’t mix well, they don’t need to be. Learn how to integrate application security practices into your Agile practices in a way that doesn’t compromise either. Join Tom to explore real-world examples of secure application development practices integrated into the regular cycle of iterative development used in Agile projects. Learn to marry Agile development with application security practices in a way that best leverages the strengths of both.


Outline/Structure of the Talk

Factoring Application Security practices into an agile development process, including:

  • Threat Modeling
  • Risk Analysis
  • Pen Testing
  • Security Stories
  • Secure Code Review
  • Defensive Coding and Design
  • Secure Testing
    – Static Code Analysis
    – Automated Security Testing

Learning Outcome

Interactive discussion of how to incorporate application security practices into sprint- or iteration-based Agile practices. Based on the experience of integrating application security and Agile on several projects, we will talk about what works, what doesn’t work, and what challenges need to be overcome in order to get the required value out of application security practices while maintaining the integrity and feedback cycles Agile practitioners have come to expect. The takeaway materials will include concrete release and sprint milestones that can be directly adopted in order to start incorporating application security right away.

Target Audience

Software Developers, Architects and Project Managers


Submitted 5 years ago

  • Tommie Adams

    The Zombie Retrospective - presented by Tommie Adams

    45 Mins

    So they say the retrospective is one of the strongest and most powerful tools in the agile scrum methodology tool kit, and is often overlooked or skipped. So how does a scrum master find ways to creatively explain and express the importance of this agile scrum ceremony, or even the basics of agile scrum in general? How does the scrum master explain the importance of banding together as a team in this brave new agile scrum world? In many organizations nowadays, the teams are even made up of outside vendors as well as in-house associates. So how do you even start to pique the interest and convey the importance of team collaboration to a bunch of folks who are strangers to one another on an agile scrum team? Even more specifically, how do you explain how the retrospective ceremony will help improve the way they work with one another over time?

    My answer: ZOMBIES!!! Everyone loves zombies, right? So come, take a bite!

    Tommie works for Marriott International in Bethesda, MD. His background is in theater and communication, which he studied at Grinnell College in Iowa. He has worked for Marriott International for 26 years, with jobs ranging from reservation sales associate, to group sales manager, to functional IT tester, to his current position as scrum master for the Marriott Rewards Agile Scrum Team. A native of Omaha, Nebraska, his hobbies include photography, cello and learning the ukulele (you know, in case you were curious).

  • Max Saperstone

    Max Saperstone - Test Automation Strategies and Frameworks: What Should Your Team Do?

    45 Mins

    Agile practices have done a magnificent job of speeding up the software development process. Unfortunately, simply applying agile practices to testing isn't enough to keep testers at the same pace. Test automation is necessary to support agile delivery. Max Saperstone explores popular test automation frameworks and shares the benefits of applying these frameworks, their implementation strategies, and best usage practices. Focusing on the pros and cons of each framework, Max discusses data-driven, keyword-driven, and action-driven approaches. Find out which framework and automation strategy are most beneficial for specific situations. Although this presentation is tool agnostic, Max demonstrates automation with examples from current tooling options. If you are new to test automation or trying to optimize your current automation strategy, this session is for you.


  • Max Saperstone

    Max Saperstone - Testing with a Rooted Mobile Device

    45 Mins

    Traditional applications are tested through the GUI and through all exposed APIs. However, typical mobile app testing is only done through the front-end GUI. In addition, performance and security details are not readily available from the mobile device. Max Saperstone demonstrates some benefits of testing a native mobile application on a rooted device—one with privileged access control. Although Max does not describe how to root a device, he shares how to access back-end processes and test at this detailed level. He discusses the technical controls made available through a rooted device—together with its auditing, logging, and monitoring—and describes the gathering of additional metrics. Max demonstrates tools for penetration testing, sniffing, and network hacking; shares how to access application data directly; and shows how data security is implemented for the application. Learn how to use the admin rights associated with a rooted device to examine device performance and to simulate interrupts and system faults.


  • Ben Pick

    Ben Pick - Testing for Security: The oft-forgotten aspect of DevOps

    45 Mins

    Agile development and DevOps churn through testing at a rate that is impossible for a human to keep up with. Security tools are often designed to have someone at the helm, targeting the systems and applications or performing time-intensive penetration tests.

    What if there were a way to layer in security as applications are being developed? It is unreasonable to believe that automation can completely replace a knowledgeable security tester, but much of the groundwork and preliminary analysis can be incorporated into the software lifecycle.

    If nothing else, these tools and methods will help prevent completing an application, only to discover security findings that cannot be resolved before release.