Previous Chapter

16. What Does Agile Security Mean?

About the Authors

Index

A

acceptance tests, Acceptance Testing, Acceptance Testing-Serverspec
accidents, STRIDE: A Structured Model to Understand Attackers
- (see also blameless post-mortems)
accreditation and assurance, Accreditation and Assurance Are Dying
Adobe's security "karate belt" program, You Can Build Your Own Security Experts
Agile
- authors’ experiences with, What Does Agile Security Mean?-And Now, We’re Here
- evolution of, Agile: A Potted Landscape-Agile: A Potted Landscape
- general practices, Agile Methods in General-Agile Methods in General
- security requirements (see requirements)
Agile basics (see enabling capabilities)
Agile Manifesto, Agile: A Potted Landscape
Agile principles, Agile: A Potted Landscape-Agile: A Potted Landscape
Agile Test Pyramid, Automated Testing, The Agile Test Pyramid-The Agile Test Pyramid
AirBnB, Using Application Monitoring for Security
alerting and analytics tools, Using Application Monitoring for Security
Allspaw, John, Principles of Effective Security
Amazon, Game Days
Amazon Web Services (AWS), Infrastructure and Operations Requirements
Aminator, Approaches for Building Hardened Systems
Ansible, First, Understand What You Need to Scan, Reviewing Infrastructure Code, Testing Your Infrastructure, Test Kitchen, Approaches for Building Hardened Systems-Network as Code, Shh…Keeping Secrets Secret
anti-personas, Security Personas and Anti-Personas, Attacker Stories: Put Your Black Hat On
Apache Logging Services, Auditing and Logging
APIs
- fuzzing, BDD-Security and ZAP Together, Out-of-Band Testing and Reviews
- scanning, ZAP in Continuous Integration
application attack surface, Your System’s Attack Surface
Application Verification Security Standard (ASVS), Security Stories-Security Stories, Reviewing Security Features and Controls
architecture review, Traditional Application Security Models
architecture teams, Pre-Iteration Involvement
assume compromised, Assume Compromised
ASVS (Application Verification Security Standard), Security Stories-Security Stories, Reviewing Security Features and Controls
attack simulation (see red teaming)
attack simulation platforms, Common Attack Vectors
attack surfaces, Your System’s Attack Surface-Managing Your Application Attack Surface, System Hardening: Setting Up Secure Systems
- managing, Managing Your Application Attack Surface-Managing Your Application Attack Surface
- mapping, Mapping Your Application Attack Surface
- microservices and, Managing Your Application Attack Surface
- reducing, System Hardening: Setting Up Secure Systems
  - (see also hardening)
attack targets, Threats and Attack Targets
attack trees, Attack Trees-Maintaining and Using Attack Trees
attack vectors, Common Attack Vectors-Common Attack Vectors
attack-driven defense, Threat Assessment, Penetration Testing, Using Application Monitoring for Security, A Little Light Bulb
- (see also goal-oriented attack)
attacker stories, Attacker Stories: Put Your Black Hat On-Writing Attacker Stories
attackers, Threat Actors and Knowing Your Enemy
- (see also threat actors)
- thinking like, Thinking Like an Attacker-STRIDE: A Structured Model to Understand Attackers, Get Off the Happy Path
attestation, Certification and Attestation-Certification Doesn’t Mean That You Are Secure
auditing and logging, Auditing and Logging-Auditing and Logging
auditors, Keeping Auditors Happy-Dealing with Auditors When They Aren’t Happy
automated build and test pipeline, Creating an Automated Build and Test Pipeline-Where Security Testing Fits Into Your Pipeline
- continuous delivery and continuous deployment, Continuous Delivery and Continuous Deployment
- continuous integration (CI), Continuous Integration
- creation guidelines, Guidelines for Creating a Successful Automated Pipeline
- nightly builds, Nightly Build
- out-of-band testing and reviews, Out-of-Band Testing and Reviews
- promoting to production, Promoting to Production
automated code reviews, Automated Code Reviews, Automated Code Reviews-Reviewing Infrastructure Code
- developer adoption of, Getting Developers to Use Automated Code Reviews-Getting Developers to Use Automated Code Reviews
- infrastructure code, Reviewing Infrastructure Code
- self-service scanning, Self-Service Scanning-Self-Service Scanning
automated systems, Automation
automated testing, Automated Testing-Automated Testing
autonomy of teams, Self-Organized, Autonomous Teams
availability, Availability: Keeping the Doors Open and the Lights On
AWSpec, Serverspec

B

backlog grooming, Getting Security into Requirements
backlogs, Tracking and Managing Stories: The Backlog
baseline setting, Setting Secure Baselines
BDD (behavior-driven development), Service-Level Testing and BDD Tools-Let’s Look Under the Covers
BDD-Security, BDD-Security, BDD-Security and ZAP Together-BDD-Security and ZAP Together
black-box tests, Penetration Testing
blameless postmortems, Blameless Postmortems: Learning from Security Failures-Blameless Postmortems: Learning from Security Failures, Don’t Play the Blame Game
blamelessness, Don’t Play the Blame Game-Don’t Play the Blame Game
blockers, Stand-ups
blocking, Enable, Don’t Block-Enable, Don’t Block
boundaries (see trust/trust boundaries)
breaches
- continuous compliance and, Continuous Compliance and Breaches
- versus outages, Incident Response: Preparing for Breaches
- preparing for, Incident Response: Preparing for Breaches-Blameless Postmortems: Learning from Security Failures
bug bounties, Common Attack Vectors, Bug Bounties-Are You Sure You Want to Run a Bug Bounty?
- budgeting for, Setting Up a Bug Bounty Program
- communication expectations, Setting Up a Bug Bounty Program
- defining, How Bug Bounties Work
- in-house versus outsourced, Setting Up a Bug Bounty Program
- initial and duplicate submissions, Setting Up a Bug Bounty Program
- ISO 29147 vulnerability disclosure, Are You Sure You Want to Run a Bug Bounty?
- participant recognition, Setting Up a Bug Bounty Program
- payment, Setting Up a Bug Bounty Program
- and pen testers, Setting Up a Bug Bounty Program
- potential drawbacks, Are You Sure You Want to Run a Bug Bounty?-Are You Sure You Want to Run a Bug Bounty?
- program considerations, Setting Up a Bug Bounty Program-Setting Up a Bug Bounty Program
- rewards, Setting Up a Bug Bounty Program
- rules of engagement, Setting Up a Bug Bounty Program
- submissions structure, Setting Up a Bug Bounty Program
bug patterns, Bug patterns
bugBlast, Managing Vulnerabilities
bugs, Dealing with Bugs, If You Got Bugs, You’ll Get Pwned-If You Got Bugs, You’ll Get Pwned
bugs versus flaws, Traditional Application Security Models
build and deployment security, Post-Iteration Involvement-Compliance and Audit Tools
build pipeline capabilities, Build Pipeline
build pipeline security, Securing Your Build Pipeline-Monitor Your Build and Test Systems
- build/test system monitoring, Monitor Your Build and Test Systems
- cloud-based services, Understand What’s in the Cloud-Understand What’s in the Cloud
- configuration manager lockdowns, Lock Down Configuration Managers
- hardening CI/CD tools, Harden Your CI/CD Tools
- hardening infrastructure, Harden Your Build infrastructure
- keys/secrets protection, Protect Keys and Secrets
- log reviews, Review the Logs
- Phoenix Servers, Use Phoenix Servers for Build and Test
- protection of secrets, Shh…Keeping Secrets Secret-Shh…Keeping Secrets Secret
- repo lockdowns, Lock Down Repos
- secure chat, Secure Chat
build/test pipeline (see automated build and test pipeline)
build/test system monitoring, Monitor Your Build and Test Systems
building secure systems (see secure system design)
bulkheads, Perimeterless Security
burn-up/burn-down charts, The Planning Game

C

call-chain dependencies, Managing Your Application Attack Surface
The Center for Internet Security (CIS) Critical Controls checklist, Hardening Standards and Guidelines
certification and attestation, Certification and Attestation-Certification Doesn’t Mean That You Are Secure
change management, Managing Changes in Continuous Delivery-Managing Changes in Continuous Delivery
Chaos Monkey, Catching Mistakes at Runtime
chat tools, securing, Secure Chat
Cheat Sheet on Storing Passwords, Data Privacy
Chef, First, Understand What You Need to Scan, Reviewing Infrastructure Code, Test Kitchen, Approaches for Building Hardened Systems-Automated Hardening Templates, Lock Down Configuration Managers, Use Phoenix Servers for Build and Test, Shh…Keeping Secrets Secret
circuit breakers, Perimeterless Security
CIS-CAT, Automated Compliance Scanning
Clair, Testing Your Infrastructure
cloud hosting, Dealing with Risk, Accepting and Transferring Risks
cloud security protection, Cloud Security Protection
cloud-based services, Understand What’s in the Cloud-Understand What’s in the Cloud
code audits, Code Audits-What Kind of Review Approach Works Best for Your Team?, Secure Code Audit
code complexity analysis, Code complexity analysis and technical debt metrics
code reviews, Traditional Application Security Models, Code Review for Security-Key Takeaways
- 80:20 rule, What Code Needs to Be Reviewed?
- automated, Automated Code Reviews-Reviewing Infrastructure Code
- before committing changes, Before Code Changes Are Committed
- challenges and limitations, Code Review Challenges and Limitations-Finding Security Vulnerabilities Is Even Harder
- checklists, Using Code Review Checklists
- code audits, Code Audits, What Kind of Review Approach Works Best for Your Team?
- coding guidelines, Take Advantage of Coding Guidelines
- data validation, Fundamentals Will Take You a Long Way to Secure, Safe Code
- formal inspections, Formal Inspections, What Kind of Review Approach Works Best for Your Team?
- gated checks before release, Gated Checks Before Release
- for insider threats, Reviewing Code for Insider Threats-Reviewing Code for Insider Threats
- introducing security into, Adopting Secure Code Reviews-Fundamentals Will Take You a Long Way to Secure, Safe Code
- key takeaways, Key Takeaways-Key Takeaways
- mistakes to avoid, Don’t Make These Mistakes
- pair programming, Pair Programming (and Mob Programming), What Kind of Review Approach Works Best for Your Team?
- peer reviews, Peer Code Reviews-What Kind of Review Approach Works Best for Your Team?
- postmortem, Postmortem and Investigation
- purpose of, Why Do We Need to Review Code?
- reviewer criteria, Who Needs to Review Code?-What Experience Do Reviewers Need?
- rubber ducking, Rubber Ducking or Desk Checking, What Kind of Review Approach Works Best for Your Team?
- rules of conduct, How to Review Code
- security features and controls, Reviewing Security Features and Controls
- self-reviews, Rubber Ducking or Desk Checking, What Kind of Review Approach Works Best for Your Team?
- what to review, What Code Needs to Be Reviewed?-What Code Needs to Be Reviewed?
code turnaround, The Only Good Code Is Deployed Code
collective code ownership, Collective Code Ownership, Take Advantage of Coding Guidelines
compensating controls, Compensating Controls
compiler warnings, Compiler warnings
complexity
- in code, Code complexity analysis and technical debt metrics-What Tools Are Good For, and What They’re Not Good For
- in design, Complexity and Security-Complexity and Security
compliance, Compliance, Regulation, and Security Standards, Compliance-Key Takeaways
- as habit, You Can Make Compliance an Everyday Thing
- auditors, dealing with, Keeping Auditors Happy-Dealing with Auditors When They Aren’t Happy
- building into culture, Building Compliance into Your Culture-Dealing with Auditors When They Aren’t Happy
- certification and attestation, Certification and Attestation-Certification Doesn’t Mean That You Are Secure
- and change management, Managing Changes in Continuous Delivery-Managing Changes in Continuous Delivery
- compliance stories, Compliance Stories and Compliance in Stories
- continuous compliance and breaches, Continuous Compliance and Breaches
- data privacy, Data Privacy-Data Privacy
- defined, Compliance and Security
- documentation, More Code, Less Paperwork-More Code, Less Paperwork
- key takeaways, Key Takeaways
- outcome-based (descriptive), Different Regulatory Approaches, Reg SCI: Outcome-Based-Which Approach Is Better?
- proactive approach to, How to Meet Compliance and Stay Agile
- purpose of, Compliance and Security
- risk management and, Risk Management and Compliance-Risk Management and Compliance
- rules-based (prescriptive), Different Regulatory Approaches-PCI DSS: Rules-Based
- versus security, Compliance and Security
- separation of duties and, Dealing with Separation of Duties
- for system hardening, Regulatory Requirements for Hardening
- traceability and assurance within, Traceability and Assurance in Continuous Delivery-Traceability and Assurance in Continuous Delivery
- traceability of changes, Traceability of Changes
compliance and audit tools, Compliance and Audit Tools
compliance requirements, Privacy, Fraud, Compliance, and Encryption
compliance scanning, Automated Compliance Scanning-Automated Compliance Scanning
conditions of satisfaction, Conditions of Satisfaction
confidentiality, Confidentiality: Keep It Secret
configuration drift, Incremental Design and Refactoring
configuration management (CM) systems
- programmable, Infrastructure as Code-Infrastructure as Code
- tool lockdown, Lock Down Configuration Managers
configuration reviews, Configuration Review
Conformity Monkey, Catching Mistakes at Runtime
containers
- attack surface, Managing Your Application Attack Surface
- isolation, Perimeterless Security
- vulnerability, Vulnerabilities in Containers
continuous delivery versus continuous deployment, Release Management, Continuous Delivery and Continuous Deployment
continuous improvement, Continuous Improvement
continuous integration (CI), Continuous Integration, Continuous Integration, Harden Your CI/CD Tools
crypto audits, Crypto Audit-Crypto Audit
crypto requirements, Privacy, Fraud, Compliance, and Encryption
Cryptographic Storage Cheat Sheet, Data Privacy
Cucumber, Let’s Look Under the Covers
culture (see security culture)
custom greps, Custom greps and detectors
CVE (Common Vulnerabilities and Exposures), Managing Vulnerabilities
CVSS and CWSS Scoring Systems, Managing Vulnerabilities
CWE (Common Weakness Enumeration), Managing Vulnerabilities
cyber, defining, There Is an Attacker for Everyone
cycle time, Kanban

D

dark launching, Managing Changes in Continuous Delivery
dashboards, Dashboards-Dashboards
- intervention, Dashboards-Dashboards
- situational awareness, Dashboards-Dashboards
- summary, Dashboards
- vanity, Dashboards-Dashboards
data privacy, Privacy, Fraud, Compliance, and Encryption, Data Privacy-Data Privacy
data validation, Fundamentals Will Take You a Long Way to Secure, Safe Code
debt (see security debt)
Deming, W. Edwards, Kanban
Dependency Check, Securing Your Software Supply Chain
design review, Traditional Application Security Models
design teams, Pre-Iteration Involvement
desk checking, Rubber Ducking or Desk Checking, What Kind of Review Approach Works Best for Your Team?
detection of breaches, Proactive Versus Reactive Detection
detective controls, Detective Controls
deterrent controls, Deterrent Controls
DevOps, What About DevOps?-What About DevOps?
DevOps Audit Defense Toolkit, More Code, Less Paperwork
Dickerson, Chad, Principles of Effective Security
DirtyCow, Traditional Application Security Models
Disciplined Agile Delivery (DAD), Security Sprints, Hardening Sprints, and Hack Days
Docker, Reviewing Infrastructure Code, Testing Your Infrastructure, Use Phoenix Servers for Build and Test
Docker Bench for Security, Testing Your Infrastructure
Docker Security Scanning, Testing Your Infrastructure
documentation, Documenting Security Techniques
domain-driven design, Shared Design Metaphor

E

Elastalert, Using Application Monitoring for Security
electronic backlogs, Tracking and Managing Stories: The Backlog
enablement, Enable, Don’t Block-Enable, Don’t Block
enabling capabilities, Agile Enablers-Operating Safely and at Speed
- automated testing, Automated Testing-Automated Testing
- build pipeline, Build Pipeline
- centralized feedback, Centralized Feedback
- code turnaround speed, The Only Good Code Is Deployed Code
- continuous integration (CI), Continuous Integration
- infrastructure as code, Infrastructure as Code-Infrastructure as Code
- release management, Release Management-Release Management
- visible tracking, Visible Tracking-Visible Tracking
encryption requirements, Privacy, Fraud, Compliance, and Encryption-Privacy, Fraud, Compliance, and Encryption
epics, Agile Requirements: Telling Stories
Etsy, What Code Needs to Be Reviewed?, Monitoring to Drive Feedback Loops-Using Application Monitoring for Security, Game Days, Principles of Effective Security-The Who Is Just as Important as the How, Securgonomics
event logs, Common Attack Vectors
existing model security improvement, Working with Your Existing Agile Life Cycle-Key Takeaways
- enabling agility in, Building Security Teams That Enable-Documenting Security Techniques
- key takeaways, Key Takeaways
- per-iteration rituals, Per-Iteration Rituals-Tools Embedded in the Life Cycle
- planning and discovery tooling, Tooling for Planning and Discovery
- post-iteration involvement, Post-Iteration Involvement-Compliance and Audit Tools
- pre-iteration involvement, Pre-Iteration Involvement
- scaling, What About When You Scale?
- setting secure baselines, Setting Secure Baselines
exploratory testing, A Place for Manual Testing in Agile
exposure to vulnerabilities, We Are All Vulnerable
external reviews, External Reviews, Testing, and Advice-Key Takeaways
- bug bounties, Bug Bounties-Are You Sure You Want to Run a Bug Bounty?
- code audits, Secure Code Audit
- configuration review, Configuration Review
- crypto audits, Crypto Audit-Crypto Audit
- getting your money's worth, Getting Your Money’s Worth-Rotate Firms or Swap Testers over Time
- key takeaways, Key Takeaways
- penetration testing, Penetration Testing-Penetration Testing
- providers/consultant considerations, Choosing an External Firm-Meet the Technical People
- reasons for, Why Do We Need External Reviews?-Why Do We Need External Reviews?
- red teaming, Red Teaming-Red Teaming
- vulnerability assessment, Vulnerability Assessment-Vulnerability Assessment
externalities, Risk Can Be Minimized, Not Avoided
Extreme Programming (XP), Extreme Programming-Shared Design Metaphor
- core concepts, Extreme Programming
- on-site customer, The On-Site Customer
- pair programming, Pair Programming
- planning game, The Planning Game
- Shared Design Metaphor, Shared Design Metaphor
- stories in, Tracking and Managing Stories: The Backlog
- test-driven development, Test-Driven Development

F

failed attack pathways, Red Teaming
failures, learning from, Blameless Postmortems: Learning from Security Failures-Blameless Postmortems: Learning from Security Failures
feature flag, Managing Changes in Continuous Delivery
feedback
- centralized, Centralized Feedback
- in attack-driven defense, Threat Assessment
- in KanBan, Constant Feedback
- in Lean, Lean
- monitoring, Monitoring to Drive Feedback Loops
- out-of-band, Out-of-Band Testing and Reviews
- in scanning, Then Decide How to Scan and How Often
- in Scrum, Scrum Feedback Loops
flaws versus bugs, Traditional Application Security Models
Flickr, Principles of Effective Security
flow, Kanban
formal inspections, Formal Inspections, What Kind of Review Approach Works Best for Your Team?
411 alert management system, Using Application Monitoring for Security
fraud protection, Privacy, Fraud, Compliance, and Encryption
functional testing and scanning, Functional Security Testing and Scanning-Challenges with Application Scanning
functional tests, Automated Testing
fuzz testing (fuzzing), Out-of-Band Testing and Reviews
fuzzing, BDD-Security and ZAP Together

G

game days, Get Your Exercise: Game Days and Red Teaming
Gauntlt, Test-Driven Security, Gauntlt (“Be Mean to Your Code”)-Let’s Look Under the Covers
Git, Before Code Changes Are Committed
GitHub, Understand What’s in the Cloud
goal-oriented attack, Red Teaming, A Little Light Bulb
- (see also attack-driven defense)
golden images, Approaches for Building Hardened Systems
Google, Game Days
Goto fail bug, Reviewing Code for Insider Threats, If You Got Bugs, You’ll Get Pwned, What Unit Testing Means to System Security, Security Has to Start with Quality
government security, Michael’s Story
gray-box tests, Penetration Testing
greps, Custom greps and detectors

H

hack days, Security Sprints, Hardening Sprints, and Hack Days
hacking, Not an Engineer but a Hacker-Let’s Go Faster, The First Time Is Free-The First Time Is Free
Happy Path, Get Off the Happy Path-Get Off the Happy Path
hardening, System Hardening: Setting Up Secure Systems-Automated Hardening Templates, Harden Your Build infrastructure
- approaches to, Approaches for Building Hardened Systems
- automated compliance scanning, Automated Compliance Scanning-Automated Compliance Scanning
- automated templates for, Automated Hardening Templates-Automated Hardening Templates
- challenges with, Challenges with Hardening-Challenges with Hardening
- CI/CD tools, Harden Your CI/CD Tools
- common techniques for, System Hardening: Setting Up Secure Systems
- Linux servers, System Hardening: Setting Up Secure Systems
- regulatory requirements for, Regulatory Requirements for Hardening
- standards and guidelines, Hardening Standards and Guidelines
hardening sprints, Security Sprints, Hardening Sprints, and Hack Days-Security Sprints, Hardening Sprints, and Hack Days
Heartbleed bug, Traditional Application Security Models, Managing Vulnerabilities, Test-Driven Security, Finding Security Vulnerabilities Is Even Harder, If You Got Bugs, You’ll Get Pwned, What Unit Testing Means to System Security
high-risk features, Post-Iteration Involvement
HTTP headers, secure, Fundamentals Will Take You a Long Way to Secure, Safe Code
human attack surface, Your System’s Attack Surface
Hyphothesis Driven Development, Lean

I

IAST (Interactive or Instrumented Application Security Testing), What Tools Are Good For, and What They’re Not Good For
IDE plug-ins, Catching mistakes as you are coding
incident response, Incident Response: Preparing for Breaches-Blameless Postmortems: Learning from Security Failures
- blameless postmortem exercises, Blameless Postmortems: Learning from Security Failures-Blameless Postmortems: Learning from Security Failures
- game days, Get Your Exercise: Game Days and Red Teaming
- red teaming, Red Team/Blue Team-Red Team/Blue Team
incremental design, Incremental Design and Refactoring
industry analyst reports, Common Attack Vectors
infrastructure as code, Infrastructure as Code-Infrastructure as Code
infrastructure security requirements, Infrastructure and Operations Requirements-Key Takeaways
infrastructure testing, Testing Your Infrastructure-Serverspec
insider threats, Reviewing Code for Insider Threats-Reviewing Code for Insider Threats
InSpec, Key Takeaways, Automated Hardening Templates
integration tests, Automated Testing
integrity, Integrity: Keep It Safe
intervention dashboards, Dashboards-Dashboards
intrusion detection, Monitoring and Intrusion Detection-Proactive Versus Reactive Detection
- (see also monitoring)
Intuit, Red Team/Blue Team

J

Jenkins, Harden Your CI/CD Tools

K

Kanban, Kanban-Continuous Improvement
- constant feedback, Constant Feedback
- continuous improvement, Continuous Improvement
- Kanban board, Kanban Board: Make Work Visible
- stories in, Tracking and Managing Stories: The Backlog

L

Lean, Lean
linting tools, Linting
log reviews, Review the Logs
logging, Auditing and Logging-Auditing and Logging
Lynis, Automated Compliance Scanning

M

manual testing, A Place for Manual Testing in Agile-A Place for Manual Testing in Agile
mean time between failures (MTBF), What About DevOps?
mean time to recovery (MTTR), What About DevOps?
metrics tracking, Monitoring to Drive Feedback Loops
microservices, Managing Your Application Attack Surface, Understanding Trust and Trust Boundaries, What Code Needs to Be Reviewed?, Auditing and Logging
Microsoft Threat Modeling Tool, “Good Enough” Is Good Enough
Minimum Viable Product (MVP), Lean, Taking On and Paying Down Security Debt, Complexity and Security
mistakes, runtime, Catching Mistakes at Runtime-Catching Mistakes at Runtime
misuse cases (see attacker stories)
mob programming, Pair Programming (and Mob Programming)
mocks, The Agile Test Pyramid
monitoring, Monitoring and Intrusion Detection-Proactive Versus Reactive Detection
- auditing and logging, Auditing and Logging-Auditing and Logging
- to drive feedback loops, Monitoring to Drive Feedback Loops
- for security, Using Application Monitoring for Security-Using Application Monitoring for Security
- proactive versus reactive detection, Proactive Versus Reactive Detection

N

Netflix, Infrastructure and Operations Requirements, What Code Needs to Be Reviewed?, Monitoring to Drive Feedback Loops, Catching Mistakes at Runtime
network attack surface, Your System’s Attack Surface
network configuration and management, Network as Code-Network as Code
nightly builds, Nightly Build
NIST SP 800-53r4, Reg SCI: Outcome-Based
nonfunctional requirements, Handling Security Risks in Agile and DevOps
nonrepudiation, Nonrepudiation
NoOps, Infrastructure and Operations Requirements
NVD (National Vulnerability Database), Managing Vulnerabilities

O

open source, dependency vulnerabilities in, Securing Your Software Supply Chain-Securing Your Software Supply Chain
OpenAPI/Swagger, BDD-Security and ZAP Together
OpenSCAP, Automated Compliance Scanning
operations and OpSec, Operations and OpSec-Key Takeaways
- build pipeline security, Securing Your Build Pipeline-Shh…Keeping Secrets Secret
- catching mistakes at runtime, Catching Mistakes at Runtime-Catching Mistakes at Runtime
- incident response, Incident Response: Preparing for Breaches-Blameless Postmortems: Learning from Security Failures
  - (see also breaches, preparing for)
- key takeaways, Key Takeaways-Key Takeaways
- network as code, Network as Code-Network as Code
- runtime defense, Runtime Defense-RASP
- system hardening, System Hardening: Setting Up Secure Systems-Automated Hardening Templates
operations security requirements, Infrastructure and Operations Requirements-Key Takeaways
out-of-band testing and reviews, Out-of-Band Testing and Reviews
outages versus breaches, Incident Response: Preparing for Breaches
outcome-based regulation, Different Regulatory Approaches, Reg SCI: Outcome-Based-Which Approach Is Better?
outsourcing hosting, Dealing with Risk, Accepting and Transferring Risks
OWASP
- AppSensor, RASP
- ASVS project, Security Stories-Security Stories, Reviewing Security Features and Controls
- Benchmark Project, What Tools Are Good For, and What They’re Not Good For
- crypto cheat sheets, Data Privacy
- Dependency Check, Securing Your Software Supply Chain
- Logging Cheat Sheet, Auditing and Logging
- Testing Guide, Challenges with Application Scanning
- Top 10 Risk List, Understanding Risks and Risk Management, Common Attack Vectors, Risk Management and Compliance

P

Packer, Testing Your Infrastructure, Approaches for Building Hardened Systems
pair programming, Pair Programming, Per-Iteration Rituals, Pair Programming (and Mob Programming), What Kind of Review Approach Works Best for Your Team?
passive scanning, ZAP Tutorial
PayPal, Monitoring to Drive Feedback Loops
PCI DSS (Payment Card Industry Data Security Standard), PCI DSS: Rules-Based-PCI DSS: Rules-Based
peer code reviews, Peer Code Reviews-What Kind of Review Approach Works Best for Your Team?
penetration testing, Common Attack Vectors, Challenges with Application Scanning, A Place for Manual Testing in Agile, Penetration Testing-Penetration Testing, Your Baby Is Ugly and You Should Feel Bad
per-iteration rituals, Per-Iteration Rituals-Tools Embedded in the Life Cycle
perimeterless security, Perimeterless Security-Perimeterless Security
personas/anti-personas, Security Personas and Anti-Personas-Security Personas and Anti-Personas
PHI (Personal/Protected Health Information), Compliance and Security
Phoenix Servers, Use Phoenix Servers for Build and Test
PII (Personally Identifiable Information), Compliance and Security
pipeline (see build pipeline)
planning and discover tooling, Tooling for Planning and Discovery
planning poker, The Planning Game
post-iteration involvement, Post-Iteration Involvement-Compliance and Audit Tools
postmortem exercises, Blameless Postmortems: Learning from Security Failures-Blameless Postmortems: Learning from Security Failures, Don’t Play the Blame Game
pragmatic security, Enable, Don’t Block
pre-iteration involvement, Pre-Iteration Involvement
privacy of data, Privacy, Fraud, Compliance, and Encryption, Data Privacy-Data Privacy
programmable configuration management, Infrastructure as Code-Infrastructure as Code
protective controls, Protective Controls
Puppet, First, Understand What You Need to Scan, Reviewing Infrastructure Code, Test Kitchen, Approaches for Building Hardened Systems-Network as Code, Lock Down Configuration Managers, Use Phoenix Servers for Build and Test, Shh…Keeping Secrets Secret

R

RASP (Runtime Application Self-Protection), What Tools Are Good For, and What They’re Not Good For, RASP-RASP
red teaming, Common Attack Vectors, Red Teaming-Red Teaming, Red Team/Blue Team-Red Team/Blue Team, Your Baby Is Ugly and You Should Feel Bad
Red, Green, Refactor, Test-Driven Development
refactoring, Test-Driven Development, Refactoring: Keeping Code Simple and Secure-Refactoring: Keeping Code Simple and Secure
Reg SCI (Systems Compliance and Integrity), Reg SCI: Outcome-Based-Which Approach Is Better?
regression testing, A Place for Manual Testing in Agile
regulatory compliance (see compliance)
release management, Release Management-Release Management
repo lockdowns, Lock Down Repos
requirements, Security and Requirements-Key Takeaways
- attack trees, Attack Trees-Maintaining and Using Attack Trees
- attacker stories, Attacker Stories: Put Your Black Hat On-Writing Attacker Stories
- encryption, Privacy, Fraud, Compliance, and Encryption-Privacy, Fraud, Compliance, and Encryption
- fraud protection, Privacy, Fraud, Compliance, and Encryption
- getting security into, Getting Security into Requirements-SAFECode Security Stories
- infrastructure and operations, Infrastructure and Operations Requirements-Key Takeaways
- key takeaways, Key Takeaways
- operational considerations, Infrastructure and Operations Requirements
- personas and anti-personas, Security Personas and Anti-Personas-Security Personas and Anti-Personas
- privacy, Privacy, Fraud, Compliance, and Encryption
- regulatory compliance, Privacy, Fraud, Compliance, and Encryption
- SAFECode security stories, SAFECode Security Stories-SAFECode Security Stories
- stories, Agile Requirements: Telling Stories-Dealing with Bugs
- teams to be considered, Infrastructure and Operations Requirements
requirements review, Traditional Application Security Models
resistive controls, Resistive Controls
risk, Security Is About Risk-An Imperfect World Means Hard Decisions
- accepting, Dealing with Risk
- assessing up front, Assess Risks Up Front
- avoiding, Dealing with Risk
- minimizing, Risk Can Be Minimized, Not Avoided-An Imperfect World Means Hard Decisions
- mitigating, Agile Risk Mitigation-Agile Risk Mitigation
- outsourcing, Dealing with Risk-Dealing with Risk
- reducing, Dealing with Risk
- versus threats, Risks and Threats-Risks and Threats
- vulnerability likelihood, Vulnerability: Likelihood and Impact
risk backlog, Making Risks Visible
risk management, Risk for Agile Teams-Key Takeaways
- accepting and transferring risks, Accepting and Transferring Risks
- challenges with Agile and DevOps, Risk Management in Agile and DevOps-Agile Risk Mitigation
  - automation, Automation
  - incremental design and refactoring, Incremental Design and Refactoring
  - risk mitigation, Agile Risk Mitigation-Agile Risk Mitigation
  - self-organized, autonomous teams, Self-Organized, Autonomous Teams
  - speed of delivery, Speed of Delivery
- changing contexts for risks, Changing Contexts for Risks-Changing Contexts for Risks
- and compliance, Risk Management and Compliance-Risk Management and Compliance
- host outsourcing, Dealing with Risk, Accepting and Transferring Risks
- methodologies, Understanding Risks and Risk Management
- mitigation strategies, Dealing with Risk-Dealing with Risk
- OWASP’s Top 10 Risk List, Understanding Risks and Risk Management, Common Attack Vectors, Risk Management and Compliance
- purpose of, Security Says, No
- risk ratings, Understanding Risks and Risk Management
- risk visibility and tracking, Making Risks Visible
- risks versus threats, Risks and Threats-Risks and Threats
- Structured Information Gathering (SIG) questionnaire, Dealing with Risk
- understanding, Understanding Risks and Risk Management-Understanding Risks and Risk Management
risk register, Making Risks Visible
rubber ducking, Rubber Ducking or Desk Checking, What Kind of Review Approach Works Best for Your Team?
rules-based regulation, Different Regulatory Approaches, PCI DSS: Rules-Based-PCI DSS: Rules-Based
runtime defense, Runtime Defense-RASP
- cloud security protection, Cloud Security Protection
- RASP (Runtime Application Self-Protection), RASP-RASP
runtime mistakes, Catching Mistakes at Runtime-Catching Mistakes at Runtime

S

SAFe (Scaled Agile Framework), Security Sprints, Hardening Sprints, and Hack Days
SAFECode security stories, SAFECode Security Stories-SAFECode Security Stories
SafeStack, Let’s Go Faster
Salt, Test Kitchen, Approaches for Building Hardened Systems
SAST (Static Analysis Security Testing), Security vulnerabilities (SAST)
scaling, What About When You Scale?
scanning, Vulnerability Scanning and Patching-Managing Vulnerabilities, Common Attack Vectors
- APIs, BDD-Security and ZAP Together
- automated code reviews, Automated Code Reviews-Reviewing Infrastructure Code
- automated compliance scanning, Automated Compliance Scanning-Automated Compliance Scanning
- challenges with, Challenges with Application Scanning-Challenges with Application Scanning
- functional, Functional Security Testing and Scanning-Challenges with Application Scanning
- passive, ZAP Tutorial
- versus penetration testing, Challenges with Application Scanning
- self-service, Self-Service Scanning-Self-Service Scanning
- vulnerability versus compliance, Automated Compliance Scanning
scoped review, Penetration Testing
Scrum, Scrum, the Most Popular of Agile Methodologies-Scrum Feedback Loops
- backlogs, Sprints and Backlogs-Sprints and Backlogs
- blockers, Stand-ups
- feedback loops, Scrum Feedback Loops
- sprints, Sprints and Backlogs-Sprints and Backlogs
- stand-ups, Stand-ups-Stand-ups
- stories in, Tracking and Managing Stories: The Backlog
secrets, Shh…Keeping Secrets Secret-Shh…Keeping Secrets Secret, Transparently Secure
secure system design, Building Secure and Usable Systems
- complexity, Complexity and Security-Complexity and Security
- key takeaways, Key Takeaways
- resistance to compromise, Design to Resist Compromise
- security architecture, Security Architecture-Assume Compromised
- security versus usability, Security Versus Usability
- technical controls, Technical Controls-Compensating Controls
securgonomics, Securgonomics-Securgonomics
security, Security Says, No
- (see also risk management)
- versus compliance, Compliance and Security
- defining, Getting Started with Security, Per-Iteration Rituals, Compliance and Security
- misconceptions, Common Security Misconceptions or Mistakes-Security Requires Special [Insert Item/Device/Budget]
- perimeterless, Perimeterless Security-Perimeterless Security
- pragmatic, Enable, Don’t Block
- skills distribution, Security Skills Are Unevenly Distributed
- standards, Compliance, Regulation, and Security Standards
- traditional models, Traditional Application Security Models-Traditional Application Security Models
- updating practitioner skills, Security Practitioners Need to Get a Tech Refresh
- versus usability, Security Versus Usability
security and Agile team collaboration, Agile and Security-Agile and Security
security and requirements (see requirements)
security architecture, Security Architecture-Assume Compromised
security breaches (see breaches)
security culture, Security Culture
- accessibility of security team, Securgonomics-Securgonomics
- blamelessness, Don’t Play the Blame Game-Don’t Play the Blame Game
- defining, Defining “Culture”
- development of, Building a Security Culture-Building a Security Culture
- enablement, Enable, Don’t Block-Enable, Don’t Block
- Etsy case study, Principles of Effective Security-The Who Is Just as Important as the How
- goal of, Building a Security Culture
- importance of, The Importance of Security Culture-Push, Don’t Pull
- key takeaways, Key Takeaways
- security outreach, Security Outreach-Dashboards
- security personnel decisions, The Who Is Just as Important as the How
- transparency, Transparently Secure-Transparently Secure
- user inclusion, Scale Security, Empower the Edges
security debt, Taking On and Paying Down Security Debt-Taking On and Paying Down Security Debt
security fix, Release Management
security gates, Traditional Application Security Models
security monitoring (see monitoring)
Security Monkey, Catching Mistakes at Runtime
security outreach, Security Outreach-Dashboards
- dashboards, Dashboards-Dashboards
- securgonomics, Securgonomics-Securgonomics
security sprints (see hardening sprints)
security stories, Security Stories-Security Stories
security team building, You Can Build Your Own Security Experts-You Can Build Your Own Security Experts
security team involvement, Getting Security into Requirements-SAFECode Security Stories
security technology tools, Tools Embedded in the Life Cycle-Tools Embedded in the Life Cycle
security testing (see testing)
security values, Security Values: Protecting Our Data, Systems, and People-Compliance, Regulation, and Security Standards
self-reviews, Rubber Ducking or Desk Checking, What Kind of Review Approach Works Best for Your Team?
separation of duties, Dealing with Separation of Duties
Serverspec, Serverspec
service-level testing, Service-Level Testing and BDD Tools-Let’s Look Under the Covers
Shared Metaphor, Shared Design Metaphor
shared responsibility model, Understanding Trust and Trust Boundaries
Simian Army, Catching Mistakes at Runtime
single-sign-on (SSO) solutions, Understand What’s in the Cloud
situational awareness dashboards, Dashboards-Dashboards
SOAP, BDD-Security and ZAP Together
SonarQube, Code complexity analysis and technical debt metrics
Sonatype calculator, Fewer, Better Suppliers
speed of Agile delivery, Speed of Delivery
sprints, Sprints and Backlogs-Sprints and Backlogs, Security Sprints, Hardening Sprints, and Hack Days-Security Sprints, Hardening Sprints, and Hack Days
SQL Prepared Statements, Fundamentals Will Take You a Long Way to Secure, Safe Code
SSL/TLS, Using Application Monitoring for Security, Catching Mistakes at Runtime
stand-ups, Stand-ups-Stand-ups, Per-Iteration Rituals
static scanning, Automated Code Reviews-Reviewing Infrastructure Code
STIX, Threat Intelligence
stories, Agile Requirements: Telling Stories-Dealing with Bugs
- attacker stories, Attacker Stories: Put Your Black Hat On-Writing Attacker Stories
- backlog, Tracking and Managing Stories: The Backlog
- conditions of satisfaction, Conditions of Satisfaction
- electronic tracking systems, Tracking and Managing Stories: The Backlog
StreamAlert, Using Application Monitoring for Security
STRIDE threat model, Building an Attack Tree, STRIDE: A Structured Model to Understand Attackers
Structured Information Gathering (SIG) questionnaire, Dealing with Risk
stubs, The Agile Test Pyramid
summary dashboards, Dashboards
supply chain costs/risks, Fewer, Better Suppliers
system availability, Availability: Keeping the Doors Open and the Lights On
system complexity, Complexity and Security-Complexity and Security
system hardening (see hardening)
system integrity, Integrity: Keep It Safe
system tests, Automated Testing
- (see also testing)

T

TAXII, Threat Intelligence
TDD (test-driven development), Unit Testing and TDD
team autonomy, Self-Organized, Autonomous Teams
team-enablement tools, Tools to Enable the Team
technical controls, Technical Controls-Compensating Controls
technical debt metrics, Code complexity analysis and technical debt metrics
technology dependence, This Isn’t Just a Technology Problem-This Isn’t Just a Technology Problem
templating data, Fundamentals Will Take You a Long Way to Secure, Safe Code
10+ Deploys per Day: Dev and Ops Cooperation at Flickr, Principles of Effective Security
test data, Use Phoenix Servers for Build and Test
Test Kitchen, Test Kitchen
test reviews, Build on What the Team Is Doing, or Should Be Doing
test-driven development, Test-Driven Development
test-driven security, Test-Driven Security
testing, Traditional Application Security Models, Agile Security Testing-Key Takeaways
- acceptance tests, The Agile Test Pyramid, Acceptance Testing
- Agile process, How Is Testing Done in Agile?
- Agile Test Pyramid, The Agile Test Pyramid-The Agile Test Pyramid
- automated build and test pipeline, Creating an Automated Build and Test Pipeline-Where Security Testing Fits Into Your Pipeline
- BDD (behavior-driven development), Service-Level Testing and BDD Tools-Let’s Look Under the Covers
- changing roles and rules in, How Is Testing Done in Agile?
- coding error implications, If You Got Bugs, You’ll Get Pwned-If You Got Bugs, You’ll Get Pwned
- functional, Functional Security Testing and Scanning-Challenges with Application Scanning
- infrastructure, Testing Your Infrastructure-Serverspec
- key takeaways, Key Takeaways-Key Takeaways
- manual, A Place for Manual Testing in Agile-A Place for Manual Testing in Agile
- SAST, Security vulnerabilities (SAST)
- service-level, Service-Level Testing and BDD Tools-Let’s Look Under the Covers
- success with in Agile and DevOps, How Do You Make Security Testing Work in Agile and DevOps?-How Do You Make Security Testing Work in Agile and DevOps?
- unit tests, Unit Testing and TDD-Get Off the Happy Path
- ZAP, ZAP Tutorial-BDD-Security and ZAP Together
testing, automated, Automated Testing-Automated Testing
ThreadFix, Managing Vulnerabilities
Threatbutt, Threat Intelligence
threats, Threat Assessments and Understanding Attacks-Key Takeaways
- assessing, Threat Assessment-Threat Assessment
- attack surfaces, Your System’s Attack Surface-Managing Your Application Attack Surface
- attack targets, Threats and Attack Targets
- attack-driven defense, Threat Assessment
- developer intel, Threat Assessment
- insider, Reviewing Code for Insider Threats-Reviewing Code for Insider Threats
- key takeaways, Key Takeaways
- threat actors, Threat Actors and Knowing Your Enemy-Motivation, Resources, Access, Understanding Threat Actors-Outsiders
  - (see also attackers)
- threat intelligence, Threat Intelligence-Threat Intelligence
- threat modeling, Pre-Iteration Involvement, Agile Threat Modeling-Getting Value Out of Threat Modeling
  - attack vectors, Common Attack Vectors-Common Attack Vectors
  - building your threat model, Building Your Threat Model-“Good Enough” Is Good Enough
  - incremental, Incremental Threat Modeling and Risk Assessments-Getting Value Out of Threat Modeling
  - Microsoft Threat Modeling Tool, “Good Enough” Is Good Enough
  - optimizing value of, Getting Value Out of Threat Modeling-Getting Value Out of Threat Modeling
  - resources for, “Good Enough” Is Good Enough
  - reviewing, Review Threats as the Design Changes
  - STRIDE model, STRIDE: A Structured Model to Understand Attackers
  - thinking like an attacker, Thinking Like an Attacker-STRIDE: A Structured Model to Understand Attackers
  - trust and trust boundaries, Understanding Trust and Trust Boundaries-Understanding Trust and Trust Boundaries
  - upfront risk review, Assess Risks Up Front
  - versus attacker stories, Attacker Stories: Put Your Black Hat On
- versus risks, Risks and Threats
Tinfoil, BDD-Security and ZAP Together
tools
- for compliance and audit, Compliance and Audit Tools
- embedded, Tools Embedded in the Life Cycle
- for planning and discovery, Tooling for Planning and Discovery
- for team enablement, Tools to Enable the Team
- usability of, Building Tools That People Will Use
tools versus people, Choose People over Tools
tools, security technology, Tools Embedded in the Life Cycle-Tools Embedded in the Life Cycle
tracking, visible, Visible Tracking-Visible Tracking
traditional security models, Traditional Application Security Models-Traditional Application Security Models, Security Architecture
- documentation in, Documenting Security Techniques
- embedded tools, Tools Embedded in the Life Cycle
transparency, Transparently Secure-Transparently Secure
Transport Layer Protection Cheat Sheet, Data Privacy
trust/trust boundaries, Understanding Trust and Trust Boundaries-Understanding Trust and Trust Boundaries
trusted versus trustworthy, Understanding Trust and Trust Boundaries

U

unit tests, Automated Testing, Unit Testing and TDD-Get Off the Happy Path, Unit Testing
UpGuard, First, Understand What You Need to Scan
usability, versus security, Security Versus Usability
user stories (see stories)

V

Vagrant, Testing Your Infrastructure
validating data, Fundamentals Will Take You a Long Way to Secure, Safe Code
value chain monitoring, Centralized Feedback
vanity dashboards, Dashboards-Dashboards
Vault secrets manager, Shh…Keeping Secrets Secret
vulnerabilities, Agile Vulnerability Management-Key Takeaways, Security Has to Start with Quality
- assessing, First, Understand What You Need to Scan, Vulnerability Assessment-Vulnerability Assessment
- in containers, Vulnerabilities in Containers
- critical, Dealing with Critical Vulnerabilities
- CVE (Common Vulnerabilities and Exposures), Managing Vulnerabilities
- CVSS and CWSS Scoring Systems, Managing Vulnerabilities
- CWE (Common Weakness Enumeration), Managing Vulnerabilities
- exposure to, We Are All Vulnerable
- fixing, How to Fix Vulnerabilities in an Agile Way-Collective Code Ownership
  - with collective code ownership, Collective Code Ownership
  - hack days, Security Sprints, Hardening Sprints, and Hack Days
  - with hardening sprints, Security Sprints, Hardening Sprints, and Hack Days-Security Sprints, Hardening Sprints, and Hack Days
  - with test-driven security, Test-Driven Security
  - with zero bug tolerance, Zero Bug Tolerance
- from open source libraries, Securing Your Software Supply Chain
- Heartbleed example, Managing Vulnerabilities
- impact of, Measuring the Cost
- key takeaways, Key Takeaways
- likelihood of, Vulnerability: Likelihood and Impact-Not Impossible, Just Improbable
- managing, Managing Vulnerabilities-Managing Vulnerabilities
- NVD (National Vulnerability Database), Managing Vulnerabilities
- prioritizing, How to Fix Vulnerabilities in an Agile Way
- risk factors, Managing Vulnerabilities
- SAST, Security vulnerabilities (SAST)
- scanning and patching, Vulnerability Scanning and Patching-Managing Vulnerabilities
  - (see also scanning)
- securing software supply chain, Securing Your Software Supply Chain-Fewer, Better Suppliers
- standardization for avoiding, Fewer, Better Suppliers
- tracking, Tracking Vulnerabilities
vulnerable dependencies, Vulnerable dependencies

W

Waterfall projects, Agile Requirements: Telling Stories
Waterfall/CMMI model, Dealing with Separation of Duties
white-box testing, Penetration Testing

Y

Yelp, Using Application Monitoring for Security

Z

ZAP (Zed Attack Proxy), ZAP Tutorial-BDD-Security and ZAP Together, Challenges with Application Scanning
- with BDD-Security, BDD-Security and ZAP Together-BDD-Security and ZAP Together
- in continuous integration, ZAP in Continuous Integration
zero bug tolerance, Zero Bug Tolerance
zero trust networks, Perimeterless Security

Previous Chapter

16. What Does Agile Security Mean?

About the Authors