[Owasp-chicago] Chicago OWASP Chapter meeting - June 20

Fri May 18 04:10:37 EDT 2007

The next Quarterly Chicago OWASP Chapter meeting will be held on June 20th, 2007 at 
6PM CST. 

We hope to see you at the ABN AMRO Plaza at 540 W. Madison, Downtown Chicago, 
23rd floor. Please RSVP to jason at wittys.com by Monday 06/18/2007 if you plan to 
attend. Your name will need to be entered into the building's security system in order to 
gain access to the meeting. 

Agenda: 

6:00 Refreshments and Networking 
6:30 Agile and Secure: Can We Be Both?, Dan Cornell, Principal, Denim Group 
7:15 Roundtable (topic to be determined) and Questions

Presentation Abstract 

Software development organizations find themselves pulled in two directions. Agile 
software development methodologies such as extreme Programming and Scrum have 
allowed organizations to be more responsive to business concerns by involving the 
customer, increasing the pace of stable releases and decreasing the time required before 
new features are deployed. In addition, a more aggressive regulatory environment as well 
as an increased focus on security requires that organizations more reliably produce secure 
software applications. Traditional approaches to security and compliance are very top-
down and document-centric, but these approaches often run counter to the spirit of agile 
software development methodologies. 

This presentation examines the goals of both agility and security and discusses strategies 
for making the two compatible . or at least for minimizing the conflict between them. 
First, the presentation outlines the fundamentals of secure software development to 
provide a baseline that any methodology . traditional or agile . must follow. The 
practices of agile development are then examined from the viewpoint of providing 
security assurance. Potential modifications to those practices are discussed that provide 
an approach to creating the artifacts required for compliance and security assurance with 
a minimum of impact on the typically documentation-light agile development practices. 
Finally, the unavoidable conflicts between security and agility are discussed and 
recommendations are provided so that organizations can make the tough decisions 
appropriate to their environment in order to enforce the requisite amount of security 
while still remaining responsive to business concerns. 