OWASP Topic: A06:2021-Vulnerable and Outdated Components
“Vulnerable Components are a known issue that we struggle to test and assess risk and is the only category to not have any Common Vulnerability and Exposures (CVEs) mapped to...” (https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/) Vulnerable and Outdated Components. Ugh. Gross. Sounds like a communicable disease and an outdated vaccine for an application. Wait, maybe that’s a good analogy. Let’s roll with it. What exactly is a Vulnerable and Outdated C

Jen C
Nov 7, 2025 - 3 min read


Jen's Agile Cliff Notes - SMART Goals
What is a SMART Goal? It can apply to any goal you set, not just Agile-related ones. We write our PI Objectives in SMART goal format, but it can also be used to write better sprint goals. A SMART Goal is scientifically proven to help teams set and achieve goals. They excel at providing the framework to create a compelling PI Objective or Sprint Goal. You can even use them for retrospective goals! Let’s dive in… They give you direction. A well-planned goal helps you m

Jen C
Nov 7, 2025 - 3 min read


This Injection Doesn’t Come with a Lollipop: How SQL Attacks Sneak Past Your Code
Do you look forward to receiving an injection? No? The same applies for our systems! Let’s learn more about SQL injections and how this can impact our applications! “Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurrences. Notable Common Weakness Enumerations (CWEs) included are CWE-79: Cross-site Scripting, CWE-89: SQL Injection, and

Jen C
Nov 7, 2025 - 2 min read


OWASP Topic — Cryptographic Failures
“Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof). Which often lead to exposure of sensitive data.” Cleopatra is making an online purchase of a new sheath dress. When I think of cryptographic failures, my mind immediately pictures Cleopatra on her laptop. Close enough, right? For what it’s worth, cryptology really does orig

Jen C
Nov 6, 2025 - 2 min read


Imposters In Space, Errrr, Web Applications…Broken Access Controls!
We’re going to take a deeper dive into Access Controls! Let’s jump right in. Broken access controls are the number one vulnerability according to OWASP and the most serious. This may sound harsh, but the truth is that a malicious attacker has exploited a weak access control point in one of our web applications, taking advantage of a vulnerability. Broken access controls have been responsible for data breaches, identity theft, financial losses, and reputational damage to

Jen C
Nov 6, 2025 - 3 min read
Broken Access Controls — Protect The Fortress!
Published on Medium.com. Broken access control could be an attacker exploiting these vulnerabilities, or it could be unintended. They could be: Injection flaws: untrusted input injected into an application. Cross-site scripting (XSS): untrusted input is included in a web page output. Broken authentication/session management: the application doesn’t validate or protect information. Inadequate role-based authorization or allowing users to access functionality beyond their permis

Jen C
Oct 21, 2025 - 1 min read
Sensitive Data Storage and Exposure
Published on Medium.com. We have to be super careful with our client’s sensitive data, including PII, financial records, and login credentials. That’s a given! Sensitive Data Exposure occurs when a web application fails to protect confidential information, accidentally or intentionally. Either way, there are serious consequences. Exposed data can then be exploited by malicious actors, ranging from identity theft to financial fraud. One way this can happen is by returning too m

Jen C
Oct 21, 2025 - 2 min read


Breach puh-lease! Use of proper logging and monitoring to avoid security breaches!
Posted on Medium.com. We don’t want a security breach! That’s why we rely heavily on logging and monitoring our applications; without it, breaches cannot be detected. Though challenging to test, it can be beneficial for accountability, visibility, incident alerting, and forensics. That’s why this is in the OWASP Top 10 of vulnerabilities: to help detect, escalate, and respond to active breaches! A security logging/monitoring failure is a vulnerability that occurs when a system/a

Jen C
Oct 21, 2025 - 2 min read
Left Lane Ends and Lanes Merge: When Friendships Are Over and New Ones Begin
Written for Medium.com. I’ve always believed that some friendships are meant to last a lifetime, while others are only with us for a season. Each serves a purpose during a certain period, and when that time is over, it’s natural to move on. Some of my friendships date back to high school. Now, at my age, I realize how much I’ve learned from these relationships, no matter how cliché that may sound. My best friend, who is my oldest daughter’s godfather, has been in my life since

Jen C
Oct 13, 2025 - 3 min read
Jen's Agile Cliff Notes - The Release Train Engineer
What on earth does a Release Train Engineer (RTE) do? The Scaled Agile Framework definition states that “The Release Train Engineer (RTE) is a servant leader and coach for the Agile Release Train (ART).” That’s a mouthful! Well, there’s a lot that goes on “behind the scenes” to keep an Agile Release Train on the tracks. It’s more than just organizing PI Planning! Is it a Release Manager? No, but here’s a highlight of just a few areas that an RTE can help! ● Protec

Jen C
Oct 13, 2025 - 2 min read
Jen's Agile Cliff Notes - The Role of the Stakeholder
Feedback is critical to the success of the Agile Release Train (ART). How do we know if the solution we are building is what our customers desire? Stakeholders, aka Business Owners in the world of SAFe, play a crucial role in keeping the Agile Release Train on track. This is definitely a partnership! How can you help as a partner of your Agile Release Train? Attend the PI Planning Event for the full two days (in person if possible!). Regularly attend the system demo (or sen

Jen C
Oct 13, 2025 - 1 min read
Jen's Agile Cliff Notes: Demystifying The Burndown, Burnup, Cumulative Flow Diagram, and Cycle Time Charts
Here's a presentation that I wrote and have given at multiple companies on various Agile tools. The screenshots are from Azure DevOps, not JIRA, but can easily be swapped out.

Jen C
Oct 13, 2025 - 1 min read
Jen's Agile Cliff Notes: INVEST! In Your User Stories!
Here's a presentation that I wrote and have given at multiple companies.

Jen C
Oct 13, 2025 - 1 min read


Jen's Agile Cliff Notes - The Role of the Team Coach
Today, we’ll learn more about the role of the Team Coach. Team Coach? Jen, what are you talking about? Did you know that with SAFe 6.0, they have actually renamed the role of the Scrum Master to a Team Coach? Yes! Prince, who changed his name to a Symbol, or Snoop Dogg’s identity crisis, where he became Snoop Lion. Do you remember that? Thankfully, he’s back to straight Gin and Juice! The Team Coach role is no gimmick. Seriously though, “ain’t nothin’ but a SAFe thin

Jen C
Oct 13, 2025 - 3 min read
Knock Knock… Who Let the Hacker In? Path Traversals
Path traversal vulnerabilities, aka directory traversal attacks, are like that one nosy neighbor who tries to peek into rooms they weren’t invited to. Path traversal vulnerabilities, also known as directory traversal attacks, attempt to gain access to and read files in a restricted directory by manipulating variables that reference file paths. It occurs on the web server outside the website's directory. This type of attack is wholly an attempt to get access to sensitive data t

Jen C
Oct 8, 2025 - 2 min read
SSRF’s: A Gateway Drug To Other Vulnerabilities
Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. Whew, that’s a mouthful. And that’s just the beginning of what makes SSRF so dangerous. Let’s unpack it a bit further: It is similar to cross-site scripting except it is gaining control of a server versus a URL and bypassing the firewall entirely. This attack typically targets i

Jen C
Oct 8, 2025 - 4 min read


Jen's Take On The Three Little Pigs...and Insecure Design
“A new category for 2021 focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures.” - OWASP The Wolf loves an insecure design that he can huff and puff and blow down. What is it and how can we prevent it? Let’s learn more together about this topic! “Little pig! Little pig! Let me in!” – The Wolf “No, no, no! Not by the hairs of my chinny chin chin.” – All Three Little Pigs Inse

Jen C
Oct 7, 2025 - 5 min read


Jen's Agile Cliff Notes - Lean-Agile Practices
SAFe focuses heavily on Lean-Agile practices. Lean is all about reducing waste (improving efficiency and eliminating multi-tasking) and...

Jen C
Oct 7, 2025 - 1 min read
Jen's Agile Cliff Notes - Innovation and Planning Iteration
In an Agile Release Train (ART), we strive to wrap up our PI commitments made before the Innovation and Planning Iteration. Sometimes...

Jen C
Oct 6, 2025 - 1 min read
Jen's Agile Cliff Notes - ROAM’ing our Risks
In an Agile Release Train (ART), we try to mitigate risks. Some risks can be tackled at a Team level. Some risks are bubbled up to a...

Jen C
Oct 6, 2025 - 2 min read