| Track | DevSecOps |
|---|---|
| When | Tue PM-1 |
| Where | Larch |
| Organizers | Ante Gulam |
| Participants | Abhinav Sejpal, Clara Anel Mansilla, Claudio Camerino, Francois Raynaud, Gabor Pek, Imran Chaudhari, Imran Mohammed A, Luis Saiz, Paul Dubourg, Pedro Laguna, Peter Turczak, Radu Tighineanu, Simon Pavillon, Sotiraki Sima, Stu Hirst, Thomas Franceschini, Tony Richards, Vasil Buraliev |
| Remote Participants | Ashraf Iftekhar, Barbara Prevel, Harmeet Singh, Madhu Akula, Mustaqiim Muhar, Nicholas Tait, Pascal Schulz, Prakash Sharma, Sophie Tonnoir, Sugumaran Uppili, Vinod Anandan |
Until recently, cyber security was often considered a “nice to have” in the software development lifecycle. However, after several data breaches hit the headlines, more and more dev teams are starting to incorporate security practices into their processes. Given how much agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.
Why
Agile practices have been around for quite some time now, and a lot of organisations incorporate them into their daily operations. This working session will discuss how security teams can use these Agile practices to improve their position and make their operational side more productive. Early delivery, practically a synonym of Agile, is one of the biggest challenges for info-sec, but adopting some Agile practices could enable security teams to integrate more effectively within their organisations.
What
- Agile and its practices
- Security adoption of Agile
- Architecting security for early delivery
- Situational awareness in Agile environments
- Optimising Agile SDLC security
Outcomes
A Draft List of Agile Security Practices
Synopsis and Takeaways
The following categories highlight some of the key activities of an agile security team:
Education
- Define and deliver security training programmes
Communication
- Security team to be visible, present at standups, available
- Connect dev to production
- Empower security champions
Standardisation and Compliance
- Own strong guidelines, e.g. data classification, regulatory, compliance
- Two-tier security standards? e.g. a mandatory baseline plus controls that depend on risk/sensitivity, etc.
- Library of standard stories
Support
- Technical support
- Help create security user stories, personas, anti-personas, patterns
- Culture of “security is not to say no, but to help”
- Testing
- Automation is needed for CI/CD e.g. tool to track 3rd party licenses
- “Development enablement tribe”
Governance/Control
- Project initiation touch point to define “gates”
- Prioritisation of involvement based on risk assessment, lifecycle stage
- Define “done”
- 3rd party maturity assessment
- Internal compliance checks
- Centralised tracking in primary colours
- Security team KPIs
- Security organisation has to be separate from development
- Monetary value on risks helps prioritisation
- Risk acceptance/escalation process
Engineering
- Bring in shared security solutions such as a WAF (requires engineering effort)
Practices
- Perhaps agile not applicable, more lean/kanban
- View security as functions, not people - resourcing can change but functions don’t
- Don’t be a blocker to agile, e.g. in operational approvals
- “Security team as a service”
- Business-as-usual (BAU) work is hard to manage and therefore hard to forecast: separate the functions
- Need visibility of project portfolio
- Separation of duty can be a constraint
Who
The target audience for this Working Session is:
- Developers
- Security professionals
- DevSecOps
- Security champions
Working materials
Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions):
- OWASP Proactive Controls
- Previous Summit Working Session: https://owaspsummit.org/Working-Sessions/Agile-AppSec/Agile-Practices-for-Security-Teams.html