Agile Practices for Security Teams

Track: DevSecOps
When: Tue PM-1
Where: Larch
Organizers: Ante Gulam
Participants: Abhinav Sejpal, Clara Anel Mansilla, Claudio Camerino, Francois Raynaud, Gabor Pek, Imran Chaudhari, Imran Mohammed A, Luis Saiz, Paul Dubourg, Pedro Laguna, Peter Turczak, Radu Tighineanu, Simon Pavillon, Sotiraki Sima, Stu Hirst, Thomas Franceschini, Tony Richards, Vasil Buraliev
Remote Participants: Ashraf Iftekhar, Barbara Prevel, Harmeet Singh, Madhu Akula, Mustaqiim Muhar, Nicholas Tait, Pascal Schulz, Prakash Sharma, Sophie Tonnoir, Sugumaran Uppili, Vinod Anandan

Until recently, cyber security was often considered a “nice to have” in the software development lifecycle. However, following several data breaches that hit the headlines, more and more dev teams are now starting to incorporate security practices into their processes. Given how much agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.

Why

Agile practices have been around for quite some time now, and many organisations incorporate them into their daily operations. This working session will discuss how security teams can use these Agile practices to improve their position and make their operational side more productive. Early delivery, practically a synonym for Agile, is one of the biggest challenges for info-sec, but adopting some Agile practices could enable security teams to integrate more effectively within their organisations.

What

  • Agile and its practices
  • Security adoption of Agile
  • Architecting security for early delivery
  • Situational awareness in Agile environments
  • Optimising Agile SDLC security

Outcomes

A Draft List of Agile Security Practices

Synopsis and Takeaways

The following categories highlight some of the key activities of an agile security team:

Education

  • Define and deliver security training programmes

Communication

  • Security team to be visible, present at standups, available
  • Connect dev to production
  • Empower security champions

Standardisation and Compliance

  • Own strong guidelines, e.g. data classification, regulatory, compliance
  • Two-tier security standards? e.g. mandatory vs. dependent on risk/sensitivity
  • Library of standard stories

Support

  • Technical support
  • Help create security user stories, personas, anti-personas, patterns
  • Culture of “security is not to say no, but to help”
  • Testing
  • Automation is needed for CI/CD e.g. tool to track 3rd party licenses
  • “Development enablement tribe”

Governance/Control

  • Project initiation touch point to define “gates”
  • Prioritisation of involvement based on risk assessment, lifecycle stage
  • Define “done”
  • 3rd party maturity assessment
  • Internal compliance checks
  • Centralised tracking in primary colours
  • Security team KPIs
  • Security organisation has to be separate from development
  • Monetary value on risks helps prioritisation
  • Risk acceptance/escalation process

Engineering

  • Bring in shared security solutions such as a WAF (engineering effort)

Practices

  • Perhaps agile not applicable, more lean/kanban
  • View security as functions, not people - resourcing can change but functions don’t
  • Don’t be a blocker to agile, e.g. in operational approvals
  • “Security team as a service”
  • Struggle to manage BAU and hence forecasting: separate functions
  • Need visibility of project portfolio
  • Separation of duty can be a constraint

Who

The target audience for this Working Session is:

  • Developers
  • Security professionals
  • DevSecOps
  • Security champions

Working materials

Here are the current ‘work in progress’ materials for this session:

OWASP Proactive Controls

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/Agile-AppSec/Agile-Practices-for-Security-Teams.html
