PaulDotCom mailing list archives
Re: Agile SDLC
From: Josh More <jmore () starmind org>
Date: Tue, 26 Feb 2013 07:58:24 -0600
Meg,

Agile transitions and frameworks don't work very well together. You can put security frameworks into long-running Agile teams, but during a transition, you don't know where you're going to end up, so any framework is going to limit the team. This is counter to the Agile concept itself and will engender extreme resistance on the part of the developers.

The best thing you can do is have a presence in every sprint kick-off meeting, every retrospective and in every daily standup. If personas are being used, create a couple for attackers so the developers can start to think about what people should NOT be able to do as well as what they should.

Do not hold your security assessment reports to the Go/NoGo stage. That'll just irritate everyone. Think smaller, more iterative assessments. Work the bigger infrastructure stuff into the long-running QA process so security issues show up in the Defect Tracking system (whatever you use). For the sprints, think of the OWASP Top 10 and Binary Risk Analysis. When your developers are adding a feature set during a sprint, consider using your time to exhaustively test the application against SQLi and SQLi only. Maybe the next sprint will be CSRF. You have to be as agile as your team.

Whether you use user stories, acceptance criteria or something else will depend more on how your team works than any "right" way to do it. If your team is leveraging test-driven development, write hooks for the source control system to reject obviously bad code. Start small, as this is a really good way to screw things up, but little rules like "no SQL in the mid-tier apps, only in stored procedures" will do wonders over the long term. If you do nightly tests, look at doing automated tests with arachni and skipfish so you get rolling security metrics on the app.

If you want more exploration of this idea, feel free to poke me off-list. I mostly focus on business-level and infrastructure stuff in the Lean/Agile security space, but my friend Matt Konda does a lot on the development side of the house. (Not sure if he's on this list, but I'll poke him.) He can probably weigh in a lot more on this than I can.

-Josh More

On Mon, Feb 25, 2013 at 6:29 PM, Megan Mauch <oneilme77 () gmail com> wrote:
Hello,

My company is looking to move from Waterfall project framework to Agile. Does anyone know of any good resources or examples that would be useful in creating a security framework for Agile? I've seen Microsoft's; it's really good, but maybe a little overkill for the size of our company. We are about 15% the size of MS.

I'm looking for:
How do we include security requirements in Agile, do we use User Stories or Acceptance criteria?
Examples of high-level security gates and program overview.
Since Agile is so lean and documentation is sparse, do folks create security assessment reports for the final project Go/NoGo?
Work flow examples?
Does anyone do self-service security assessments for smaller projects?
Given that Agile is a lean process, what security project documentation besides requirements should be created?

Thanks,
Meg

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
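One way to implement the source-control hook Josh describes, the "no SQL in the mid-tier apps, only in stored procedures" rule, as an added example that is not from the post or from any project: a git pre-commit hook that scans the staged copy of each mid-tier file for string literals that start a SQL statement and lets only stored-procedure calls through. The src/midtier/ layout, the file extensions and the CALL/EXEC invocation convention are assumptions.

```python
#!/usr/bin/env python3
"""Pre-commit hook: reject raw SQL in mid-tier code; stored-procedure calls are allowed.
Assumed layout: mid-tier sources live under src/midtier/ and procedures are
invoked with CALL or EXEC (hypothetical conventions for this example)."""
import re
import subprocess
import sys

MIDTIER_PREFIX = "src/midtier/"                  # assumed project layout
MIDTIER_SUFFIXES = (".py", ".java", ".cs", ".js")  # assumed mid-tier languages

# A string literal whose first token is a DML/DDL keyword, e.g. "SELECT * FROM ..."
SQL_LITERAL = re.compile(
    r"""["']\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE)\b""",
    re.IGNORECASE)
# Stored-procedure invocation is the one sanctioned way to reach the database.
PROC_CALL = re.compile(r"""["']\s*(CALL|EXEC(UTE)?)\b""", re.IGNORECASE)


def is_midtier_file(path: str) -> bool:
    """True for source files the rule applies to (by path and extension)."""
    return path.startswith(MIDTIER_PREFIX) and path.endswith(MIDTIER_SUFFIXES)


def find_inline_sql(path: str, text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line of a mid-tier file that embeds
    a SQL statement literal; lines that invoke a stored procedure are skipped."""
    if not is_midtier_file(path):
        return []
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SQL_LITERAL.search(line) and not PROC_CALL.search(line):
            hits.append((lineno, line.strip()))
    return hits


def staged_files() -> list[str]:
    """Paths of added/copied/modified files in the index."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def main() -> int:
    failures = 0
    for path in staged_files():
        # Read the staged blob, not the working tree, so partially staged files are checked as committed.
        text = subprocess.run(["git", "show", f":{path}"],
                              capture_output=True, text=True, check=True).stdout
        for lineno, line in find_inline_sql(path, text):
            print(f"{path}:{lineno}: inline SQL in mid-tier code, use a stored procedure: {line}")
            failures += 1
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as .git/hooks/pre-commit (or via a shared hooks path) so a non-zero exit blocks the commit; the findings double as a per-sprint metric of how often the rule is tripped.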
Current thread:
- Agile SDLC Megan Mauch (Feb 25)
- Re: Agile SDLC Josh More (Feb 26)
- Re: Agile SDLC Pat (Feb 26)
- <Possible follow-ups>
- Agile SDLC Matt Konda (Feb 26)
- Re: Agile SDLC Kevin Shaw (Feb 26)
- Re: Agile SDLC Josh More (Feb 26)