A picture says more than a 1000 words:
If you are interested in our model and want to learn more, register for our workshop at Security Academy.
The need to recalibrate information security for agile projects
Here (Agile Security Introduction-20170531) you will find the slides of the presentation Pascal and Arthur gave at the Experts Gathering at i-to-i.
We did a short version of our Agile Security workshop and had a lot of positive feedback. You can find more information on our workshop at Security Academy.
Here is the slide deck for continuous testing in an agile environment, PECB webinar, Oct. 19, 2016.
Here is the link to the slide deck on Agile Security for PECB on Oct 27, 2016.
Agile Security
Matching information security and agile
While agile development is going mainstream, information security is struggling to keep pace. The result of this struggle is that new systems are insecure, or that they are loaded with point solutions for security. What is so hard about security in agile environments? In this article we examine what makes infosec fail with agile; in future articles we will propose solutions and present a model to integrate information security into an agile development process.
So, what is wrong with classical infosec in relation to agile?
This has to do with the common way of working within security management. Popular information security frameworks (such as ISO 27001) use a top-down approach: they emphasize that policies, processes and generic technical controls need to be in place to make sure an organization is in control of its information security. Once all of that is in place, projects can start building on this security foundation and use security management services. This works well in top-down projects that follow the waterfall model, with clearly defined transition moments and deliverables. Information security is often addressed at the start and end of a project.
Agile, however, follows a different model: it uses a risk-based approach for developing incrementally, using short development cycles called sprints. A sprint is small enough to be manageable and it forces the product owner to set priorities. All new feature requests are collected in the backlog. For each sprint, a selection of requests is made, based on business value, urgency, ease of implementation, customer requirements, and so on. If a feature or requirement is too complex or will take too long to implement, it may be broken down into smaller pieces and implemented over a series of sprints. Test results from previous sprints are fed back into the next sprints to facilitate continuous improvement while sprints are being performed.
So where do things go wrong?
Traditional security assumes that:
These assumptions do not hold up in an agile environment.
Arthur Donkers, 1Secure (arthur@1secure.nl), Pascal de Koning, i-to-i (p.de.koning@i-to-i.nl).
The mismatch between traditional security management and agile development is caused, among other things, by the usual way of working within security management. Standards and frameworks with a top-down approach are commonly applied here: first there must be a policy and an organization must be set up, then the procedures must be drawn up, and finally a collection of generic technical measures is devised. And only once all of that has been 'arranged' can projects make use of the services of security management.
In a series of articles and blog posts, the authors want to help bring agile and security closer together.
The first article, with an introduction, can be found here.