https://github.com/OpenSecuritySummit/oss2019

title        : Agile Practices for Security Teams
type         : working-session
topics       : ["Agile"]
featured     : yes                   # if  "yes" review with summit team
when_day     : Tue
when_time    : PM-1
room_layout  :                    #
room_id      : room-3
session_slack: https://os-summit.slack.com/messages/CAU62737S
status       : done
organizers   : Ante Gulam
track        : DevSecOps
participants :
description  : Agile Practices for Security Teams

Until recently, cyber security was often considered as “nice to have” in the software development lifecycle. However, due to several data breaches that hit the headlines, more and more dev teams are now starting to incorporate security practices in their processes. Considering how agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.

Why

Agile practices have been around for quite some time now and a lot of organisations incorporate Agile practices into their daily operations. This working session will discuss how security teams can utilise these Agile practices to improve their position and make their operational side more productive. Early delivery, a synonym of Agile, is one of the biggest challenges for info-sec, but using some Agile practices could enable security teams to integrate more effectively within their organisations.

What

• Agile and its practices

• Security adoption of Agile

• Architecting security for early delivery

• Situational awareness in Agile environments

• Optimising Agile SDLC security

Outcomes

A Draft List of Agile Security Practices

Synopsis and Takeaways

The following categories highlight some of the key activities of an agile security team:

Education

• Define and deliver security training programmes

Communication

• Security team to be visible, present at standups, available

• Connect dev to production

• Empower security champions

Standardisation and Compliance

• Own strong guidelines, e.g. data classification, regulatory, compliance

• Two tier security standards? mandatory, depend on risk/sensitivity etc

• Library of standard stories

Support

• Technical support

• Help create security user stories, personas, anti-personas, patterns

• Culture of "security is not to say no, but to help"

• Testing

• Automation is needed for CI/CD e.g. tool to track 3rd party licenses

• "Development enablement tribe"

Governance/Control

• Project initiation touch point to define "gates"

• Prioritisation of involvement based on risk assessment, lifecycle stage

• Define "done"

• 3rd party maturity assessment

• Internal compliance checks

• Centralised tracking in primary colours

• Security team KPIs

• Security organisation has to be separate from development

• Monetary value on risks helps prioritisation

• Risk acceptance/escalation process

Engineering

• Bring in shared security solutions such as WAF- engineering effort

Practices

• Perhaps agile not applicable, more lean/kanban

• View security as functions, not people - resourcing can change but functions don't

• Don't be a blocker to agile, e.g. in operational approvals

• "Security team as a service"

• Struggle to manage BAU and hence forecasting: separate functions

• Need visibility of project portfolio

• Separation of duty can be a constraint

Who

The target audience for this Working Session is:

• Developers

• Security professionals

• DevSecOps

• Security champions

Working materials

Here are the current 'work in progress' materials for this session (please add as much information as possible before the sessions):

OWASP Proactive Controls

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/Agile-AppSec/Agile-Practices-for-Security-Teams.html