Vault restructure
This commit is contained in:
parent
d45797d121
commit
ff77508bd1
1433 changed files with 415450 additions and 1201 deletions
@ -0,0 +1,50 @@
|
|||
[](Agile-development-for-Application-security-managers2.pdf)
|
||||
Downloaded from: [Quotium.com](http://www.quotium.com/content/uploads/2014/02/Agile-development-for-Application-security-managers2.pdf) on February 11, 2022
|
||||
|
||||
|
||||
|
||||
Quotium are the vendors of a 'run-time code & data analysis application security testing solution for the software development life-cycle', called Seeker.
|
||||
|
||||
This booklet explains the Agile way of working with a non-development manager in mind. Medium quality, in my opinion.
|
||||
It is moderately suitable for distribution to them in a company setting.
|
||||
|
||||
Relevant ISO 27001 clauses/controls:
|
||||
- [ISO 27001 A.14.2.1 Secure development policy](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A.14.2.1%20Secure%20development%20policy.md)
|
||||
|
||||
Related:
|
||||
- [DevSecOps and ISO 27k](../🎇%20Sparks/DevSecOps%20and%20ISO%2027k.md)
|
||||
|
||||
# Achieving Application Security in Agile
|
||||
Weave security thinking into the Agile process. Adding it on later will be less secure, more costly and will probably achieve not enough attention because of release deadlines.
|
||||
|
||||
The author(s) state that, to be succesful, you have to use Agile's own principles when implementing application security.
|
||||
|
||||
## Define Clear Objectives and Requirements
|
||||
Answering the following questions for (with?) the developers is a good first step in defining the requirements:
|
||||
|
||||
- What are the specific areas of focus in developing securely and testing for security?
|
||||
- What security standards should the development team strive to meet or exceed? (This could be industry standards like OWASP, PCI-DSS, internal organization requirements or something else)
|
||||
- How often should developers test for security and who is responsible for doing these tests?
|
||||
- Do these tests replace periodical penetration tests and security audits or are utilized alongside these testing methods?
|
||||
|
||||
## Integrate with the developer's processes and tools
|
||||
- Include security tickets in the existing ticketing / bug tracking / taks management software.
|
||||
- Accommodate frequent code changes: don't you testing tools or methods that take a long time to run or require manual interpretation of results.
|
||||
- Create security stories: requirements are specified in the form of user stories.
|
||||
|
||||
|
||||
## Help Create an Agile Application Security Workflow
|
||||
Answer these questions:
|
||||
- who should run security testing, should each developer run on their own code, or maybe have one QA member who is responsible for security testing?
|
||||
- How often should security tests be performed – should they be on every piece of code or after integration?
|
||||
- Who should the results be delivered to? Development or security?
|
||||
- Who is responsible for signing off?
|
||||
|
||||
Provide a training program for developers.
|
||||
|
||||
Have the principle of continuous improvement also apply the Secure Development program.
|
||||
|
||||
**-> Where is the Review / Lessons Learned part, which is essential in the Agile cycle?**
|
||||
**-> Where is the Definition of Done?**
|
||||
|
||||
|
||||
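Review bot: the PDF link at the top of the added note has empty link text, `[](Agile-development-for-Application-security-managers2.pdf)`, so it renders invisibly in most markdown viewers; give it a visible label such as `[Agile development for Application security managers (PDF)](Agile-development-for-Application-security-managers2.pdf)`. The note also carries several typos worth fixing before merge: "succesful", "taks management software", and "don't you testing tools or methods", which is missing its verb (presumably "don't use"). Heading style is inconsistent as well ("Define Clear Objectives and Requirements" is title case while "Integrate with the developer's processes and tools" is sentence case), and the first bullet under the workflow section starts lowercase ("who should run security testing") while its siblings are capitalised.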