Agile Development for Application Security Managers
Downloaded from: Quotium.com on February 11, 2022
Quotium are the vendors of a 'run-time code & data analysis application security testing solution for the software development life-cycle', called Seeker.
This booklet explains the Agile way of working with a non-development manager in mind. Medium quality, in my opinion. It is moderately suitable for distribution to them in a company setting.
Relevant ISO 27001 clauses/controls:
Related:
Achieving Application Security in Agile
Weave security thinking into the Agile process. Adding it on later will be less secure, more costly and will probably not get enough attention because of release deadlines.
The author(s) state that, to be successful, you have to use Agile's own principles when implementing application security.
Define Clear Objectives and Requirements
Answering the following questions for (with?) the developers is a good first step in defining the requirements:
- What are the specific areas of focus in developing securely and testing for security?
- What security standards should the development team strive to meet or exceed? (This could be industry standards like OWASP, PCI-DSS, internal organization requirements or something else)
- How often should developers test for security and who is responsible for doing these tests?
- Do these tests replace periodic penetration tests and security audits, or are they used alongside these testing methods?
Integrate with the developer's processes and tools
- Include security tickets in the existing ticketing / bug tracking / task management software.
- Accommodate frequent code changes: don't use testing tools or methods that take a long time to run or require manual interpretation of results.
- Create security stories: requirements are specified in the form of user stories.
Help Create an Agile Application Security Workflow
Answer these questions:
- Who should run security testing: should each developer run it on their own code, or should one QA member be responsible for security testing?
- How often should security tests be performed – should they be on every piece of code or after integration?
- Who should the results be delivered to? Development or security?
- Who is responsible for signing off?
Provide a training program for developers.
Have the principle of continuous improvement also apply to the Secure Development program.
-> Where is the Review / Lessons Learned part, which is essential in the Agile cycle? -> Where is the Definition of Done?