Recently, Ryan O’Boyle and I hosted the webinar “Building Security Into the Agile SDLC: View From the Trenches”. We would like to take a minute to thank all those who attended the live broadcast for submitting questions. There were so many questions from our open discussion following the webinar that we wanted to take the time to follow up and answer them. So without further ado, the Q&A.

Q. Did using JIRA give you greater visibility?

Ryan: Standardizing on one tool for tracking development work across all development teams, and using the same tool to track the security reviews gave both us and the development teams improved visibility.

Q. Was the Kanban team a dedicated security team or was it just a team performing in a different way?

Ryan: Just a team performing in a different way. This meant that while we had developed our core process around Scrum teams, we had to find a similar way to integrate with a new team operating with a different process.

Q. Do you recommend we have security training and expect security requirements coming from those writing stories/reqs or would that all be on the SCRUM team?

Ryan: In our process, the Security Architect is responsible for working with the Product Owner to define security-related Acceptance Criteria or entire stories. As those participating in security grooming gain familiarity and certain patterns emerge, they can write them as well. I would recommend security training for everyone involved.

Q. Can a Technical Lead/Scrum Master play Security Engineer Role if they have security background?

Chris: Yes, though I think you want to be careful of putting too many responsibilities on the Scrum Master. A Tech Lead can certainly be trained up to pitch in on some subset of the Security Engineer role, such as routine code reviews. This is similar to what we are rolling out with our Security Champions program, except that the Security Champion can be any member of the team. It will take longer for them to develop the expertise and intuition needed to perform tasks like security design reviews or focused penetration testing.

Q. How did you ensure test strategy, test plan, and security considerations are still correct when the stories are constantly being added or modified during the sprints?

Chris: Modifying stories during sprints is a violation of Scrum principles, so if/when this does happen, we try to make sure it is addressed during Retro. Adding stories during sprints can still be challenging in the cases where the story was created on-the-fly. If it was pulled out of backlog, it would already have security criteria attached. However, if it was a "just-in-time" story (e.g. acute customer pain point), we ask the Scrum Masters to inform us ASAP so that we can assess the security needs. In the near future it will be the Security Champion's job to keep an eye out for things like this.

Q. What threat modeling tools do you use? Do you use any risk analysis/assessments to shape how you develop security requirements and their priorities?

Chris: We do not use formal threat modeling tools. At the story level, we are doing light, informal threat modeling focused heavily on protecting against unauthorized access to customer data. We plan to take some steps to formalize this, but we also want to be cautious of creating a bloated process.

Q. Outside of reviewing every user story, how do you ensure you don't miss things?

Chris: We run automated static and dynamic analyses against each release candidate after code freeze. Every once in a while this picks up an implementation issue that might have been missed during code review, so it serves as a nice additional layer of defense. Additionally, we hire external consulting firms to perform a web app penetration test twice a year. All that being said, we'll absolutely miss things. Nothing is perfect. When we do become aware of any security issues that have escaped to production, we take a risk-based approach to determining the urgency of the fix. What's nice is that our deployment process allows us to test and push fixes relatively quickly if an off-cycle patch is needed.

Q. Did you guys make security requirements as part of Definition of Done of user stories?

Ryan: Yes, we consider security a part of our Definition of Done and to that point add and review against specific Acceptance Criteria on stories with security impact.

Q. So for any security testing, are the results ever sent directly back to the contributing developer? Or are the security test results always reviewed first by SMEs to triage/prioritize?

Ryan: Development teams run their own static analysis scans and do the initial review of the results. A security SME will review the results of a later scan that incorporates many developers' work. Code review or pen test findings that result from an in-sprint security review will be communicated back to the developer immediately so they can be addressed.

Q. Do you see any process changes for security testing?

Ryan: Automation, automation, automation.


That is all we have time for at the moment, but check back next week for the second half of our Agile SDLC Q&A. In the meantime, if you found the Agile Security webinar useful, consider registering for the webinar by Peter Chestna, Veracode's director of platform engineering: "Secure Agile Through An Automated Toolchain: How Veracode R&D Does It". In this technical webinar, Peter will share how we've leveraged Veracode's cloud-based platform to integrate application security testing with our Agile development toolchain (Eclipse, Jenkins, JIRA), and why it's become essential to our success.

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (1)

Raghu | February 22, 2016 2:15 am

Please help me understand the difference between Software Requirement Specification Document and Requirement Analysis Document?
