Recently, Ryan O’Boyle and I hosted the webinar “Building Security Into the Agile SDLC: View From the Trenches”. We would like to take a minute to thank all those who attended the live broadcast for submitting questions. There were so many questions from our open discussion following the webinar that we wanted to take the time to follow up and answer them. So without further ado, the Q&A.
Q. Did using JIRA give you greater visibility?
Q. Was the Kanban team a dedicated security team or was it just a team performing in a different way?
Q. Do you recommend we have security training and expect security requirements coming from those writing stories/reqs, or would that all be on the Scrum team?
Q. Can a Technical Lead/Scrum Master play Security Engineer Role if they have security background?
Q. How did you ensure test strategy, test plan, and security considerations are still correct when the stories are constantly being added or modified during the sprints?
Q. What threat modeling tools do you use? Do you use any risk analysis/assessments to shape how you develop security requirements and their priorities?
Q. Outside of reviewing every user story, how do you ensure you don't miss things?
Q. Did you guys make security requirements as part of Definition of Done of user stories?
Q. So for any security testing, are the results ever sent directly back to the contributing developer? Or are the security test results always reviewed first by SMEs to triage/prioritize?
Q. Do you see any process changes for security testing?
That is all we have time for at the moment, but check back next week for the second half of our Agile SDLC Q&A. In the meantime, if you found the Agile Security webinar useful, consider registering for the webinar by Peter Chestna, Veracode's director of platform engineering: "Secure Agile Through An Automated Toolchain: How Veracode R&D Does It". In this technical webinar, Peter will share how we've leveraged Veracode's cloud-based platform to integrate application security testing with our Agile development toolchain (Eclipse, Jenkins, JIRA) -- and why it's become essential to our success.