Skip to main content
April 16, 2014

Agile SDLC Q&A with Chris Eng and Ryan O’Boyle – Part II

Welcome to another round of Agile SDLC Q&A. Last week Ryan and I took some time to answer questions from our webinar, "Building Security Into the Agile SDLC: View from the Trenches"; in case you missed it, you can see Part I here. Now on to more of your questions!

Q. What would you recommend as a security process around continuous build?

Chris: It really depends on what the frequency is. If you're deploying once a day and you have automated security tools as a gating function, it's possible but probably only if you've baked those tools into the build process and minimized human interaction. If you're deploying more often than that, you're probably going to start thinking differently about security – taking it out of the critical path but somehow ensuring nothing gets overlooked. We've spoken with companies who deploy multiple times a day, and the common theme is that they build very robust monitoring and incident response capabilities, and they look for anomalies. The minute something looks suspect they can react and investigate quickly. And the nice thing is, if they need to hotfix, they can do it insanely fast. This is uncharted territory for us; we'll let you know when we get there.
Q. What if you only have one security resource to deal with app security - how would you leverage just one resource with this "grooming" process?

Chris: You'd probably want to have that person work with one Scrum team (or a small handful) at a time. As they security groomed with each team, they would want to document as rigorously as possible the criteria that led to them attaching security tasks to a particular story. This will vary from one team to the next because every product has a different threat model. Once the security grooming criteria are documented, you should be able to hand off that part of the process to a team member, ideally a Security Champion type person who would own and take accountability for representing security needs. From time to time, the security SME might want to audit the sprint and make sure that nothing is slipping through the cracks, and if so, revise the guidelines accordingly.
Q. Your "security champion" makes me think to the "security satellite" from BSIMM; do you have an opinion on BSIMM applicability in the context of Agile?

Chris: Yes, the Security Satellite concept maps very well to the Security Champion role. BSIMM is a good framework for considering the different security activities important to an organization, but it's not particularly prescriptive in the context of Agile.
Q. We are an agile shop with weekly release cycles. The time between when the build is complete, and the release is about 24 hours. We are implementing web application vulnerability scans for each release. How can we fix high risk vulnerabilities before each release? Is it better to delay the release or fix it in the next release?

Chris: One way to approach this is to put a policy in place to determine whether or not the release can ship. For example, "all high and very high severity flaws must be fixed" makes the acceptance criteria very clear. If you think about security acceptance in the same way as feature acceptance, it makes a lot of sense. You wouldn't push out the release with a new feature only half-working, right? Another approach is to handle each vulnerability on a case-by-case basis. The challenge is, if there is not a strong security culture, the team may face pressure to push the release regardless of the severity.
Q. How do you address findings identified from regular automated scans? Are they added to the next day's coding activities? Do you ever have a security sprint?

Ryan: Our goal is to address any findings identified within the sprint. This means while it may not be next-day it will be very soon afterwards and prior to release. We have considered dedicated security sprints.
Q. Who will do security grooming? Development team or security team? What checklist included in the grooming?

Ryan: Security grooming is a joint effort between the teams. In some cases the security representative, Security Architect in our terminology, attends the full team grooming meeting. In the cases where the full team grooming meeting would be too large of a time commitment for the Security Architect, they will hold a separate, shorter security grooming session soon afterwards instead.
Q. How important to your success was working with your release engineering teams?

Chris: Initially not very important, because we didn't have dedicated release engineering. The development and QA teams were in charge of deploying the release. Even with a release engineering team, though, most of the security work is done well before the final release is cut, so the nature of their work doesn't change much. Certainly it was helpful to understand the release process – when is feature freeze, code freeze, push night, etc. – and the various procedures surrounding a release, so that you as a security team can understand their perspective.
Q. How to you handle accumulated security debt?

Chris: The first challenge is to measure all of it, particularly debt that accumulated prior to having a real SDLC! Even security debt that you're aware of may never get taken in to a sprint because some feature will always be deemed more important. So far the way we've been able to chip away at security debt is to advocate directly with product management and the technical leads. This isn't exactly ideal, but it beats not addressing it at all. If your organization ever pushes to reduce tech debt, it's a good opportunity to point out that security debt should be considered as part of tech debt.

This now concludes our Q&A. A big thank you to everyone who attended the webinar for making it such a huge success. If you have any more questions, we would love to hear from you in the comments section below. In addition, If you are interested in learning more about Agile Security, you might be interested in this upcoming webinar from Veracode's director of platform engineering. On April 17th, Peter Chestna will be hosting this webinar entitled "Secure Agile Through An Automated Toolchain: How Veracode R&D Does It". In this webinar Peter will share how we've leveraged Veracode's cloud-based platform to integrate application security testing with our Agile development toolchain (Eclipse, Jenkins, JIRA) -- and why it's become essential to our success. Register now!

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.