Welcome to another round of Agile SDLC Q&A. Last week Ryan and I took some time to answer questions from our webinar, "Building Security Into the Agile SDLC: View from the Trenches"; in case you missed it, you can see Part I here. Now on to more of your questions!
Q. What would you recommend as a security process around continuous build?
Q. What if you only have one security resource to deal with app security - how would you leverage just one resource with this "grooming" process?
Q. Your "security champion" makes me think of the "security satellite" from BSIMM; do you have an opinion on BSIMM applicability in the context of Agile?
Q. We are an agile shop with weekly release cycles. The time between when the build is complete and the release is about 24 hours. We are implementing web application vulnerability scans for each release. How can we fix high risk vulnerabilities before each release? Is it better to delay the release or fix it in the next release?
Q. How do you address findings identified from regular automated scans? Are they added to the next day's coding activities? Do you ever have a security sprint?
Q. Who will do security grooming? Development team or security team? What checklist is included in the grooming?
Q. How important to your success was working with your release engineering teams?
Q. How do you handle accumulated security debt?