
159164 Re: Agile in Secure Software development

  • schmonzie
    Aug 20, 2014
      [List moderators: Even when I'm quite sure my From: header matches my subscribed address, Yahoo tells me I'm not subscribed and can't post. Pretty sure this used to work. Posting via the group's web interface now. Mail me privately if you need more details.]

      On Wed, Aug 20, 2014 at 08:51:52AM -0700, bjoseph866@... [extremeprogramming] wrote:

      > My company is interested in implementing Agile, but we can't
      > seem to figure out how to also incorporate security software
      > development. In essence, we need some best practices on how to
      > incorporate secure software development procedures into Agile.

      Some handwavy, context-free thoughts:

      A design is secure iff it has accounted for all important functional
      and "non-functional" (hate that term) "requirements" (that one too)
      -- of which you can never be 100% sure.

      A security hole is a bug, avoidable in the same ways bugs are
      avoidable -- and equally incompletely avoidable.

      When mistakes of any kind (design, implementation, testing, etc.)
      are likely to have security implications, it's even more important
      to arrange for the work process to highlight mistakes ASAP.

      If you're relying on the team to make decisions which are likely
      to have security implications, you may want to offer training in
      the kind of practical knowledge and critical thinking required to
      make the decisions well.

      If your company can be sunk by one sufficiently bad security decision,
      you may want to involve security experts early and often in your
      development process. You may already be doing so!

      More context would help, if you can offer it. Which aspects of
      security is your company most concerned with? What practices and
      procedures have you been employing to address those concerns? How
      effective have they been? What now motivates the interest in Agile?

      - Amitai