Loading ...
Sorry, an error occurred while loading the content.

159166Re: [XP] Re: Agile in Secure Software development

Expand Messages
  • Keith Ray
    Aug 20, 2014
    • 0 Attachment
      Some agile teams use Personas to represent their users and the different kinds of stories those users want. For security software, you may want to have one or more "black-hat" personas representing people who are trying to break the software.

      Stories for the black-hat should result in their failure to break in, and notifications (where appropriate) given to the user(s) responsible for the system's security.

      Story tests may include attempt to mimic DoS attacks, brute-force password guessing, and so on.

      Does this help?

      --
      C. Keith Ray
      * (650) 533-6535
      * Resume available on request. 




      On 2014 Aug 20, at 10:23 AM, George Dinwiddie lists@... [extremeprogramming] <extremeprogramming@yahoogroups.com> wrote:



      On 8/20/14 12:43 PM, schmonz-web-yahoo@... [extremeprogramming] 
      wrote:
      > [List moderators: Even when I'm quite sure my From: header matches my subscribed address, Yahoo tells me I'm not subscribed and can't post. Pretty sure this used to work. Posting via the group's web interface now. Mail me me privately if you need more details.]
      >
      > On Wed, Aug 20, 2014 at 08:51:52AM -0700, bjoseph866@... [extremeprogramming] wrote:
      >
      >> My company is interested in implementing Agile, but we can't
      >> seem to figure out how to also incorporate security software
      >> development. In essence, we need some best practices on how to
      >> incorporate secure software development procedures into Agile.
      >
      > Some handwavy, context-free thoughts:
      >
      > A design is secure iff it has accounted for all important functional
      > and "non-functional" (hate that term) "requirements" (that one too)
      > -- of which you can never be 100% sure.
      >
      > A security hole is a bug, avoidable in the same ways bugs are
      > avoidable -- and equally incompletely avoidable.

      Yes, many can be represented as User Stories.

      Other aspects can be treated the same way as performance and usability 
      testing, e.g., test early and often. Watch the trends over time.

      - George

      >
      > When mistakes of any kind (design, implementation, testing, etc.)
      > are likely to have security implications, it's even more important
      > to arrange for the work process to highlight mistakes ASAP.
      >
      > If you're relying on the team to make decisions which are likely
      > to have security implications, you may want to offer training in
      > the kind of practical knowledge and critical thinking required to
      > make the decisions well.
      >
      > If your company can be sunk by one sufficiently bad security decision,
      > you may want to involve security experts early and often in your
      > development process. You may already be doing so!
      >
      > More context would help, if you can offer it. Which aspects of
      > security is your company most concerned with? What practices and
      > procedures have you been employing to address those concerns? How
      > effective have they been? What now motivates the interest in Agile?
      >
      > - Amitai

      -- 
      ----------------------------------------------------------
      * George Dinwiddie * http://blog.gdinwiddie.com
      Software Development http://www.idiacomputing.com
      Consultant and Coach http://www.agilemaryland.org
      ----------------------------------------------------------


    • Show all 8 messages in this topic