
Role of Security Analysis in Scrum - Your Thoughts

McGovern, James F (HTSC, IT)
Message 1 of 4, Feb 24, 2006
      Security is not just one of technology and the automated checking of source code. It should be thought of in terms of governance, such that existing code bases trend towards more secure. This notion requires not only that developers do unit testing with automated tools, but also that the tools themselves produce scores and that those scores show how folks are trending based on previous runs.

      Ideally, tools in this space should use a traffic light metaphor, where RED may indicate the logical equivalent of breaking the build and YELLOW may create an automatic entry on the backlog with high priority.

      ---------
      Date: Thu, 23 Feb 2006 10:55:35 -0500
      From: "John Streiff" <john.streiff@...>
      Subject: Role of Security Analysis in Scrum - Your Thoughts

      All,

      I noticed with some interest that the process of building an application using the Scrum method outlined below places security analysis as one of the last activities. I would be interested in knowing if this is commonplace.

      Also, given a 1 to 2 day cycle as this poster indicates, it seems that unless you are using security analysis automation tools, the degree of coverage and the depth of the analysis is compromised. Is this true, or are there other mitigating factors at work here?

      My company is one of several in an emerging market for application security analysis in the early phases of the lifecycle. It would be interesting to know how folks who are engaged in rapid development think about security analysis to ensure your code is free from common pitfalls that may later be compromised.

      John Streiff
      Secure Software, Inc



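As an added illustration of the scoring-and-trending gate described in the message above (example code written for this page, not from the thread or from any tool the posters mention), the following Python script compares two consecutive scan runs, derives a weighted score and a trend, and maps the result onto the RED / YELLOW / GREEN actions: RED fails the build, YELLOW emits backlog entries, GREEN does nothing. The Finding record, the severity names and weights, and the two sample runs are all constructed for the example; a real pipeline would fill the lists by parsing the analysis tool's report.

```python
"""Trend-based security gate for a CI build (added example, not from the thread).

Scan output is reduced to a list of Finding records; a real setup would parse
the tool's report. Severity names, weights and the sample runs are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
BLOCKING = {"critical", "high"}  # a NEW finding at these levels breaks the build


@dataclass(frozen=True)
class Finding:
    rule: str      # e.g. "sql-injection" (hypothetical rule id)
    file: str      # path relative to the repository root
    severity: str  # key of SEVERITY_WEIGHT


def score(findings):
    """Weighted score for one scan run; lower is better."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def diff(previous, current):
    """Multiset difference between two runs, returned as (new, fixed).

    Line numbers are deliberately not part of Finding: a finding that only
    moved because code above it changed must not be reported as 'new'.
    Counters are used so that fixing one of two identical findings counts.
    """
    prev, curr = Counter(previous), Counter(current)
    return curr - prev, prev - curr


def gate(previous, current):
    """Map the change between two runs onto a traffic light.

    RED    : at least one new critical/high finding  -> fail the build
    YELLOW : new lower-severity findings              -> file backlog items
    GREEN  : nothing new (score can only stay or fall) -> pass
    """
    new, fixed = diff(previous, current)
    if any(f.severity in BLOCKING for f in new):
        light = "RED"
    elif new:
        light = "YELLOW"
    else:
        light = "GREEN"

    prev_score, curr_score = score(previous), score(current)
    trend = ("improving" if curr_score < prev_score
             else "flat" if curr_score == prev_score else "worsening")

    backlog = []
    if light == "YELLOW":
        # worst new findings first; each becomes a high-priority backlog item
        ordered = sorted(new.items(),
                         key=lambda kv: -SEVERITY_WEIGHT[kv[0].severity])
        backlog = [{"title": f"{f.rule} in {f.file}", "priority": "high", "count": n}
                   for f, n in ordered]

    return {
        "light": light,
        "score": curr_score,
        "previous_score": prev_score,
        "trend": trend,
        "new": sum(new.values()),
        "fixed": sum(fixed.values()),
        "backlog": backlog,
    }


def exit_code(result):
    """Return value for the CI step: only RED breaks the build."""
    return 1 if result["light"] == "RED" else 0


# Constructed sample data: two consecutive scans of the same repository.
PREVIOUS_RUN = [
    Finding("sql-injection", "app/orders.py", "high"),
    Finding("hardcoded-secret", "app/config.py", "medium"),
    Finding("weak-random", "app/tokens.py", "medium"),
    Finding("weak-random", "app/tokens.py", "medium"),
]
CURRENT_RUN = [
    Finding("sql-injection", "app/orders.py", "high"),  # still open, not new
    Finding("weak-random", "app/tokens.py", "medium"),   # one of the two fixed
    Finding("path-traversal", "app/export.py", "low"),   # new, low severity
]

if __name__ == "__main__":
    result = gate(PREVIOUS_RUN, CURRENT_RUN)
    print(result["light"], result)
    raise SystemExit(exit_code(result))
```

On the sample data the run is YELLOW: the score improves from 11 to 8, but the new low-severity finding still lands on the backlog. Adding a new high-severity finding to the current run flips the gate to RED, and re-running with unchanged results is GREEN. The ratchet works because the comparison is against the previous run rather than an absolute threshold, so a legacy code base can start with a large backlog yet still fail the build the moment a developer introduces a new serious finding.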