Booz Allen Hamilton and Client proprietary and business confidential
SECURE AGILE DEVELOPMENT
A TRANSFORMATIVE APPROACH
TO SECURE SYSTEMS DELIVERY
MEET OUR PRESENTERS
MARC MURPHY
A Vice President in our Systems Delivery Group, Marc is an expert in Agile software development services, ERP, and AWS cloud operations. Prior to joining Booz Allen, Marc served as CEO of SPARC, where he oversaw all business and operations conducted in concert with several Department of Defense contracts. He was also formerly a partner in Deloitte's DoD/Federal group, and served as an Officer in the U.S.

BOB WILLIAMS
A Chief Scientist at Booz Allen, Bob is a leader, architect and hands-on engineer specializing in building application frameworks and development platforms, as well as building teams and architecting scalable, robust, data-intensive systems in compliance with FIPS, NIST and OWASP guidance. Prior to joining Booz Allen, Bob served as the CTO for SPARC, where he provided vision, strategy and direction to the

RYAN SKOUSEN
A Chief Engineer at Booz Allen, Ryan leads the development and maintenance of a DoD Big Data analytic platform focused on exploitation of unstructured data under the Joint Improvised-Threat Defeat Agency (JIDA). Ryan's experience ranges from software development, Linux systems administration and big data management to information security and Certification and Accreditation under both RMF and ICD 503. Ryan applies these disciplines to deliver mission-focused, operational systems to the field.
How can we adopt modern
and transform a federal
agency’s delivery model
information assurance and
system security controls?
THREE PILLARS OF SECURE AGILE
When developing any system, security requirements and controls cannot be segmented from the technical requirements. The team needs a deep understanding of how the security requirements complement the capability requirements of the system under development.

Expertise in how security is incorporated, tested, and monitored as part of DevOps methods (continuous deployment, infrastructure as code, containerization, continuous diagnostic monitoring) is critical to increasing velocity with confidence.

A deliberate organizational change approach, led by experienced professionals, is required to transform an agency's delivery model; this is the difference between "Doing Agile" and "Being Agile".
CHECKLIST: SECURE AGILE
Is security talent embedded within teams, and is each team member, from developer to security professional, "security intelligent"?
Are software security fundamentals implemented, such as user authentication, access controls, and protection against known attack vectors?
Does the development team understand current and impending regulatory security requirements (e.g. Risk Management Framework, ICD 503, DISA STIG, US-CERT)? Have these requirements been captured as technical stories and applied to sprints?
Does the development team understand agency-specific SDLC governance models (e.g. VA's Veteran Integration Process, DoD 5000) and how modern methods and tooling can be leveraged to meet these requirements with agility?
CHECKLIST: SECURE AGILE
Are automated security scans included as part of Continuous Integration for each code commit, providing a transparent, real-time view of the security posture?
Does your security strategy address the entire technology stack, including secure containers, the network, firewalls and the operating system, for vulnerabilities?
Have automated security test scripts been developed and executed to verify security features such as authorization, authentication, field-level validation, and PII/PHI compliance?
Are security components such as the perimeter firewall and Intrusion Detection / Prevention System (IDS/IPS) provisioned and configured under the same model (versioned, automated, repeatable) as application servers?
As part of the DevOps process, is dynamic network monitoring in place to actively discover vulnerabilities or active attacks?
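The per-commit security scan the checklist asks for, shown as an added example rather than code from the deck or from any Booz Allen project: a small Python gate that a CI job would run against the files a commit touches, with a constructed changeset standing in for the real diff. The rule set, the fixture-path allow-list and the `# nosec` suppression marker (the convention bandit uses) are assumptions for illustration and cover only a tiny fraction of what a maintained scanner such as gitleaks or bandit checks; the point is that the gate runs on every commit, fails the build, and reports findings in a form an information radiator can display.

```python
"""Per-commit security gate of the kind a CI job runs on every push.

Added example, not code from the deck or from any Booz Allen project.
The rule set and the sample changeset are constructed for illustration.
"""
import re
import sys

# (rule id, pattern, description). Hypothetical rules; a real gate delegates
# to a maintained scanner and keeps a list like this only for local policy.
RULES = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS access key id"),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "private key material committed"),
    ("hardcoded-password", re.compile(r"""(?i)password\s*[=:]\s*["'][^"']{4,}["']"""),
     "password literal in source"),
    ("tls-verify-off", re.compile(r"(?i)\bverify\s*=\s*False\b"), "TLS verification disabled"),
    ("debug-on", re.compile(r"\bDEBUG\s*=\s*True\b"), "debug mode enabled"),
]

# Findings under test fixtures are expected; suppress them by path (assumption).
FIXTURE_PATH_RE = re.compile(r"(^|/)(tests?|fixtures)/")
SUPPRESS_MARKER = "# nosec"   # same convention bandit uses; reviewed in code review


def scan_file(path, text):
    """Return findings for one file as (path, line_no, rule_id) tuples."""
    if FIXTURE_PATH_RE.search(path):
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if SUPPRESS_MARKER in line:
            continue
        for rule_id, pattern, _ in RULES:
            if pattern.search(line):
                findings.append((path, line_no, rule_id))
    return findings


def scan_changeset(files):
    """files maps path -> content of every file the commit touched."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return sorted(findings)


def gate(files):
    """Pipeline exit status: 0 when clean, 1 when any finding blocks the merge."""
    return 1 if scan_changeset(files) else 0


def report(findings):
    """One line per finding, suitable for a build log or information radiator."""
    descriptions = {rule_id: desc for rule_id, _, desc in RULES}
    return ["%s:%d: %s (%s)" % (p, n, descriptions[r], r) for p, n, r in findings]


# Constructed changeset standing in for the commit's changed files and contents.
SAMPLE_COMMIT = {
    "app/config.py": "DEBUG = True\nDB_PASSWORD = 'hunter2-prod'\n",
    "app/client.py": "import requests\nr = requests.get(url, verify=False)\n",
    "app/safe.py": "password = os.environ['DB_PASSWORD']\n",
    "deploy/keys.txt": "AKIAIOSFODNN7EXAMPLE\n-----BEGIN RSA PRIVATE KEY-----\n",
    "tests/fixtures/creds.py": "password = 'not-a-real-secret'\n",
}

if __name__ == "__main__":
    for line in report(scan_changeset(SAMPLE_COMMIT)):
        print(line)
    sys.exit(gate(SAMPLE_COMMIT))
```

Run as a CI step, the non-zero exit from `gate` is what turns a finding into a failed build; `app/safe.py` passes because the password comes from the environment rather than a literal, and the fixture under `tests/` is suppressed by path so the gate does not train developers to ignore it.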
CHECKLIST: SECURE AGILE
Is the process of defining, implementing and monitoring security an iterative cycle throughout the development and maintenance lifecycle of the software? Is the team providing constant feedback, re-evaluation, maturation and evolution of secure software?
Is the project employing Agile coaching to drive organizational or project-level change?
Have appropriate organizational resources been allocated to sponsor, measure, and reinforce the implementation of security standards as part of Agile development activities?
Is the delivery team addressing security concerns as part of traditional Agile ceremonies and practices (e.g. stand-ups, release planning, information radiators, story elicitation)?
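The automated security tests the checklists ask for (authorization, authentication, field-level validation, PHI handling), written as the acceptance tests for the technical stories a sprint would carry and re-run in CI on every commit. This is an added example, not code from the deck or from any Booz Allen project; the roles, the patient-record layout, the allow-list patterns and the sample record are hypothetical and constructed for illustration.

```python
"""Security acceptance tests for a sprint's security stories.

Added example, not code from the deck or from any Booz Allen project.
Roles, record layout, validation rules and the sample record are constructed.
"""
import re
from dataclasses import dataclass

ALL_FIELDS = {"patient_id", "name", "dob", "ssn", "diagnosis"}
PHI_FIELDS = {"dob", "ssn", "diagnosis"}   # constructed PHI set for the example

# Role -> fields that role may read. Clerks handle scheduling and never see PHI.
ROLE_FIELD_ACCESS = {
    "clinician": ALL_FIELDS,
    "clerk": {"patient_id", "name"},
}

# Allow-list validators; a value that does not match is rejected before storage.
FIELD_RULES = {
    "patient_id": re.compile(r"[0-9]{1,10}"),
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}"),
    "dob": re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"),
    "ssn": re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}"),
    "diagnosis": re.compile(r"[A-Za-z0-9 ,.()-]{1,200}"),
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    authenticated: bool


class AccessDenied(Exception):
    pass


def read_record(session, record):
    """Return only the fields of `record` that the session's role may read.

    Unauthenticated sessions and unknown roles are refused (fail closed);
    fields outside the allow-list are dropped rather than masked, so a
    response can never carry PHI the caller is not entitled to.
    """
    if not session.authenticated:
        raise AccessDenied("authentication required")
    allowed = ROLE_FIELD_ACCESS.get(session.role)
    if allowed is None:
        raise AccessDenied("unknown role: %r" % session.role)
    return {k: v for k, v in record.items() if k in allowed}


def validate_input(fields):
    """Field-level validation. Returns (field, reason) problems; empty means accepted."""
    problems = [(f, "unexpected field") for f in sorted(set(fields) - ALL_FIELDS)]
    for name, pattern in FIELD_RULES.items():
        value = fields.get(name)
        if value is not None and not pattern.fullmatch(str(value)):
            problems.append((name, "fails allow-list pattern"))
    return problems


# Constructed sample record used by the stories below.
RECORD = {"patient_id": "42", "name": "Ada Lovelace", "dob": "1815-12-10",
          "ssn": "123-45-6789", "diagnosis": "Hypertension"}


def run_security_stories():
    """Map of security story -> whether its acceptance test passed."""
    results = {}
    clinician = Session("dr_a", "clinician", True)
    clerk = Session("clerk_b", "clerk", True)
    anon = Session("", "clinician", False)   # claims a role but never authenticated

    # Story: unauthenticated requests are refused regardless of claimed role.
    try:
        read_record(anon, RECORD)
        results["auth_required"] = False
    except AccessDenied:
        results["auth_required"] = True

    # Story: a clerk's view contains no PHI field; a clinician sees the full record.
    results["clerk_sees_no_phi"] = not (PHI_FIELDS & set(read_record(clerk, RECORD)))
    results["clinician_sees_record"] = read_record(clinician, RECORD) == RECORD

    # Story: an unknown role fails closed instead of defaulting to some access.
    try:
        read_record(Session("x", "auditor", True), RECORD)
        results["unknown_role_denied"] = False
    except AccessDenied:
        results["unknown_role_denied"] = True

    # Story: injection-style input in a free-text field is rejected at the field level.
    bad = dict(RECORD, name="Robert'); DROP TABLE patients;--")
    results["injection_rejected"] = ("name", "fails allow-list pattern") in validate_input(bad)

    # Story: a malformed SSN and an unexpected (privilege-looking) field are both reported.
    bad = dict(RECORD, ssn="123456789", is_admin="true")
    results["bad_ssn_and_extra_field"] = validate_input(bad) == [
        ("is_admin", "unexpected field"), ("ssn", "fails allow-list pattern")]

    # Story: well-formed input is accepted.
    results["valid_input_accepted"] = validate_input(RECORD) == []
    return results


if __name__ == "__main__":
    for story, ok in run_security_stories().items():
        print("%-26s %s" % (story, "PASS" if ok else "FAIL"))
```

Each key in the result map is one security story from the backlog, so the output doubles as the evidence trail for the corresponding control (authentication, role-based authorization, input validation, PHI minimization) and can be fed to an information radiator alongside the functional test results.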
AUDIENCE Q & A
READ THE FULL WHITE PAPER
Interested in what you heard today? Read the full white paper
on Secure Agile Development. You’ll receive this after today’s
STAY TUNED FOR OUR PODCASTS
In the coming weeks, we’ll be releasing a series of
podcasts focused on topics related to Secure Agile
Development including tools and policy.
CHECK OUT OUR OTHER SYSTEMS DELIVERY HIGHLIGHTS
Visit www.boozallen.com/systemsdelivery to learn more about our
approach to systems delivery and viewpoints on other technology topics.