
Project management experience security in agile 1309


Presented at the inaugural DevSecOps - London Gathering 13 Sept 2017.


Slide 1: Security in Agile Delivery
Case Study: A Project Manager's Experience with Delivering Agile Projects within the Financial Industry. Mobile Banking Lessons Learnt review.
Emma Balfe, 13/09/2017

Slide 2: Security in Agile Delivery: Project Manager's view
Case study taken from the recent Mobile Banking release.
• Release working environment:
  – Security Architecture SME input limited
  – Frequent product releases (monthly)
  – Short lead time for dynamic feature changes; quick to market is a key principle
  – Security testing at the end of the development cycle
  – External code review and penetration testing carried out later, during the Business Release stage
  – Developers building to secure coding principles
• Key findings and challenges:
  – Difficulty adding security requirements into Agile user stories; the focus is on developing the customer user experience with new features or fixing defects
  – Difficulty mapping NFRs (non-functional requirements) to feature-driven user stories
  – Lack of Security Architect input and SME visibility during sprints; sprint reviews and 'show and tells' focus more on usability and on demonstrable NFRs such as performance, and security features are less attractive to showcase
  – Security testing left too late in the development cycle
  – No standard approach to the security sign-offs, documentation and governance required

Slide 3: Security in Agile Delivery: Project Manager's view
• Key recommendations and lessons learnt:
  – Identify security-sensitive stories as part of sprint planning
  – Through design, ensure Solution Architecture has early sight of the work for security sign-offs; consider which artefacts need to be taken through which governance forums. Is it just the architecture that needs to be endorsed?
  – Bake security requirements into stories
  – Security SME input in code reviews
  – Carry out security testing/validation before signing off a story
  – Early security testing requirements (e.g. SAST or penetration testing) depending on the criticality of the feature; at least 2-3 times through development, plus on the final gold candidate
  – Automate security testing? A future plan; is it feasible to replace human testing?