Developing secure software is a complex and asymmetrical endeavor, since it requires a high level of technical expertise to mitigate the known risks and vulnerabilities of today and to withstand attacks from the unknown threats of tomorrow. The traditional way of securing software is based on thorough threat analysis, extensive capture of the security requirements and detailed planning of the mitigations. This highly formulated approach contradicts, in many respects, the principles of Lean and Agile software development.
In this talk we present a context-sensitive framework of secure software deployment that is based on the principles of Lean development, such as eliminating waste, amplified learning, late decisions and fast deliveries, without making any compromises regarding security. Our approach focuses on providing product owners with detailed information about the impact of threats to products and the cost of mitigations, allowing them to assess and prioritize security items using the same criteria as any other item in their product backlog.
Thoralf J. Klatt, Mario Lischka, Panayotis Kikiras