
Embedding Security into Agile Development

Ten principles for rapid improvement

In a world driven by digital transformation, the advantages of agile development are clear. It enables organisations to adapt to ever-changing business requirements and accelerates the delivery of products, services, and applications. However, agile development methods do not always explicitly contemplate the need for information security, even though security should be at the forefront. The speed and frequency of application development present unnecessary opportunities for exploitation by cyber attackers, particularly if the software development lifecycle is not security focused.

86% of organisations have adopted agile software development, emphasising the need for security to be immersed in the process.

Underpinning each of the ten agile security principles is a set of practical considerations to be actioned by relevant stakeholders at different stages of the agile process.
The ten agile security principles:

1 Define roles and responsibilities
2 Invest in skills and training
3 Apply an information risk management process
4 Specify security requirements using the developers’ format
5 Conduct threat modelling
6 Employ secure programming techniques
7 Perform independent security reviews
8 Automate security testing
9 Include security in acceptance criteria
10 Evaluate security performance

Agile programme management actions

These tasks set the overarching parameters for securing agile development. Typically undertaken by project sponsors and senior security managers, such as CIOs and CISOs, a commitment to these actions has the advantage of showing support from the top levels of the organisation.

Agile project management actions

Designed to build security into day-to-day operations, these actions are carried out by those with specialist project management or security expertise, such as information security managers and project managers.

Agile iteration actions

Performed by software developers and information security practitioners at the more detailed level of application development, these tasks relate to how the code is written, reviewed, tested and implemented.

The modern business environment is more demanding than ever. To meet customer expectations, maintain a competitive edge and realise business opportunities, organisations must continuously refine their processes. With efficiency and flexibility ranking as key measures of business success, organisations have jettisoned traditional development approaches in favour of agile ways of working.
Getting started

Fresh thinking and new attitudes are required to successfully integrate security into agile ways of working. Selecting and assigning actions from the ISF ten agile security principles puts organisations in the best position to rapidly improve the secure development of their applications.

As each agile development project progresses, the ongoing evaluation of security performance is integral to improvement – this is covered by Principle 10.

[Figure: how each principle is presented in the report. Each principle page shows the principle title; the project stages at which the principle primarily applies; specific considerations for project sponsors, senior IT and information security leaders (e.g. CIOs and CISOs); specific considerations for agile project management teams (e.g. IT managers and information security practitioners); and specific considerations for software developers and other members of the project team.]
Where next?

Organisations should also consider the ISF resources related to this report, including:

Using Cloud Services Securely: Harnessing the core controls (ISF report)
Securing Containers: Keeping pace with change (ISF briefing paper)
Standard of Good Practice for Information Security 2022 (SOGP) (ISF tools and methodologies)
ISF Information Risk Assessment Methodology 2 (IRAM2) (ISF tools and methodologies)
Threat Intelligence: React and prepare (ISF report)
ISF Services: for more information, contact services@securityforum.org
Contact

For further information contact:
Steve Durbin
Chief Executive
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953800
steve.durbin@securityforum.org
securityforum.org

About the ISF

The ISF is a leading authority on information security and risk management. A not‑for‑profit organisation, we provide independent opinion and guidance on all aspects of information security. We deliver practical solutions to overcome the wide‑ranging information security and risk management challenges that impact business.

Disclaimer

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

Information Security Forum ©2023 Information Security Forum Limited | Classification: Public, no restrictions | Prepared: June 2023
