1. Security in Agile Delivery
Case Study: A Project Manager’s Experience with Delivering Agile Projects within the Financial Industry.
Mobile Banking Lessons Learnt review
Emma Balfe
13/09/2017
2. Security in Agile Delivery: Project Manager’s view
Case Study taken from the recent Mobile Banking release;
• Release Working Environment;
– Limited Security Architecture SME availability
– Frequent product releases (monthly)
– Short lead time for dynamic feature changes – quick to market a key principle
– Security testing at end of development cycle – external code review & pen testing carried out later, during the Business Release stage
– Developers building to secure coding principles
• Key Findings & Challenges;
– Challenges adding security requirements into Agile user stories – focus is on developing the customer user experience with new features or fixing defects
– Difficulty mapping NFRs to feature-driven user stories
– Lack of Security Architect input / SME visibility during sprints; sprint reviews and ‘show and tells’ focus more on usability and demonstrable NFRs, i.e. performance. Security features are less attractive to showcase
– Security testing left too late in the development cycle
– No standard approach for the security sign-offs, documentation and governance required
3. Security in Agile Delivery: Project Manager’s view
• Key Recommendations & Lessons Learnt;
– Determine security-sensitive stories as part of sprint planning
– Through design, ensure Solution Architecture has early sight for security sign-offs; consider which artefacts need to be taken through which governance forums. Is it just the architecture that needs to be endorsed?
– Bake security requirements into stories
– Security SME input in code reviews
– Carry out security testing/validation before signing off a story
– Early security testing requirements (e.g. SAST or penetration testing) depending on criticality of the feature; at least 2-3 times through development + on the final gold candidate
– Automate security testing? Future plan; is it feasible for this to replace human testing?