Saturday 29 October 2016

Do security reviews every sprint

If you have an agile development environment, you need to implement security procedures and security reviews at the end of every sprint. In the period between the sprint finishing and going live, you need to do a push to get a sense of whether the original threats and issues, that were highlighted in the threat model, were done, or exist, in a verifiable way.

This task shouldn't be done by the central AppSec team.

The target application Security Champion(s) should do this 'smaller' review, in their one-day-a-week allocated AppSec activities. Only asking for help from the central AppSec team when required.

When you create a threat model before the application or feature is build, you will know in advance which apps will need a more in depth security review or analysis. This will depend on the size of the changes, what is being changed, or the assets being handled. This will allow scheduling of the more experienced and knowledgeable AppSec professionals, which can be internal or external entities.

Note that these 'sprint reviews' are not meant to replace a final security push and (when required) pentests (i.e. Application Security assessments)

(from SecDevOps Risk Workflow book, please provide feedback as an GitHub issue)