Joint Practices for Security in Agile Development

Started in December 2020

Agile and DevOps have brought software development and testing together in a lesser formalized, and more collaboration driven, way of working and introduced the use of CI/CD (Continuous Integration/Continuous Development) pipelines.

https://pcsi.nl/uploads/projects/joint-practices-for-security-in-agile-1920px.jpg

CI/CD pipelines facilitate continuous release of functionalities in short lead times, but have also opened the door to continuous vulnerabilities. This means that it is easier to inject vulnerabilities in the code when security testing in a CI/CD pipeline is not done properly.

The "Joint Practices for Agile" project team worked on the validation of the question: "How can Agile secure development be assured?" 

Project results

Activities in Explore phase
Security experts from ABN AMRO, Achmea, ING and TNO looked together at the landscape of existing DevSecOps Communities, shared information on how each PCSI partner manages their own DevSecOps, and shared insights on the challenges they encounter. For example how to ensure a continuous high level of engagement of security experts and security champions at all times. 

Conclusion at the end of the Explore phase
The team came to the conclusion that participating in the activities of a DevSecOps community can be one of the best ways of guaranteeing a high level of engagement. Although several excellent DevSecOps communities already exist, the project team realized that no community offers a level of consolidated and confidential collaboration among Financial Organizations, comparable with what already exists within the PCSI framework. 

Proof of Concept phase & Pilot phase
The added value of the PCSI framework was the driver for pitching the idea of creating of a PCSI DevSecOps Community in the PoC phase of the project. Within the PCSI DevSecOps Community, experts and security champions from any of the PCSI core partner organizations had the chance to experience and collaborate on DevSecOps themes beyond the border of their own organization. The community meetings saw the participation of security experts from ABN AMRO, Achmea, ING, and TNO. Three topics were discussed across a series of six meetings in total: "Security Champions and how to engage them", and the security testing principles "SAST" and "DAST". During the Proof-of-Concept & Pilot phase, the community building for SecDevOps proved itself as a very good idea, capable of addressing an obvious need, and worth trying to exploit out of the PCSI process.

Exploit phase - Final result
In the exploit phase we have drafted and implemented a self-sustaining governance, as well as a communication platform, whose ultimate goal is to let the PCSI DevSecOps Community, created within this project, into an independent and self-supporting community open for all present and future core partners of the PCSI program. 
 

Links

This project is part of the trend

27 Opportunity and threat February 2022

Increasing use of agile software development

The waterfall methodology for software development is increasingly making room for the agile methods to software development. Agile methods promote iterative development (as opposed to linear development in the waterfall methodology), self-organizing cross-functional teams, and shorter development-testing-support cycles (e.g. CI/CD, DevOps). This impacts how security should be addressed by design. Elements here are transferring security responsibility to the agile teams, education, automation etc.
Beeldmerk PCSI
PCSI is a collaboration of
    ABN-AMRO Achmea ASML Belastingdienst ING TNO Volksbank
This project is co-funded by Holland High Tech with a PPP Grant for Research and Innovation in Top Sector HTSM ® 2022 Partnership for Cyber Security Innovation