Joint Practices for Security in Agile
Started in December 2020
Agile and DevOps have brought software development and testing together in a less formalized, more collaboration-driven way of working and introduced the use of CI/CD (Continuous Integration/Continuous Development) pipelines.
CI/CD pipelines make it possible to release functionality continuously with short lead times, but they have also opened the door to continuous vulnerabilities: when security testing in a CI/CD pipeline is not done properly, it becomes easier for vulnerabilities to be introduced into the code and shipped along with each release.
The "Joint Practices for Agile" project team worked on the validation of the question: "How can Agile secure development be assured?"
Activities in the Explore phase: security experts from ABN AMRO, Achmea, ING and TNO looked together at the landscape of existing DevSecOps communities, shared information on how each PCSI partner manages their own DevSecOps, and shared insights on the challenges they encounter, for example how to ensure a continuously high level of engagement of security experts and security champions at all times.
Conclusion at the end of the Explore phase: the team concluded that participating in the activities of a DevSecOps community can be one of the best ways of guaranteeing a high level of engagement. Although several excellent DevSecOps communities already exist, the project team realized that no community offers a level of consolidated and confidential collaboration among financial organizations comparable with what already exists within the PCSI framework.
This added value of the PCSI framework was the driver for pitching the idea of creating a PCSI DevSecOps Community in the PoC phase of the project. Within the PCSI DevSecOps Community, experts and security champions from any of the PCSI core partner organizations will have the chance to experience and collaborate on DevSecOps themes beyond the borders of their own organization. First themes could be security testing in CI/CD pipelines and metrics for assessing the impact and benefits of security-related activities in DevSecOps.
This project is part of the trend
Increasing use of agile software development
The waterfall methodology for software development is increasingly making room for agile ways of software development. Waterfall is a linear, sequential life cycle model in which security can be structurally addressed at a formal stage gate. Agile methods promote iterative development, self-organizing cross-functional teams, and shorter development-testing-support cycles (e.g. CI/CD, DevOps). This requires a whole new way of working and totally different timelines for addressing security by design. Elements here are transferring security responsibility to the agile teams, education, automation, etc.