Joint Practices for Security in Agile Development
Started in December 2020
Agile and DevOps have brought software development and testing together in a less formalized, more collaboration-driven way of working, and have introduced the use of CI/CD (Continuous Integration/Continuous Delivery) pipelines.
CI/CD pipelines make it possible to release functionality continuously with short lead times, but they have also opened the door to continuously introducing vulnerabilities: when security testing in a CI/CD pipeline is not done properly, vulnerable code reaches production just as quickly as any other change.
The "Joint Practices for Agile" project team worked on the validation of the question: "How can Agile secure development be assured?"
Activities in the Explore phase: security experts from ABN AMRO, Achmea, ING and TNO jointly looked at the landscape of existing DevSecOps communities, shared information on how each PCSI partner manages its own DevSecOps, and shared insights on the challenges they encounter, for example how to ensure a continuously high level of engagement from security experts and security champions.
Conclusion at the end of the Explore phase: the team concluded that participating in the activities of a DevSecOps community is one of the best ways of guaranteeing a high level of engagement. Although several excellent DevSecOps communities already exist, the project team found that no community offers a level of consolidated and confidential collaboration among financial organizations comparable to what already exists within the PCSI framework.
Proof of Concept phase & Pilot phase: the added value of the PCSI framework was the driver for pitching the idea of creating a PCSI DevSecOps Community in the PoC phase of the project. Within the PCSI DevSecOps Community, experts and security champions from any of the PCSI core partner organizations had the chance to experience and collaborate on DevSecOps themes beyond the borders of their own organization. The community meetings saw the participation of security experts from ABN AMRO, Achmea, ING and TNO. Three topics were discussed across a series of six meetings in total: "Security Champions and how to engage them", and the security testing principles "SAST" (static application security testing) and "DAST" (dynamic application security testing). During the Proof-of-Concept & Pilot phase, building a DevSecOps community proved to be a very good idea, addressing an obvious need and worth carrying forward beyond the PCSI process.
Exploit phase: in the Exploit phase we will draft and implement a self-sustaining governance model as well as a communication platform, with the ultimate goal of turning the PCSI DevSecOps Community created within the project into an independent and self-supporting community open to all present and future core partners of the PCSI program.
This project is part of the trend
Increasing use of agile software development
The waterfall methodology for software development is increasingly giving way to agile ways of developing software. Waterfall is a linear, sequential life cycle model in which security can be addressed structurally at the formal stage gates. Agile methods promote iterative development, self-organizing cross-functional teams, and shorter development-testing-support cycles (e.g. CI/CD, DevOps). This requires a whole new way of working and completely different timelines for addressing security by design. Key elements here are transferring security responsibility to the agile teams, education, automation, etc.