Agile Security & Secure DevOps
The core of secure software development with agile methods is the definition of security requirements and their verification. We distinguish the requirements by their scope. First, project-wide requirements are kept as Secure Coding Guidelines and used as a reference for peer reviews within the scope of pull requests, as well as a reference point for new project members. Second, some tickets need special security properties; this includes important steps in a user's workflow such as login, registration or resetting a forgotten password. Those requirements have to be coordinated with the decision-makers and must be defined in the developers' language.
Ideally, the verification of the requirements happens shortly after the code is completed, e.g. shortly before or after the merge of the feature branch. As a rule of thumb: the project-wide requirements can usually be tested automatically with the help of certain tools, whereas the ticket-based requirements often have to be manually tested.
- architecture and process reviews in the early project phase
- security integration into existing ticket and collaboration workflows
- coordination and definition of security properties on ticket level where appropriate
- planning of manual or (semi-)automated penetration tests, code analyses and security audits and their realisation
- setup of automated security tests and implementation of the technical processes behind them
- support with the adoption of continuous integration and continuous deployment processes