The Challenge

Creating a Secure Development Lifecycle in an Agile Organization

The process of integrating a secure development lifecycle into the Agile development process can be described by the following high-level steps:

• Put Developers in Charge of Secure Development
  

  At this stage, we help formally define roles and responsibilities around the SDLC process, organize secure coding and code review training, create and maintain secure code review checklists, build the architecture vision taking into account security requirements.

• Implement Continuous Integration Security Practices in the SDLC
  

  During this step, we help you implement automated security tools such as static code analysis and scanners in the build pipeline. We also help define security deliverables such as automated tools reports (before minor releases) and manual penetration test reports (before major releases) as a part of quality gates.

• Adapt, Iterate, and Grow to Keep Security Agile
  

  Next, we help you maintain security awareness, organize knowledge refresh training, security retrospective, and lessons learning sessions, build and maintain a knowledge base.

• Build a Security Culture through the Above Practices
  

  As a result of previous steps, all secure SDLC sub-processes (risk analysis, continuous integration, security vision of the project) and artifacts (code review checklists, code analysis security metrics, vulnerabilities, and threats) become crystal clear, familiar, and easy to follow for everybody involved into SDLC process.

• Build Security Through User Stories
  

  At this stage, user stories are analyzed from the functionality and security perspective. All story’s specific security measures that prevent loss of confidentiality, integrity, and availability of sensitive information are designed based on the existing security architecture vision and consider the results of the risk analysis.