Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

If we give a security auditing company a working system, and ask them to audit i

ID: 658807 • Letter: I

Question

If we give a security auditing company a working system, and ask them to audit it, and only do that once during a project because it's expensive, this is basically waterfall.

How can security auditing be integrated into an agile project without turning it into a waterfall project, and thereby introducing audit fail risk?

What we want to do is know the detailed security requirements upfront, so that we can create stories for them (and/or integrate them into existing stories), and write automated tests for them which give us some degree of confidence that the security requirements have been fulfilled. This is the agile way.

But the trouble is, if you don't know exactly what the first production deployment is going to look like until soon before deploying to production, because it's an agile project, you can't tell a security auditing company what exactly it's going to look like. So they may tell you "the number of possible vulnerabilities in an arbitrary system is extremely large, so we have to know what it looks like to narrow it down, so come back when you know what it's going to look like, and then we will give you the requirements". In that case, you can't do it in an agile way.

Explanation / Answer

As others have suggested, you can build in stories about security. And I would certainly encourage you to do that.

But if you're talking about an external team coming in and spending several weeks doing an audit ... that, it seems to me, is more about agile than security.

I know that agile places a heavy emphasis on shipping frequently -- after all, how are you going to shorten the feedback cycle if your software isn't in customers' hands? But for many organizations, releasing every 2/3/4 weeks simply isn't a option. Or they have a lengthy QA/QC review process and the QA organization isn't ready to go agile. Or they have other certification requirements (e.g. ISO) which don't fit into the agile lifecycle.

Consequently many agile teams discovered early on that they needed to decouple their releases from their iterations or sprints.
That is, instead of promoting to production, you promote changes to an environment dedicated to security / QA / whatever. When the code has been certified there, you promote it to production (or to the next gate).

If you've been building in "misuse" stories, presumably your defect / issue list should be short.

If a defect is found, it can be put into the backlog or prioritized for an immediate fix, depending on its severity.

Of course the extra environment isn't free ... but in my experience it's cheaper than the alternatives (which typically result in teams stepping on each other's toes).

Related Questions

If we are interested in determining whether two variables are linearly related,
Question #3221914
If we are interested in testing whether the mean of population 1 is significantl
Question #3176068
If we are told both the temperature and pressure for a system containing a pure
Question #1859784
If we are using a binary search on a list of size 1024 what is the worst case nu
Question #3690745
If we assume H vap is independent of temperaturethe following equation can be de
Question #686916
If we assume a market risk premium of 8%, and, an expected return on the S & P 5
Question #2791548
If we assume that Le Châtelier\'s Principle has pushed the reaction entirely to
Question #1030139
If we assume that energy can take any arbitrary values, we should be able to obs
Question #3813891
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
If we fit a linear model for the effect of advertisement money spent (doliars) o
Next
If we graph Mary Granola\'s indierence curves with avocados on the horizontal ax

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.