Software Engineering, Project Management, and Effectiveness
“It is not necessary to change. Survival is not mandatory.”—Edwards Deming
I gave a talk for the developer security MVPs at the Microsoft 2010 MVP Summit last week. While I focused primarily on Azure Security, I did briefly cover Agile Security Engineering. Here is the figure I used to help show how we do Agile Security Engineering in patterns & practices:
What’s important about the figure is that it shows an example of how you can overlay security-specific techniques on an existing life cycle. In this case, we simply overlay some security activities on top of an Agile software cycle.
Rather than make security a big up front design or doing it all at the end or other security approaches that don’t work, we’re baking security into the life cycle. The key here is integrating security into your iterations.
Here is a summary of the key security activities and how they play in an agile development cycle:
The sum of these activities is more than the parts and using a collection of proven, light-weight activities that you can weave into your life cycle helps you stack the deck in your favor. This is in direct contrast to relying on one big silver bullet.
Note that we originally used “reviews” which are more exploratory, but we later optimized around “inspections.” The distinction is that inspections use criteria (e.g. a 12 point inspection.) We share the criteria using security checklists for design, coding, and deployment inspections.
There are two keys to chunking up security so that you can effectively focus on it during iterations:
Stories are a great way of chunking up value. Each story represents a user performing a useful goal. As such, you can also chunk up your security work, by focusing on the security concerns of a story.
A security frame is a lens for security. It’s simply a set of categories or “hot spots” (e.g. auditing and logging, authentication, authorization, configuration management, cryptography, exception management, sensitive data, session management.) Each category is a container for principles, patterns, and anti-patterns. By grouping your security practices into these buckets, you can more effectively consolidate and leverage your security know-how during each iteration. For example, one iteration might have stories that involve authentication and authorization, while another iteration might have stories that involve input and data validation.
Together, stories and security frames help you chunk up security and bake it into the life cycle, while learning and responding along the way.
For more information on security engineering, see patterns & practices Security Engineering Explained.
Just to let you know - this post has been included in a link roundup on the SATURN Network Blog at http://saturnnetwork.wordpress.com/2010/03/01/link-roundup-march-1-2010/.