Most of us will have read about the recent ransomware attack on Colonial Pipeline, one of the largest oil pipelines in the US. The company had to temporarily halt all operations; the attack impacted some of the company's IT systems, and the company suffered a huge loss. It took almost a week to restore services and return to normal. During this unprecedented time, as we were all working from home, the organization was worried about securing its applications, infrastructure, etc. Cybersecurity has been slowly gaining focus, and these kinds of attacks draw serious attention to it.
For the past 3 months, as an agile coach, I have been coaching a team that is developing a highly critical application that is also the backbone of the business deals. This application had to be super secure: if it gets hit, the impact on the organization can be huge in terms of finance, brand, assets, data, etc. Hence, we had to explore how to integrate agile development practices and cybersecurity practices. There have been some thoughts that agile, with its frequent releases, introduces vulnerabilities in the system and is sometimes not recommended as a development approach for highly critical applications.
In the past, cybersecurity teams usually got involved at the tail end; now, with frequent releases, ways of working and processes need to be tailored. We got started with a few practices, which I will share in this blog. I would love to hear from you: your stories and experiments in this area.
By definition, computer security, cybersecurity or information technology security (IT security) is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. In the past, the role of security was isolated to a specific team in the final stage of development. That wasn't as problematic when development cycles lasted months or even years, but those days are over. Effective agile development ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can make the application more vulnerable to attacks.
There have been some doubts about agile development methodologies and how well they lend themselves to cybersecurity practices. But with self-organizing and cross-functional teams, agile enables people with different skill sets to work as one team to deliver good-quality, secure software.
Here is how we got started with the processes and practices to integrate cybersecurity into agile development.
1. Shift left: Having experts/cybersecurity personnel at the initial stage, not at the end stage; not to build systems of today. They were able to determine the risk tolerance of the application and conduct a risk/benefit analysis. What amount of security controls and threat modeling exercises is required for this application? What kind of testing is required during the sprints, and how do we integrate it with the testing and DevOps plan? Shift left also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats. Based on the analysis and plan, all our developers were trained on the security protocols, processes and tools required. One of the important factors to keep in mind is the balance of cybersecurity activities with other activities.
2. Hacker as persona: As a next step, we introduced the hacker as a persona for the application. By building these personas, we worked out the best defense against certain types of attacks and predicted when they might next occur. This helps us understand the motivation, plan countermeasures, and prioritize defenses. This persona was included as one of the users in the identified features of the application, and was then elaborated during the requirements and backlog grooming sessions.
3. Tools and automation: There are quite a few tools available now in the cybersecurity domain. Once the cybersecurity processes and tests were identified, we found that most of our tasks were repetitive and manual. We started looking for ways to automate them, as automating repeated tasks is key to DevSecOps: running manual security checks in the pipeline can be time-intensive. Some of these tasks can be automated, such as monitoring intrusion detection systems to search for threats.
Conclusion:
One of the major learnings from this experiment is that shift left does not mean moving all the cybersecurity-related processes, practices, ways of working, and tools from the tail end to the initial stage of development. There had to be a balanced approach, and what is required differs from application to application. But bringing this security mindset to all the team members helped a lot in striking the balance between security and frequent release cycles that was much needed for our application.