I tend to operate in accordance with the four principles of Cigital‘s recent Agile Security Manifesto.
[su_pullquote align=”right” class=””]NOTE: I cannot state whether I’ve employed Cigital professionally but I have had interaction with them in my career.[/su_pullquote]
These principles align with security governance, education and scaling throughout an organization versus roles in security domains taking on the burden of providing security through older methods of policing.
Industries have been working towards being more agile, more responsive and putting reasonable expectations on solution delivery teams. Those teams can compose and produce creative and effective services faster than we can secure them. “Shadow IT,” which meets business delivery needs but misses consistent and repeatable protections and assurances, embodies the nature of this movement.
As we swing towards delivery teams operating with more autonomy, I believe the burden falls into two areas of focus for us in security.
Protection with Automation
We must utilize automation and tooling to provide capabilities that meet the volume of demand that comes with more people having more freedom.
We’re moving back to where I started as a system implementer and administrator. Teams want to have the ability to stand up infrastructure and services at their need and not according to our schedules. Hopefully we’ve developed understandings of what it looks like to secure some of those things well enough to develop layered security to support those types of automations so that we’re only brought in for exceptional situations.
Education and Advocacy
As we offload some of the approval and governance to automation we must educate teams so that they can understand what controls fit specific situations; again, with our knowledge, this investment to arrive at standard controls for an organization so that a team can select any vendor/service and know how to vet them or which analysis tool to run against a codebase should be easy to follow.
I cannot speak effectively to hundreds of agile team members but I can provide educational and governance content and capabilities and work to gain influence with senior management in order to set expectations of ownership so that the risks accepted reflect our organization’s risk appetite.
I like Cigital’s encapsulation of principles but I hope for a broader level of engagement instead of one organization dictating the principles, even when that organization is peopled with smart, talented individuals. I think there’s a lot of wisdom throughout the industry and I’d hate to see us miss out on that.