Agile and Security didn’t get off to the best start when they met. It was an awkward first date – they didn’t know each other very well, it was hard to find the common ground to start a conversation, and Agile had turned up in something much more casual than Security would have ever considered wearing. There was no second date for a long while.
But with time, Agile and Security are discovering common interests, and we’re starting to see the emergence of approaches that are helping to smooth-out this unlikely union, such as DevSecOps and Rugged. There’s still a long way to go to understand how agile methods can better include the things we care about in cyber security, and conversely, how security can be considered as an enabler rather than an inhibitor. This is what we are exploring in our fourth CyberUK In Practice track ‘Securing Agile Delivery’, which has been put together jointly by Michael at GDS and Chris and Helen from the NCSC.
The term ‘agile’ refers to the set of values that were expressed in the original Agile Manifesto, but the possibilities of how these are implemented are broad. There are now many different flavours of agile as the manifesto has been gradually interpreted into various process, Scrum being the most well-known and ubiquitous of these. In our opening session of the track, we will revisit the fundamental values of agile, explore what it looks like now, and how it might evolve in the future. This will all be brought to life by the popular and charismatic speaker Dan from Dan North Associates. Regardless of you experience with agile, this session will undoubtedly be enlightening and thought provoking.
‘How security professionals interact with agile teams’, ‘what agile methods can most effectively be used for (and not used for)’, and ‘how more security requirements can be embedded into user stories’ are all topics that are sure to feature in our panel session that explores the question ‘Does Agile make security easier or harder?’ . For the second session, we’re bringing together a spectrum of professionals from government and industry to ensure a passionate and lively debate, and we’re eager to hear your thoughts and ideas too when we throw it open to the floor.
Lessons learned and face-to-face interactions are key parts of an agile approach, and it’s important that ideas and experiences across government and industry are shared to enable more effective dialogues between security professionals and agile teams. We want to kick this off in our third stream session on day one, with four short retrospectives that show where security has successfully been integrated into agile projects in both industry and government settings.
Day one of Securing Agile Delivery will come to an exciting conclusion as our sponsors, Lockheed Martin, share their thoughts on the intersection between cyber security and agile delivery, as an ever-increasing number of their projects use agile approaches to improve responsiveness, reduce cost, shorten cycle time for delivery and increase quality.
The theme of sharing real experiences and ideas is continued into day two, where we have in-depth talks from Microsoft and the Ministry of Justice Digital team exploring two aspects of the sociotechnical problem of adding security into the already significant pressures on development teams. We’ll discuss how their organisations have adjusted their practices and processes to help achieve this.
We hope these talks will provide some some pragmatic takeaways to help you make effective adjustments to you own security approaches, agile methods and organisational practices. And in the process, help you improve what has historically been a difficult relationship.
I look forward to seeing you all at CyberUK soon!
Ian M.
Source: National Cyber Security Centre
