Scaling Security in Agile Scrum presented at AppSecCalifornia 2015

by Chris Eng,

Summary : Agile Scrum is here to stay, and security teams are finding themselves under-resourced and unprepared for the pace of modern software development. “Best-practices” models for Agile security make too many simplifying assumptions about how software is built. These models impose impractical requirements without providing the necessary support or expertise.
In the real world, development teams know that software development often includes multiple Scrum teams working on various components of a larger project that will eventually be integrated. They also recognize that only the most well-funded and resourced enterprises and ISVs have the bandwidth to execute on the idealized Agile SDL. Smaller organizations, or development teams without vast resources are forced to adapt and make tradeoffs that often include sacrificing security.
In this session, I’ll discuss how our company has incorporated security into our own Agile development lifecycle for a product that involves about ten Scrum teams working in concert to ship monthly releases. I’ll explain how we’ve optimized the way our security research team interacts with our engineering teams and accommodates their processes. I’ll also share some of the lessons we’ve learned along the way, including things that haven’t worked as well as we thought. I’ll also describe how we’re organically “growing” more security experts within the organization. Security practitioners will be able to leverage our experiences to work more effectively with their own Agile Scrum teams.