Agile Guidance for SAMM
This session discusses how to make secure software development work in Agile. This is not specifically covered in the core model of SAMM, which needs to be agnostic to the type of development approach. Because there is a strong need for such guidance in the industry, I have worked since 2018 on extending SAMM, together with the SAMM working group, industry peers and clients. How do you squeeze all the necessary activities into a sprint: requirement selection, threat modelling, verification? What do you do with stories, with abuse stories and with the definition of done? How do you get security teams and developers to co-operate instead of just working with quality gates? Based on studying many organisations to see what works and what doesn't, through interviews and a review of published material, a straightforward set of notes for Agile guidance was written, reviewed, validated and integrated into the SAMM website.
You are of course free to join and just listen in, but we'd also like to encourage people to take part in the discussion. The following questions will be asked during the session:
1. What are your big challenges with secure development in Agile?
2. What resources or frameworks are you using? What would you recommend as a good source of process guidelines for Agile security?
3. What mistakes do you know of in your organisation that you'd like to warn us about?
4. What is your trick to achieve continual threat modeling?
5. What resource do you use for your requirements, and how do you channel them (tooling? wiki? cards?)?
The material can be viewed at https://owaspsamm.org/guidance/agile/
Rob van der Veer has more than 35 years of software industry experience, as CEO, CTO, programmer, researcher, hacker and consultant. He established and leads the Security and Privacy practice at Software Improvement Group - guiding organisations through shifting left. Rob is a frequent speaker, advisor and author with ENISA, CIP, NCSC, IEEE and OWASP - where he created the Agile guidance for SAMM and co-leads the Integration project, driving the Common Requirement Enumeration initiative. His personal mission is to bring security standards and guidelines together, to help them succeed.