Security

Security and Compliance in Agile

It's been awhile since I last posted anything but that's because I've been knee-deep in helping a Security and Compliance team move from a traditional waterfall approach to an Agile approach to developing and managing their work. Talk to any development group in a large organization, especially one that is Agile, and say the words Governance or Compliance (or worse Audit) and you will get a collective shudder and the sound of everyone running for the door.

The truth is this: Every organization has to protect their customers and their brand.  We do this in many different ways, but one thing that we don't do well typically is ensuring that our Product Development teams actually know what these groups do and the value that they can bring in knowledge to developers.  We often view developers as people who know everything, hell they can code to make features come to life so they must also know about secure coding practices and the like (guess what, they don't)

Security Governance and Compliance shouldn't be considered necessary evils, rather they should be considered insurance policies that we take out every time we push code to production.  You wouldn't think about driving a car without insurance because if you do hit someone and injure them, it will cost you a boat load of money.  Yes the odds may be small but taking that risk is one that most people won't take.  We should look at our Security and Governance in the same light, in fact an even brighter light because very few drivers are out there actually trying to hit you to hurt you, whereas hackers are doing just that to your site day in and day out.

With the speed at which hackers and attackers are figuring out new ways to breach our security protocols Security and Compliance teams need to work in a much faster pace.  Think incremental improvements over gold plating a solution.

In Agile teams are focused on delivering value to the business every two weeks and as they go through their process of iterative design and development we also focus on technical excellence.  Product Development teams need to be able to get fast feedback on security questions so that they can incorporate Security changes before development begins.  As a Product Owner you have to understand that the velocity of your team to deliver value MUST include time for them to refactor code and implement ever better secure code, it's simply not up for negotiation if you want a high quality secure product that your customers engage in.

The teams that I'm working with have been willing to engage and somewhat leery in moving to Agile and we are tackling how to handle a team that doesn't deliver code and whose work doesn't necessarily fit into a strict 2 week timeframe.  Additionally these teams aren't used to thinking in short increments so breaking down their work doesn't come naturally, but they are finding ways to do it and they seem to like the visibility and transparency Agile provides.

For Story estimation I developed a quick and easy way for them to estimate their work, taking into account that we don't have true Scrum teams but loosely aligned people working on distinctly disparate tracks of work, it looks like this:

  1. 13 points - One person working one Story for the entire sprint.  This would typically fall into the same category as a Research spike.
  2. 8 points - One person working one story for half of the sprint
  3. 1-5 points - One person working one story for 1, 2, 3 or 4 days.

Some of the team has started to use this and we are starting to see what our potential team velocity might be.  This will help us next year when we do our Roadmap planning.

Additionally since we are using Rally, I've created six-week release windows that teams can align their work to and then assign the iteration that they will complete the work.  With both the Release and Iteration views I can see what the team is planning and what they are executing.

Perhaps the biggest challenge that we need to address next is how do we build a plan for work that may span 1-3 years in duration.  The team has commented several times that moving to Agile is hard since they are used to doing everything in a Waterfall method yet the reality is that whether we are doing Agile or Waterfall as a Program Manager I would expect them to identify high level milestones, understand and describe how the project will unfold.  None of this can't be done in Agile.

The notion that Agile isn't about planning has always amused me since I know that in Agile if you are doing it right it is all about PLANNING.  One thing that differentiates Agile from Waterfall from a Project Management perspective is that we don't have a change management process.  I think we have believed that laying out a project in a Gantt chart with tons of up front planning that really results in Change Requests was effective.  Instead identify the key milestones that make up the project, commit to those and then understand that we'll change along the way but the key business value that we are delivering shouldn't.  If it does then you aren't working on the right stuff.

To those Information Security Management groups who think that they can't be 'Agile', think again.

 

 

 

 

 

Scaling Governance in Agile

Large organizations who move towards and Agile delivery model may struggle with how to scale any governance model.

I think if you polled most Agilists about governance in general, you would tend to get a shutter and an ugly stare.  Indeed we want to address technical excellence during our sprints but what we often fail to understand is that software engineers are not omniscient when it comes to all of the areas of technical acumen related to performance, security and other compliance type efforts.
As an organization grows and becomes more and more global it finds itself dealing with many different governing bodies that each have different requirements for how we deal with data protection, which in turn relates to how we develop our software.
Having run PCI compliance for a large organization I know first hand that providing specific information to developers with respect to what to look for just in a code review is an important first step.
Governance is needed for most organizations as a first defense when something happens with respect to security/privacy.  Organizations need processes in place to provide evidence to governing bodies, courts and legal inquires regarding how we protect our product our customers information.
Governance can include both standards and artifacts.  For example PCI compliance requires that we provide evidence of compliance with respect to their 13 security requirements.   From a software development standpoint these include such activities as code reviews that are focused on security, software development cycle, evidence of secure development and test practices in addition other efforts such as  Penetration testing and other monitoring capabilities.
In Agile we need to think of this in a light weight manner.  At one organization we implemented a set of standardized stories, non-functional, that were to be included into a teams feature development sprints.  For teams that are working on several sprint efforts before going into production this can work very well as the team is addressing this as part of the planning and estimation.  When the code is delivered to production the completed and accepted user stories (which have context as to what was completed) serve as the artifact for the PCI compliance (or other) auditors.
The engineers liked this because they were creating artifacts as they developed and from an organization standpoint we gained confidence in the fact that our code was being developed against high quality standards.
For Governance activities that relate to more ongoing product sustainment efforts the same standards need to apply however the manner in which we apply them within each sprint may be different that new product type efforts.  Automated testing and monitoring form a larger basis of maintaining the standard levels that we established in earlier cycles.
Recently I heard a statistic that said 90% of attacks can be mitigated by the basic block and tackle work that teams can do on a regular basis.
Governance doesn't have to be a bad name in the Agile space, we need to view it as part of our technical excellence efforts that form the basis of high performing Agile teams.
I think Governance is an area in Agile that is ripe for development especially at scale.