Cybersecurity and the Agile Way of Working

The world of technology is experiencing change at an unprecedented speed, exacerbated further by the growth of remote business operations. According to the Business Agility Report (authored by the Business Agility Institute in partnership with Accenture, Solutions IQ, and TeamForm), “more organizations commencing their business agility journey and those on the journey report greater progress. Year-on-year, overall maturity has increased by 8%.” Globally, transformations are pivoting from being focused in a single department to enterprise-driven, incorporating all divisions and organizations. 

According to this State of Agile Report, reasons for adopting Agile have pivoted in recent years from cost reduction towards acceleration of software delivery, including the ability to manage changing priorities. Respondents also indicated that Agile adoption helped reduce project risk by 37% due to DevOps implementations that included non-functional requirements (NFRs).

Years ago, companies that started adopting Agile realized that implementing non-functional requirements such as performance testing, data, and cybersecurity could not be done in the same way as in large scale, monolithic development efforts, i.e. at the end. Given the Agile incremental and iterative development nature, the automation of non-functional requirements via DevOps has to become a norm.

The Security and DevOps: Agility and Teamwork presentation created by cybersecurity expert and founder of Alert Logic Misha Govshteyn shares insights from his experience and observations of Agile teams. These teams have “embraced the reality that an Agile security program can enable faster and more secure workload deployments.” Also presenting is Joey Peloquin, Director of Cloud Security Operations at Citrix, who explores their DevOps experiences and security systems within the AWS Cloud.

A few items to note from the Citrix cloud journey:

• The movement towards the cloud is mainstream. The ability to move fast, deploy infrastructure without IT overhead, and shipping code without delays is essential.
• Mature DevOps practices have identified ways to integrate security at the speed of development. How they got there is by avoiding random opinions, a broad set of control, periodic audits, and vulnerability escalation and negotiations by focusing on asking:
  • What are we protecting?
  • What controls do we need to implement?
  • How can security requirements be integrated into the daily, incremental, and iterative approach?
• They found that the ability to proactively predict attacks and protect the cyber attacks surface is compromised by the weak sense of perception. Some of the examples of ‘attack surface factors’ include:
  • Technical debt from legacy code
  • Risk of a breach from hybrid, on-premise, and cloud linkage
  • The risk from SQL injections due to three-tier architecture with relational databases

Blueprint is important! Consider leveraging microservices with deep HTTP inspection including anomaly detection, supervised machine learning, data-driven intrusion defense, and coverage for key app components.

The foundational approach to Inspect and Adapt (I&A) applies to cybersecurity as well! What has the industry learned?

• Give PPS a seat at the table early on. Automate as much as possible.
• Plan for growth
• Re-sue and centralize resources where applicable
• Don’t apply a legacy solution when superior native cloud implantation is available
• Don’t lift and shift legacy, well at least not everything
• Be open-minded, experiment, and if failed, start over
• Governance is more important than control
• Bring silos down, unify and centralize
• Proactively manage accounts provisioning and revocation 

In summary, while immature Agile organizations consider bringing non-functional requirements (NFRs) into the Agile delivery as part of Definition of Ready (DoR) and Definition of Done (DoD), more mature firms are incorporating them in their CI/CD pipeline as part of DevOps.