Securing the agile development lifecycle

Agile development methodologies are very popular because of their ability to deliver software quickly and efficiently. With this increase in speed, however, comes a risk of compromising security. This is where Omegapoint should shine, combining the agile philosophy with our knowledge of application security.

We all know it is important to integrate security practices into the agile development lifecycle. One way to achieve this is by following the CIS (Center for Internet Security) v8 controls, a set of current best practices that organizations can use to improve their security posture. Omegapoint has interpreted the CIS controls and summarized the concrete efforts a team working with cloud-native applications can take to implement them. These efforts are the basis for the security review that Omegapoint Gothenburg conducts as a service.

In this blog post, I will discuss how all this corresponds to my AMP (Academy Master Program) project and how we as a company secure our development lifecycle and consequently the code we are developing, maintaining, and operating.

Quantitative assurance

There have been many successful software security initiatives in Omegapoint’s history. Right now, work is being done on compliance-as-code (as described in an earlier post), as well as Cydig’s work on automated controls that prove we practice what we preach regarding security-related controls. Both initiatives will enhance the security of our products by enforcing best practices. These checks form the quantitative assurance part of Omegapoint’s new delivery model.

Qualitative assurance

The qualitative assurance part of Omegapoint’s delivery model concerns the “soft” side of good practices, and this is where my AMP project comes into play. I will concentrate on these softer parts of a secure development lifecycle. My main goal is to document a set of questions that can be used to assess whether a development team follows the security-related CIS v8 controls. Omegapoint development teams should be able to use these questions to self-assess their security posture, and the same questions should be used when assessing our clients’ development teams. The questions will be based on the work Omegapoint has already done on the CIS controls, while also drawing on the extensive experience our colleagues have in secure software development.

I am not alone

I will not be alone on this journey. Helping me are my two mentors, Tobias Ahnoff and Martin Altenstedt, as well as my fellow AMP students and their mentors. With the help of these competent colleagues, I believe this project will be extremely educational for me and will hopefully accelerate my learning in application security.
