Chapter 7. Risk for Agile Teams
Security professionals live and breathe risk management. But developers, especially developers on an Agile team, can get happily through their day without thinking about risk much, if at all.
Let's look at what's involved in bringing these two different worlds, or ways of looking at the world, together.
Security Says, No
Before we get into how risk management is done, let's take a quick detour to the purpose of risk management and security in general.
Security teams have a reputation for being the people who say "No" in many organizations. A project team may be ready to deliver a new feature, but are using an approach or a technology that the security team doesn't understand, so it isn't allowed to go out. The operations team needs a firewall change to support a new system, but the security team owns the firewalls and can't coordinate the change in time, so the implementation of the system is blocked.
All of this is done in the name of risk management. Risk management is about enumerating and quantifying the unknown and attempting to control the risk. The easiest way to control the unknown and the risk is to prevent changes so that nothing can go wrong. However, this fundamentally misses the point, and when tried in a fast-moving environment, results in a number of negative side effects to security overall.
Security should be about enabling the organization to carry out its goals in the most safe and secure manner possible. This ...