Does Agile make security stronger or weaker? (Panel)


Intro

  • Can regulators be Agile? Can they keep up?
    • Probably not!

Panel Questions

  • Microsoft: millennials - don’t want to talk to greybeard security experts
    • Provide tools, guidance and processes to support building things securely
  • Rather than being the “security police”, the focus should be on supporting teams to build in a secure way
  • “Accreditation is what is driving security”
    • we’re doing it wrong
    • no consensus what good security looks like in an agile environment
    • Technology should be driving security
    • If assurance people don’t talk to technology people…
  • How do you deal with security stories, which always get leapfrogged?
    • Microsoft: default stories get added to every sprint
      • They also make individual teams accountable for when the red team owns their stuff.
        • This is maybe not a good idea - doesn’t help to blame devs
  • “How easy can we make it to develop security?”

Wrap up question

What single thing could we do to improve security in Agile?

  • Resource it: need more people
  • Show developers the effects of their decisions
  • Collaboration: Devs, security, features, everyone talking the same language
  • Kill the IT healthcheck
    • it’s driving bad behaviours
  • Learn to build software 100X better than currently