Agile Information Security
One of the chief difficulties of the information security discipline is the need to balance the business or product with information security and assurance goals. All too often, particularly in the government and financial sectors, information security personnel, developers, and system administrators and engineers are treated as competing interests with divergent goals. This problem is compounded by the growing prevalence of agile software development methodologies, which those outside the development team often see as a way to circumvent established processes for system security and stability. Unfortunately, in many environments this misconception about agile development has widened the divide between development staff and the system engineers, security administrators, and IT staff charged with supporting their systems.
Rectifying this divide requires a return to the basics of information security and protection, from a philosophical perspective. The core goal of information security is summed up quite well in Information Security Fundamentals, by Thomas Peltier, Justin Peltier, and John Blackley:
Information protection should support the business objective or mission of the enterprise. This idea cannot be stressed enough. All too often, information security personnel lose track of their goals and responsibilities. The position of ISSO (Information Systems Security Officer) has been created to support the enterprise, not the other way around. 1
Their text is used in information security coursework throughout the country, and the statement above should be viewed as a guiding principle for all information security professionals, who need to understand that operational requirements and security guidelines can collide. Highly visible breaches, the advancement of regulations and laws for the protection of data, and the explosion of internet-connected devices and services have brought an enormous amount of attention to the field of information security. The result has been not only a greatly increased focus on countermeasures, but also "bureaucratic bloat" within organizations, particularly within the Department of Defense, where information assurance (IA) often loses sight of that very basic first tenet: IA should support the mission rather than become it.
During my time at the Northern Border Integration Demonstration (NBID), I witnessed first-hand the clash between security standards and mission focus, between endless documentation and rapid change. While these problems were significant, they were not insurmountable, and over the years the NBID team found workable solutions by distancing ourselves from traditional mindsets and working agility into our security process.
With all the books and articles on agile development, Scrum, and the larger topic of information security, you may find yourself wondering why this book matters.
Who Should Read This Book
This book is intended for information security engineers, information assurance officers, system engineers, or anyone who has been thrust into the arduous task of securing and maintaining a rapidly changing system. Throughout my experiences at the Northern Border Integration Demonstration, the challenges of maintaining adequate security posture (and complying with tomes of government regulations) became clear; when there's a new software build every few weeks, those charged with maintaining the system's security are always behind the power curve.
This book is not meant to be an exhaustive source of information on agile development, Scrum, or information security in general. The reader should feel free to take what's useful and discard the rest. This isn't meant to be a method to be strictly adhered to, but a rough framework and collection of ideas that you should modify as you see fit.
It is my hope that this book prevents you from experiencing the con