
Agile security lessons from Aetna and the state of Texas

Maria Korolov | May 28, 2015
The move to agile development practices poses both challenges and opportunities to security teams -- with the challenges often dominating. But some organizations have found ways to make it work. What is agile security? And how can you incorporate it into your strategy?

Steven says this is a much more effective approach than the usual one of coming in, talking to developers about security, running a pen-testing tool, pointing out vulnerabilities, and leaving.

"If you go back six months later, the developers are still forgetting about security and implementing vulnerable code," he said. "If you want to help developers code securely, you have to be with them."

Thycotic bakes in security

Washington, D.C.-based Thycotic Software Ltd. bakes security into the agile development process with a security training process, but also embeds security staffers when needed.

"We have a security architect on staff who helps us with security processes about encryption," said Thycotic CEO Jonathan Cogley. "We have a hardware security model, and doing encryption in hardware is pretty complex. He was involved in a lot of the work from the beginning and followed it from conception all the way to delivery to customers."

Cogley suggests that companies looking to make the switch to agile do it one small step at a time.

"It's one of the biggest things where people go wrong," he said.

For example, if a company is starting with a waterfall development team, then the first step might be to change the release cycle from six months to one month.

"The idea is that you can always unpeel the change and reverse it quickly," he said. "When you make a lot of changes, it's hard to see where things went wrong and reverse them effectively."
