DevSec In Agile model

By Cid Da Costa

Elevator Pitch

Development teams need to fix errors faster to deliver more pieces of software at the end of each iteration. But how do you combine speed and security in sprints so the customer gets as few software failures as possible? Running SAST and DAST as pipeline tasks within those flows is the right way to do it.

Description

From the moment the software development industry started producing web and mobile applications, security has been an increasingly present concern for development teams. It is no secret that developing a secure application today no longer depends only on good implementation, architecture, modeling, and the other traditional means of defense. In recent years security has largely been reactive, responding to new high-level attacks and to network vulnerabilities that grow as more sophisticated threats emerge every day. What is really worrying is that development teams do not start from the premise of implementing security controls and validations in the code they produce, together with periodic penetration testing to verify that those controls and validations have been implemented correctly. To build safer software and combat cybercrime, developers should increasingly know the particularities of each language and its most common vulnerabilities so that they can be more proactive, or work closely with security professionals in a network threat landscape that keeps evolving. How can you draw on information security best practices, secure development techniques, and agile methodologies to manage these different environments and develop mature, efficient software that is resilient to new threats? As a conclusion, this work proposes the controls and security checks that agile development teams need to adopt in order to increase the robustness and security of software developed with agile methodology, seeking a balance with current security standards, increasing resilience and reducing vulnerabilities.

Notes

This short talk addresses a very topical topic about DevSec in companies. I currently work for a booming financial payment company in Brazil that has several development teams, where I have been watching and participating in the DevSec evangelization process with the development teams. We use software quality analysis tools and perform manual and automatic code analysis tests, as well as periodic penetration tests to maintain the certifications required by the market. I would like to share my experience in this work, which I have been researching since the beginning of my specialization in information security at UFRJ and at the company where I’m working.