Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques. And most security professionals aren’t up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development. Written by security experts and agile veterans, this book begins by introducing security principles to agile practitioners, and agile principles to security practitioners. The authors also reveal problems they encountered in their own experiences with agile security, and how they worked to solve them. You’ll learn how
This book has a good idea: try to approximate two areas with some conflicts. On one hand, agile teams are constantly trying to deliver value faster. On the other hand, traditionally security teams are constantly trying to avoid risks so they are usually known as blockers.
This conflict is very similar to what happened with feature and ops teams and was resolved with the DevOps movement. Another thing I can relate to is what we call "the error of omission vs the error of commission". This is not in this book, but I learned about that in this amazing presentation from Russell Ackoff: https://www.youtube.com/watch?v=MzS5V....
Basically, it says there are two types of errors:
- The error of commission is when you did something you shouldn't have done.
- The error of omission is when you didn't do something you should have done.
By working as blockers, security teams tend to see only from the perspective of the error of commission. If nothing changes, they will never do something they shouldn't have done. But this is a huge mistake because it avoids not only the risks but also innovation!
Although the book's idea makes sense, I think it is not well executed. I think the scope of the book was not well established. It talks about agile, it talks about security, and it talks about how to tie them together (but not very well). Sometimes it gives some practical advice; sometimes it shows very specific lists in which it is hard to see much value. I think it could make much more sense if this book were separated into three: agile, security, and agile + security. Or it could focus only on the third subject, since there is a lot of better material about agile and security separately.
This book helps you understand what security is about, what threats exist and the language that security practitioners use to describe what is going on. This book helps you understand how to model threats, measure risk, build software with security in mind, operate software securely and understand the operational security issues that come with running a service. But the book talks more about information security, while there are other types of security like physical security and personal security. Security, or software security more specifically, is about minimizing risk. It is the field in which we attempt to reduce the likelihood that our people, systems, and data will be used in a way that would cause financial, reputational or physical harm. The book provides good advice about minimizing risks. The book also examines challenges that exist between developers and security experts and provides good advice on handling them to improve security. It also introduces good tools and resources for security. If you want to get familiar with different aspects of software security, read this book.
This book provides practical and actionable advice for anyone working in a modern development environment. One of the gems of this book is the authors sharing their experience of what they've seen work in the real world. The authors also provide a lot of links and options to further investigate. While they may become dated in time (though they are not yet dated), the spirit of this book would still make it worth reading.
The combination of the most prevalent modern development methodology, Agile, and the requirements of application security modifications (CSSLP) to software development can "appear" to be in conflict; the resulting problems can be multifaceted, and an attempt to resolve some of them is presented here as a comprehensive methodology, combined with standard CI/CD. I may not recommend this approach myself, nor use it.
The software world moves very fast, and security has not yet caught up. This book goes in the right direction in this regard, giving both developers and security specialists a huge advantage in integrating security and software.
Very good overview of the modern approach to security in agile software development. The book has a very good structure, it's easy to read, lots of links to additional materials, good information about tools and frameworks for security. It's quite enough to read this book to be able to start building a security practice in your organization.
Excellent primer on the melding of agile principles with application security. Good read for security OR agile professionals. Easy read, highly accessible.