The (lack of) security architecture in Agile

Structure of Agile

Steps to building security architecture into Agile

  • Stay engaged as part of the agile teams (even if only as a shared resource) and across the delivery cycles. Agile teams will evolve and mature the solution often by pivoting or changing quickly. Stay informed during sprints in order to respond to changes and keep pace.
  • Be involved when establishing and reviewing product backlogs. Participation in user stories and planning sessions is important in order to provide guidance on requirements.
  • Establish common benchmarks across the teams so that solutions are delivered with the appropriate security posture. At minimum, those benchmarks should be communicated as a set of principles that can be understood by all members of the team.
  • Develop security architecture that remains loosely coupled so that it gives teams autonomy to build solutions. The design should establish solution patterns that are reusable across multiple teams.

Staying engaged in Agile delivery cycles

  • Participate in establishing user stories (or better yet, establish security-focused user stories). This helps build the rationale for why particular security controls are required in a given solution.
  • Be involved in product backlog grooming and review sessions to help prioritise the security controls needed. It also allows the team to look at how controls can be incrementally applied during delivery cycles along with other product features.
  • Build ‘security’ user personas for potential threat actors to the solution. I wouldn’t do this exhaustively for all threats, but it is good when modelling the threat of ‘rogue insiders’. With agile teams operating with more autonomy, it helps give consideration to the potential impacts of a rogue employee.

Keeping pace with Agile delivery cycles

Commencing a Sprint cycle

Concluding a Sprint cycle

Establishing iterative security architecture


Want to Learn More ?




Ken Fitzpatrick
