Suppose you are working on a delivery project with a set of hosts talking to each other over TLS, and you need to establish trust between them. The customer wants TLS/HTTPS everywhere, for vertical as well as horizontal traffic!

The documentation reveals: “if you want to enable TLS on this port, here are the instructions to generate a self-signed certificate. Remember to import this certificate into the relevant trust stores.”

Things are very easy if you have two computers talking to each other. But in deployments with high availability, load balancers and a large number of applications talking to each other, admins or solution architects often find themselves frustrated by the sheer cognitive overload of working out where to import which certificates. This is especially the case when self-signed certificates are used throughout the deployment, which is common for applications deployed on internal networks. …


We all do some kind of agile software development these days. While people may argue over the benefits, a large number of software development houses are transforming themselves to “go agile”. These transformation periods are generally chaotic, and it can be difficult to keep following an organisation’s security policy while implementing agile.

In this post I will explain how some (not all) of the security requirements can become part of the Definition of Done (DoD) as well as the Definition of Ready (DoR).

I have worked in an organisation which was going through a transformation period to use the Scaled Agile Framework (SAFe) for agile software development. We updated our DoD and DoR criteria and managed to include a few security requirements set by the product security policy of the organisation. …


Product security is much more than implementing a user login for your application

Rob is a manager for a newly developed product which is getting customer interest and starting to sell nicely. The development team is gearing up for the next program increment planning.

One morning, Rob gets an urgent request from the delivery team for a “security report” of the product: the customer will not allow any production deployment until the security aspects have been “cleared” by their security team. Rob now runs to his team to generate some kind of security evidence that summarises what security measures have been taken to protect the product. …

About

Gaurav Bhorkar

I am a computer security enthusiast living in Finland
