Definition of done, ready — and security


What is DoD and DoR?

  1. Story level
  2. Feature level

Dissecting the security criteria for DoD and DoR

What security requirements to exclude from DoD or DoR?

What security requirements to include in a DoR?

  1. A threat and risk analysis of the feature must be done, and the acceptance criteria are updated with the resulting mitigation requirements (e.g. hardening requirements, access control specific requirements, etc.).
  2. Security testing criteria should be identified in the acceptance criteria, e.g. perform denial of service testing (if the feature is likely to be affected by it).

What security requirements to include in a DoD?

  1. Acceptance criteria satisfied (so that all security criteria mentioned in the acceptance criteria are also met).
  2. Code scanning results are checked and corrective actions taken such that security coding guidelines are followed.
  3. Dependency analysis results are checked and corrective actions taken such that no vulnerable libraries are used in the code specific to the story.
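The three DoD items above can be codified as a gate that a CI pipeline or the team can run on a story's evidence. The following is an added example written for this article, not the author's code: the report format, the story, the rule ids and the severity threshold are all constructed assumptions.

```python
"""DoD security gate: checks a story's evidence against the three DoD items
(acceptance criteria met, code-scan findings fixed, no vulnerable dependencies).
Data model and sample data are constructed for illustration."""
from dataclasses import dataclass, field

SEVERITIES = ("low", "medium", "high", "critical")

@dataclass
class Finding:
    tool: str                 # "sast" (code scanning) or "sca" (dependency analysis)
    rule: str                 # scanner rule id or advisory id (constructed placeholder)
    severity: str             # one of SEVERITIES
    resolved: bool = False    # corrective action taken and re-scan is clean

@dataclass
class StoryEvidence:
    story: str
    acceptance_criteria: dict                       # criterion text -> met (True/False)
    code_scan: list = field(default_factory=list)   # SAST findings for this story's code
    dependency_scan: list = field(default_factory=list)

def dod_security_gate(ev, min_blocking="medium"):
    """Return (passed, reasons). Unresolved code-scan findings at or above
    min_blocking block (DoD 2, threshold is a policy assumption); any unresolved
    vulnerable dependency blocks (DoD 3); any unmet acceptance criterion blocks (DoD 1)."""
    reasons = []
    unmet = [c for c, met in ev.acceptance_criteria.items() if not met]
    if unmet:
        reasons.append("DoD 1: unmet acceptance criteria: " + "; ".join(unmet))
    threshold = SEVERITIES.index(min_blocking)
    open_code = [f for f in ev.code_scan
                 if not f.resolved and SEVERITIES.index(f.severity) >= threshold]
    if open_code:
        reasons.append("DoD 2: unresolved code-scan findings: "
                       + ", ".join(f"{f.rule}({f.severity})" for f in open_code))
    open_deps = [f for f in ev.dependency_scan if not f.resolved]
    if open_deps:
        reasons.append("DoD 3: vulnerable dependencies still in use: "
                       + ", ".join(f.rule for f in open_deps))
    return (not reasons, reasons)

# Constructed sample story: one criterion unmet, one medium SAST finding open,
# one dependency advisory open, one high SAST finding already fixed.
SAMPLE = StoryEvidence(
    story="US-42 password reset (constructed)",
    acceptance_criteria={"reset token expires in 15 min": True,
                         "rate limit on reset endpoint": False},
    code_scan=[Finding("sast", "hardcoded-secret", "high", resolved=True),
               Finding("sast", "missing-input-validation", "medium")],
    dependency_scan=[Finding("sca", "ADVISORY-PLACEHOLDER-1 (example-lib)", "critical")],
)

if __name__ == "__main__":
    ok, why = dod_security_gate(SAMPLE)
    print("DONE" if ok else "NOT DONE")
    for r in why:
        print(" -", r)
```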

Gaurav Bhorkar

I am a computer security enthusiast living in Finland