How not to make the news - Build security into your Agile project from the ground up.
When a group of stakeholders and team members come together to plan a new product or feature, they often focus on identifying stories that deliver end user value through solving a business problem, delighting the customer or disrupting a competitor. While these are critical stories, they are not the whole picture. Every product has non-functional or cross-functional stories which must be played.
Security stories are an important part of these but are often not considered at all. When they are considered, they are often an afterthought or are assumed to be part of the project infrastructure. Trying to bolt on security as an afterthought in this way is a mistake that can lead to disaster at one extreme, and compromises to reduce product usability or don't support good end-user security practices at the other.
The challenge, of course, is that from the stakeholder perspective, security is not seen as a priority. This workshop is for software delivery teams who want to learn how to change this perspective and work with their stakeholders to help them to understand more about the importance of security. The goal is to help technical and non-technical stakeholders understand security and why it should be given priority and built into their product from the ground up. We show participants how to facilitate a structured meeting or workshop with their stakeholders where they use a simplified threat modelling technique to identify risks. The outcome is the identification of user stories (or evil user stories) which when played will mitigate identified risks.
Outline/Structure of the Workshop
- The workshop begins with a definition of terms and background to Threat modelling for the participants.
- We introduce the concept of security objectives and why we need them
- We then introduce the project we will be working with and provide a demo.
- A practical exercise is then conducted to identify security objectives, using a structured approach.
- Participants are introduced to the concept of S.T.R.I.D.E. and how it can be used to guide the threat modelling process.
- Participants are then divided into smaller groups and work through the second practical exercise to identify assets and threats and then prioritise them using the S.T.R.I.D.E process initially at the project level and then at the individual story/use case level.
- Teams then work through the process of turning the risk and its identified mitigation into story cards for the project backlog.
Finally, we wrap up by discussing how teams can facilitate their own threat modelling workshops and incorporate the technique into their own processes.
- How to facilitate a threat modelling workshop.
- How to identify the most important security risks, especially the not-so-obvious ones.
- How to identify mitigations for security risks and turn them into playable user stories.
Anyone involved in iteration planning
Prerequisites for Attendees
Familiarity with Agile approaches to software development. Specific security knowledge is not required.