Booz Allen Secure Agile Development

Booz Allen Secure Agile Development

• 1.
  0Booz Allen Hamiltonand Client proprietary and business confidential 0Booz Allen Hamilton and Client proprietary and business confidential June 2016 SECURE AGILE DEVELOPMENT A TRANSFORMATIVE APPROACH TO SECURE SYSTEMS DELIVERY
• 2.
  1Booz Allen Hamiltonand Client proprietary and business confidential MEET OUR PRESENTERS MARC MURPHY BOB WILLIAMS RYAN SKOUSEN A Vice President our Systems Delivery Group, Marc is an expert in Agile software development services, ERP, and AWS cloud operations. Prior to joining Booz Allen, Marc served as CEO of SPARC where he oversaw all business and operations done in concert with several Department of the Defense contracts. He was also a former partner for Deloitte DoD/Federal group as well as served as an Officer in the U.S. Army. A Chief Engineer at Booz Allen, Ryan is leading the development and maintenance of a DoD Big Data analytic platform focused on exploitation of unstructured data under the Joint Improvised-threat Defeat Agency (JIDA). Ryan’s experience ranges from software development, Linux systems administration, and big data management to information security and Certification and Accreditation under both RMF and ICD 503. Ryan applies these different disciplines to deliver mission-focused, operational systems to the field. A Chief Scientist at Booz Allen, Bob is a leader, architect and hands-on engineer specializing in building application frameworks and development platforms, as well as building teams, and architecting scalable, robust, data-intensive systems in accordance to FIPS, NIST and OWASP compliance. Prior to joining Booz Allen, Bob served as the CTO for SPARC where he provided vision, strategy and direction to the Engineering organization.
• 3.
  2Booz Allen Hamiltonand Client proprietary and business confidentialBooz Allen Hamilton and Client proprietary and business confidential 2 WHAT’S THE CHALLENGE? How can we adopt modern development practices, and transform a federal agency’s delivery model without sacrificing information assurance and system security controls?
• 4.
  3Booz Allen Hamiltonand Client proprietary and business confidential THREE PILLARS OF SECURE AGILE DEVELOPMENT When developing any system, security requirements and controls can’t be segmented from technical requirements. There must be a deep understanding of how these security requirements complement capability requirements for the system under development. Expertise in how security is incorporated, tested, and monitored as a part of DevOps (continuous deployment, infrastructure as code, containerization, continuous diagnostic monitoring) methods is critical to increase velocity with confidence. A deliberate organizational change approach, led by experienced professionals is required to transform an agency’s delivery model - this is the difference between “Doing Agile” and “Being Agile”. MISSION UNDERSTANDING TECHNICAL ACUMEN AND INNOVATION “SECURE FIRST” CULTURE
• 5.
  4Booz Allen Hamiltonand Client proprietary and business confidential MISSION UNDERSTANDING  Is Security talent embedded within teams and is each team member, from developer to security professional, “security intelligent”?  Are software security fundamentals implemented, such as user authentication and access controls, protection against known attack vectors?  Does the development team have an understanding of current and impending regulatory security requirements (e.g. Risk Management Framework, ICD 503, DISA STIG, US-CERT)? Have these requirements been addressed as technical stories and applied to sprints?  Does the development team have an understanding of agency specific SDLC governance models (e.g. VA’s Veteran Integration Process, DoD 5000) and how modern methods and tooling can be leveraged to meet these requirements with Agility? CHECKLIST: SECURE AGILE DEVELOPMENT
• 6.
  5Booz Allen Hamiltonand Client proprietary and business confidential TECHNICAL ACUMEN  Are automated security scans included as a part of Continuous Integration for each code commit and providing a transparent, real-time view of the security posture?  Does your security strategy address the entire technology stack to include secure containers, network, firewalls and operating system for vulnerabilities?  Have automated security test scripts been developed and executed to verify security features, such as authorization, authentication, field level validation, and PII/PHI compliance?  Does the configuration of security components such as the perimeter firewall, Intrusion Detection / Prevention System (IDS/IPS) follow a similar model in terms of provisioning and configuration as application servers?  As a part of the DevOps process, is dynamic network monitoring in place to actively discover vulnerabilities or active attacks? CHECKLIST: SECURE AGILE DEVELOPMENT
• 7.
  6Booz Allen Hamiltonand Client proprietary and business confidential CHANGE MANAGEMENT  Is the process of defining, implementing and monitoring security an iterative cycle throughout the development and maintenance lifecycle of the software? Is the team providing constant feedback, reevaluation, maturation and evolution of secure software?  Is the project employing Agile coaching to drive organizational or project level change management?  Have appropriate organizational resources been allocated to sponsor, measure, and reinforce the implementation of security standards as a part of Agile development activities?  Is the delivery team addressing security concerns, as a part of traditional Agile ceremonies and practices (e.g. stand ups, release planning, information radiators, story elicitation)? CHECKLIST: SECURE AGILE DEVELOPMENT
• 8.
  7Booz Allen Hamiltonand Client proprietary and business confidential
• 9.
  8Booz Allen Hamiltonand Client proprietary and business confidential 8Booz Allen Hamilton and Client proprietary and business confidential AUDIENCE Q & A
• 10.
  9Booz Allen Hamiltonand Client proprietary and business confidential LEARN MORE READ THE FULL WHITE PAPER Interested in what you heard today? Read the full white paper on Secure Agile Development. You’ll receive this after today’s meeting. STAY TUNED FOR OUR PODCASTS In the coming weeks, we’ll be releasing a series of podcasts focused on topics related to Secure Agile Development including tools and policy. CHECK OUT OUR OTHER SYSTEMS DELIVERY HIGHLIGHTS Visit www.boozallen.com/systemsdelivery to learn more about our approach to systems delivery and viewpoints on other technology topics.