Secure agility and agile security
Added by Stephan Janssen, last edited by Robin Mulkers on Dec 20, 2004  (view change)

Hosts

Konstantin Beznosov, Wouter Joosen, Pascal Van Cauwenberghe, Dirk Dussart and Johan Peeters

BOF Topic: secure agility/agile security

Agile processes have taken the software development world by storm. Nonetheless, there are still some bastions of resistance to these winds of change. Security is a notable example; received wisdom has it that security requirements cannot, indeed must not, be implemented with an agile process. The BOF examines whether there is a case for this reluctance.

The panel includes Konstantin Beznosov and Wouter Joosen, both academics with ample experience in industry, who are conducting ground-breaking research on how to reconcile security concerns with the benefits of agile development.
Pascal Van Cauwenberghe is one of the mainstays of the agile movement in the Low Countries and finds it hard to see how anyone could want to tackle any serious development in any other way.
Dirk Dussart has a background in security audits and remains sceptical.
Johan Peeters will be moderating the session. Being currently involved in an extremely security-sensitive project with fuzzy requirements, he will make sure to steer the discussion towards pragmatics.

The session starts with a brief position statement by the members of the panel. Then, a selection of contentious statements will be discussed. Comments from the audience are also invited.
Candidate discussion points are:

  • Agile processes are the only guarantee for cost-effective security.
  • User stories are perfectly adequate for capturing all security requirements.
  • If you go agile, you relinquish control over an application, so it will never be secure.
  • Security requires such a high degree of expertise that you cannot entrust it to ordinary team members. You must draw on external security experts.
  • Security does not add business value, it merely avoids costs. Therefore the usual agile planning criteria do not apply.
  • Agile development is the logical corollary to the insight that, rather than aiming for perfect security, we should manage risks.

Please feel free to add and alter.

Target Audience

Developers, project managers, product managers who are wondering how to reconcile agility with security. Of course those who have the answers are very welcome as well.

Related JavaPolis presentations

Interesting Links
