2012 icsq ia presentation_20121003

Post on 16-Jul-2015

Who is at the Helm?

An Agile Assurance Case Study

A particular instance of Agile Assurance analyzed to illustrate Sustainable Security Practices

October 31, 2012

David Brown

Peter Woodhull

29-31 Oct 2012 International Conference on Software Quality - ICSQ 2012

"The most difficult thing is the decision to act, the rest is merely tenacity. The fears are paper tigers, and the procedures, the process are their own reward."

Amelia Earhart

Agenda

• An Exercise in Contrast

• Concepts

• Issue Resolution

• Evolution of the Analyst

• New Techniques

• Virtual SSP

• Agile Management

• Goals

Contrast | Concepts | Resolution | Analyst | Techniques | Virtual SSP | Management | Goals

Compare & Contrast

Key Concepts

• ownership

• sustainable program value

• cost, schedule, capability trade-off

• upfront assurance

• near real-time decision support

• cross-cutting concerns

• visualization

• information → decision → action

Action Based Management

Do we care?

Dependable?

Actionable?

Deep Environmental Understanding

The evolution of the Analyst into a Nexus

New Techniques

Shared Ownership →

Modified Assurance

Capability →

Education →

Best Practice, Tools,

Deputized Project Team →

Education Leads…

Results Follow!

Virtual SSP

• Requirements

• Control Point

• Intersections of Accountability and Authority

• Tooling

• Auditing

• Visualization

• Traceability Matrix

• Validation & Verification

Agile Management Workstreams

Agile Management

Task Management

Sprints - User Stories - Control Work Items - Workflow

[Diagram labels: Sprint Backlog, Project Backlog, Grooming, Feedback, Working Increment, Test-driven Development, N-1 Testing, Product Owner, Delivery]

Agile Goals

Validation & verification

Replace emotions with facts

Empirical metrics

Collaboration

“Education is a better safeguard of security than a standing army.”

Edward Everett

Target IA Commitment

the kanban Assurance Manifesto

We are uncovering better ways of providing Assurance by doing it and helping others.

Through this work we have come to value:

Explicit communications over intuitive abilities

Small steps over big changes

Quality systems over heroic individuals

Requirements driving our understanding over assumptions in which we must trust

While we appreciate the standard concepts below, we value the bold principle above.
