Building Security into Your Apps One Story at a Time

In agile software development, a story is the smallest element of your application, and setting an appropriate security threshold for each story dictates the security of the application as a whole.
This paper discusses the implementation and validation of security controls over the lifecycle of a story in an agile software development environment. The three 'Ws' are emphasized: WHAT security controls to implement, WHEN to verify and validate the implementation, and WHO should assure that the security control provides the intended safeguard. The roles and timing of engagement of the product owner, security engineer, quality engineer and test engineers are explained as a story progresses from one stage of the lifecycle to the next.
With the help of examples, the paper demonstrates the security controls needed at the product definition stage. Once the security controls for a story are defined, the implementation needs verification by the security engineers and the product owner. The test team is then responsible for validating that the security controls work as intended in the context of the application and without degrading the customer experience. The paper also highlights the post-deployment security activities and measures that should be taken to keep the application operating without interruption.

  • Identifying proper security controls for your Web Application
  • Implementation of security controls
  • Static and dynamic testing of security controls
  • Integrating these concepts into agile development

BHUSHAN GUPTA, Principal, Gupta Consulting LLC

A proven champion for quality, well-versed in software quality engineering, and a WebApp security researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. In WebApp security his research areas are infusing security into the SDLC, the OWASP Top 10, risk analysis and mitigation, attack surface measurement, and static and dynamic application security analysis. As a leader of the Open Web Application Security Project (OWASP) Portland Chapter, he is dedicated to driving web application security to higher levels via technical education and training. Bhushan often provides training workshops and presentations to corporations and non-profit organizations. He is also an invited speaker and panelist in discussions on both application security and agile software development. Bhushan serves as a Program Team member for the Pacific Northwest Software Conference and has been a member of the Program Team for the Global AppSec Conference 2020 organized by OWASP.

Bhushan has been a Certified Six Sigma Black Belt (American Society for Quality and Hewlett Packard), and possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. Bhushan has an MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike in various roles. He was also a faculty member in the Software Engineering department at the Oregon Institute of Technology from 1985 to 1995 and is currently an Adjunct Faculty member there.