Tuesday Morning Grind, Ep 6 - SDLC Security for IT Auditors
In this episode of Tuesday Morning Grind, we talk about the Systems Development Life Cycle (SDLC) with the IT auditor and security assessor in mind. We share some thoughts on the evolution of software development from the Waterfall methodology to Agile, then we talk about the two most common flavors of Agile we see implemented at our client organizations: Scrum and Kanban.
SDLC Security for IT Auditors
SDLC Context and The Days of Old: Waterfall Methodology
- The Waterfall method is linear and sequential, with one phase usually not starting until the previous one is complete.
- Generally does not allow for change or iterations mid lifecycle.
- More appropriate for building a house than developing software.
- Many information security frameworks attempt to oversimplify change management and the SDLC.
- Oftentimes view the world from a more traditional Waterfall methodology approach.
- Assumes processes are linear and sequential.
- To outsiders, software development teams may appear to have a lack of control over their SDLC.
Dive into Agile - Kanban and Scrum
- Software development requires more flexibility. Agile accommodates changes and allows for an iterative approach to product development.
- Modern hosted software (i.e. SaaS) is oftentimes comprised of microservices or modules in the background. Developing software this way is practically impossible under a Waterfall model.
- The two most common flavors of Agile risk3sixty encounters are Scrum and Kanban.
- Scrum: Work is organized into “Sprints” comprised of a defined body of work.
- Kanban: Work is visualized on a board, and the method focuses on limiting the volume of work in progress to force task completion.