Agile Practices for Security Teams

Original Working Session content: Agile Practices for Security Teams

A draft list of agile security practices

Synopsis and Takeaways

The following categories highlight some of the key activities of an agile security team:

  • Define and deliver security training programmes

  • Security team to be visible, present at standups, available
  • Connect dev to production
  • Empower security champions

Standardisation and Compliance

  • Own strong guidelines, e.g., data classification, regulatory, compliance
  • Two-tier security standards? e.g., a mandatory baseline plus controls that depend on risk/sensitivity, etc.
  • Library of standard stories

  • Technical support
  • Help create security user stories, personas, anti-personas, patterns
  • Culture of “security is not to say no, but to help”
  • Testing
  • Automation is needed for CI/CD, e.g., a tool to track third-party licences
  • “Development enablement tribe”

  • Project initiation touch point to define “gates”
  • Prioritisation of involvement based on risk assessment, lifecycle stage
  • Define “done”
  • Third party maturity assessment
  • Internal compliance checks
  • Centralised tracking in primary colours
  • Security team KPIs
  • Security organisation must be separate from development
  • Monetary value on risks helps prioritisation
  • Risk acceptance/escalation process

  • Bring in shared security solutions such as a WAF (engineering effort required)

  • Perhaps agile not applicable, more lean/kanban
  • View security as functions, not people - resourcing can change but functions don’t
  • Don’t be a blocker to agile, e.g., in operational approvals
  • “Security team as a service”
  • Struggle to manage BAU (business-as-usual) work alongside project work, and hence to forecast: separate the functions
  • Need visibility of project portfolio
  • Separation of duty can be a constraint

Working materials

OWASP Proactive Controls

  • Draft list of “Agile Security Practices”
