What was the challenge?
Our client was the Head of Information Security, responsible for ensuring effective security controls were embedded in processes across the organisation. The in-house development team had shifted from a traditional waterfall change approach to a more agile delivery model. Our client needed support in designing and implementing a risk-based approach to agile security assurance that ensured risks in developed applications were surfaced without impacting the monthly release cycle.
What was our role?
We supported the information security team in developing their process for triaging the high volume of small changes delivered each month, to identify the risky changes that would trigger a security testing requirement.
We then refined our embedded security assurance partnership to ensure that we gained early visibility of high-risk changes in each release cycle. Having developed a detailed understanding of the client's application portfolio, we are able to scope testing narrowly, covering only the high-risk changes, and deliver that testing in our protected testing window as part of the broader 'route-to-live'.
What was the outcome?
Our client is now comfortable that an established process for assessing and testing changes delivered through the agile delivery model is in place. We continue to work with the client to improve and refine the process as the scope of the agile delivery model expands to include more systems and applications.