PCI DSS and Agile. Is this possible?

Companies that must comply with PCI DSS (Payment Card Industry Data Security Standard) to meet the card payment requirements for application security often doubt whether it is possible to use Agile and remain compliant with PCI DSS at the same time.

In most of my journeys the teams develop their web applications, web services and mobile applications in accordance with the OWASP secure development guidelines. These guidelines can be implemented easily with the help of the Microsoft Security Development Lifecycle (SDL), which makes it possible to fit the weighty security requirements into the svelte Agile frameworks.

The SDL is an elegant and lightweight software development process that defines three categories of requirements, grouped by how often they must be completed.

Every-sprint practices

The first category consists of the SDL requirements that are so essential to security that no software should ever be released without these requirements being met. Every SDL requirement in the every-sprint category must be completed in each and every sprint, or the sprint is deemed incomplete, and the software cannot be released.

Bucket practices

The second category of SDL requirements consists of tasks that must be performed on a regular basis over the lifetime of the project but that are not so critical as to be mandated for each sprint. Currently there are three buckets of related tasks in the bucket category: verification tasks, design review tasks, and planning tasks. Instead of completing all bucket requirements each sprint, the teams must complete only one SDL requirement from each bucket of related tasks during each sprint.

One-time practices

The third category consists of the SDL requirements that need to be met only once. These are generally once-per-project tasks that will not need to be repeated after they are complete, for example choosing the security advisors or updating the project to use the latest version of the compiler.

A Final Security Review (FSR) is required at the end of every agile sprint. The security advisor only needs to review the following:

  • All every-sprint requirements have been completed, or exceptions for those requirements have been granted.

  • At least one requirement from each bucket requirement category has been completed (or an exception has been granted for that bucket).

  • No bucket requirement has gone more than six months without being completed (or an exception has been granted).

  • No one-time requirements have exceeded their grace period deadline (or exceptions have been granted).

  • No security bugs are open that fall above the designated severity threshold (that is, the security bug bar).
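The five FSR checks above can be turned into a mechanical release gate that a security advisor or a CI job runs at the end of each sprint. The following is an added example, not code from the original post or from Microsoft's SDL; the data classes, the 183-day reading of "six months" and the numeric severity scale for the bug bar are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed data model for the SDL-Agile FSR gate (hypothetical names).
@dataclass
class Requirement:          # an every-sprint or one-time SDL requirement
    name: str
    completed: bool = False
    exception_granted: bool = False
    grace_deadline: Optional[date] = None   # only meaningful for one-time requirements

@dataclass
class Bucket:               # verification / design review / planning bucket
    name: str
    done_this_sprint: bool = False
    last_done: Optional[date] = None        # last sprint in which any task from the bucket was completed
    exception_granted: bool = False

@dataclass
class Bug:
    bug_id: str
    severity: int           # assumption: 4=Critical, 3=Important, 2=Moderate, 1=Low

SIX_MONTHS = timedelta(days=183)   # assumption: "more than six months" checked as > 183 days

def fsr_findings(today: date, every_sprint: List[Requirement], buckets: List[Bucket],
                 one_time: List[Requirement], open_bugs: List[Bug], bug_bar: int) -> List[str]:
    """Return the list of FSR blockers; an empty list means the sprint may be released."""
    findings = []
    for r in every_sprint:                       # rule 1: every-sprint work done or excepted
        if not (r.completed or r.exception_granted):
            findings.append(f"every-sprint requirement not met: {r.name}")
    for b in buckets:
        if not (b.done_this_sprint or b.exception_granted):   # rule 2: one task per bucket
            findings.append(f"no task completed from bucket: {b.name}")
        stale = not b.done_this_sprint and (b.last_done is None or today - b.last_done > SIX_MONTHS)
        if stale and not b.exception_granted:     # rule 3: bucket not idle for > 6 months
            findings.append(f"bucket idle for more than six months: {b.name}")
    for r in one_time:                           # rule 4: grace period not exceeded
        overdue = r.grace_deadline is not None and today > r.grace_deadline
        if overdue and not (r.completed or r.exception_granted):
            findings.append(f"one-time requirement past grace deadline: {r.name}")
    for bug in open_bugs:                        # rule 5: nothing open at or above the bug bar
        if bug.severity >= bug_bar:              # assumption: bar is the lowest blocking severity
            findings.append(f"open security bug above the bug bar: {bug.bug_id}")
    return findings

def fsr_passes(*args, **kwargs) -> bool:
    """True only when every FSR check is satisfied or covered by a granted exception."""
    return not fsr_findings(*args, **kwargs)
```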

If your company needs to adhere to PCI DSS requirements, I recommend including the SDL in your teams' software development lifecycle to ensure that you successfully pass the annual PCI audit and that your company meets all of its security obligations.

So, what is your experience with that? Have you been in a similar Agile Journey? What were the main takeaways from your journey? Please share in the comments below… 😃
