Copyright 2015 by James R. Fitzer.
All rights reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other academic or noncommercial uses permitted by copyright law. For permission requests, write to the publisher at the address below.
James Fitzer
james.fitzer@agilesecuritybook.com
Book Layout 2013 BookDesignTemplates.com
Ordering Information:
Quantity sales. Special discounts are available on quantity purchases by corporations, associations, and others. For details, contact the Special Sales Department at the address above.
Agile Information Security/ James R. Fitzer. 1st ed.
ISBN 978-1511804240
ISBN: 9781483556185
Foreword
When I first met the author nearly 15 years ago, my first impression could be summed up with just two words: Leadership challenge.
He was a walking dichotomy; a towering tattooed guitar player that covered up a hidden nerd. I had no clue that this barely 18-year-old kid had already acquired industry-recognized IT certifications, or that he would become one of my greatest successes as a leader, and one of my closest friends.
Over the next few years in the Army, I watched James grow from an unruly but somehow professional young Soldier into an outstanding example of what an Army non-commissioned officer should be. His eye for detail and desire to get things right the first time made for a winning formula, when combined with his genuine care for people and desire to help those in need. He went on to serve as a Drill Sergeant, a role of vital importance, as it is the first impression young Soldiers have of the army. And he excelled at it.
When James left the Army, he expressed an interest in restarting his IT career. With my own IT management career in full swing, I was able to offer him a position on my help desk in Washington D.C.
Can you tell I'm a glutton for punishment?
It was obvious that he was destined for a larger role from the very beginning. He managed to resolve several problems that our infrastructure team had been unable to fix, some of which had existed for several years. This was the first time that I really got to see James' research abilities in action.
If you're still reading this, you've noticed a common theme: Attention to detail, understanding and interpreting requirements, and thorough research. James' ability to remove the fat from what the customer is asking for, hold jargon-free conversations with the business, and his dedication to quality research will be on display as you read through these pages.
I've set a pretty low bar for you here, so obviously it has to get better after this.
Right?
Thank you for reading, and please enjoy this book.
Stefan Still
Vice President of Service Delivery Enstar US
Friend, Former Squad Leader, Manager, and Partner in Awesome
Tampa, FL
This work is dedicated first and foremost to my wife and daughter, whose support and love have kept me sane. And to the developers, management, and my team of engineers at the Northern Border Integration Demonstration, whose advice and hard work made this book possible.
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
Dr. Eugene H. Spafford, Executive Director, Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), as quoted in A.K. Dewdney, Computer Recreations: Of Worms, Viruses, and the Core War, Scientific American, March 1989, 110.
CHAPTER 1
Introduction
One of the chief difficulties of the information security discipline is the need to balance the business or product with information security and assurance goals. All too often, particularly in the government and financial sectors, information security personnel, developers, system administrators, and engineers are seen as competing interests with divergent goals. This problem is compounded by the increasing prevalence of agile software development methodologies, which are seen by outsiders as a way to circumvent established processes with respect to system security and stability. Unfortunately, in many environments this misconception about agile development has widened the divide between development staff and the system engineers, security administrators, and IT staff charged with supporting their systems.
Rectifying this divide requires a return to the basics of information security and protection, from a philosophical perspective. The core goal of information security is summed up quite well in Information Security Fundamentals, by Thomas Peltier, Justin Peltier, and John Blackley:
Information protection should support the business objective or mission of the enterprise. This idea cannot be stressed enough. All too often, information security personnel lose track of their goals and responsibilities. The position of ISSO (Information Systems Security Officer) has been created to support the enterprise, not the other way around.
Their text is used in information security coursework throughout the country, and the statement above should be viewed as a guiding principle for all information security professionals, who need to understand that operational requirements and security guidelines can collide. Highly visible breaches, advancement of regulations and laws for the protection of data, and the explosion of internet-connected devices and services have brought an enormous amount of attention to the field of information security, resulting in not only a greatly increased focus on countermeasures, but bureaucratic bloat within organizations, particularly within the Department of Defense, where information assurance (IA) often ignores that very basic first tenet of supporting the mission rather than becoming it.
During my time at the Northern Border Integration Demonstration (NBID), I witnessed first-hand the clash between security standards and mission focus, between endless documentation and rapid change. While these problems were significant, they were not insurmountable, and over the years the NBID team found workable solutions by distancing ourselves from traditional mindsets and working agility into our security process.
With all the books and articles on agile development, Scrum, and the larger topic of information security, you may find yourself wondering why this book matters.
Who Should Read This Book
This book is intended for information security engineers, information assurance officers, system engineers, or anyone who has been thrust into the arduous task of securing and maintaining a rapidly changing system. Throughout my experiences at the Northern Border Integration Demonstration, the challenges of maintaining an adequate security posture (and complying with tomes of government regulations) became clear; when there's a new software build every few weeks, those charged with maintaining the system's security are always behind the power curve.
This book is not meant to be an exhaustive source of information on agile development, Scrum, or information security in general. The reader should feel free to take what's useful and discard the rest. This isn't meant to be a method strictly adhered to, but a rough framework and collection of ideas that you should modify as you see fit.