WG Agile Cybersecurity: Security Champions & SME
Vade Mecum for Security Champions and AppSec SMEs
Category: Common Status: Production 1: Idea - 2: Prototype - 3: Validation - 4: Production
The purpose of this document is to help security managers, Application Security and DevSecOps program managers, and project managers design an organizational structure for their teams to address security challenges in agile projects, including the main roles and activities of Application Security.
This guide can be applied to any project (or team) for which an agile management methodology is implemented. This guide is not intended to cover other project management methodologies such as Waterfall or the V/W cycle. This guide has been designed to be agnostic in the sense that no agile methodology is promoted over another. Terminology related to agility is used (product, backlog, etc.).
This guide aims to establish a model that takes into account all the roles and activities of Security Champions and AppSec SMEs (Subject Matter Experts). Everyone is free to adapt this model to their needs and the context of their organization, including all or part of the elements defined in this guide.
RACI for cybersecurity activities for agile projects
The work of the Agile Cybersecurity Working Group is complemented by a RACI matrix for cybersecurity activities for agile projects: Download the matrix here
This RACI (Responsible, Accountable, Consulted, Informed) matrix is a model for allocating responsibilities for different roles in relation to security activities, at the level of an application-type product (activities in green) and a set of products or an organization (activities in blue), in a context where an agile project management methodology is used. It is designed to be applicable to any type of organization, regardless of size, but will nevertheless need to be adapted to the target structure.
Download
Download the deliverable in PDF format
Working group
Agile Cybersecurity: Security Champions & SME