CISSP · Question #1136
A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?
The correct answer is D. Information security requirements are captured in mandatory user stories.. When transitioning to Agile, security must be embedded natively into the development process using Agile artifacts. Capturing security requirements as mandatory user stories ensures they are treated as first-class development tasks within each sprint.
Question
A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?
Options
- AAll developers receive a mandatory targeted information security training.
- BThe non-financial information security requirements remain mandatory for the new model.
- CThe information security department performs an information security assessment after each
- DInformation security requirements are captured in mandatory user stories.
How the community answered
(56 responses)- A9% (5)
- B4% (2)
- C16% (9)
- D71% (40)
Why each option
When transitioning to Agile, security must be embedded natively into the development process using Agile artifacts. Capturing security requirements as mandatory user stories ensures they are treated as first-class development tasks within each sprint.
Security training improves developer awareness but does not directly ensure that secure design principles are systematically implemented or verified within the Agile development workflow itself.
Mandating non-financial security requirements does not integrate security into the Agile process mechanics; it merely carries over a policy constraint without providing a methodology-native mechanism for tracking or implementing secure design within sprints.
Performing security assessments after each sprint is a reactive, detective control that identifies issues post-development, whereas the question asks for the best way to ensure secure design principles are implemented proactively during development.
In Agile methodology, user stories are the primary mechanism for capturing and tracking requirements within sprints and backlogs. By encoding information security requirements as mandatory user stories, security becomes an integral, trackable, and actionable part of each iteration rather than an afterthought, directly aligning with the 'shift-left' security principle and ensuring secure design is built in from the start of each development cycle.
Concept tested: Integrating security requirements into Agile user stories
Source: https://www.cisecurity.org/insights/white-papers/agile-development-secure-coding
Topics
Community Discussion
No community discussion yet for this question.