choss@outlook.com
DevSecOps Lead
Java Developer
Payments / Retail Banking
Mid-large companies that are:
Regularly beaten to market by challenger startups
Goal: Deliver an MVP in 12 weeks
Developers
IT Security
Sprint 1
SPIKE user story: design the mobile app integration with the OAuth2 provider and store the access token on the server
Given: I am a mobile app user
And: I wish to authorise access to an OAuth2 resource
Then: I can provide the grant code to the project backend
And: the project backend will obtain an access token
And: the access token will be stored for later use
DevSecOps Engineer and SME document and threat model the design and identify the following security controls:
DevSecOps Engineer and SME review the threat model with the IT Security Liaison and look up the company standard for each control
DevSecOps Engineer writes a reusable component for encrypting data at rest that complies with the IT Security standards
Based on the developer design, the BA writes smaller stories ready for the next sprint.
DevSecOps Engineer ensures that each security control is part of the Acceptance Criteria.
Given: the project backend has received a grant code
Then: the backend can use the code to obtain an access token
And: the token will be stored for later use
And: the token must be encrypted using the agreed library
Based on the controls identified during the threat modelling / engagement session, stories are created to implement the controls
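What the "agreed library" for encrypting tokens at rest can look like, as an added illustration (not the company's component or any code from this deck): an AES-256-GCM wrapper that stores the IV with the ciphertext and binds the owning user id as additional authenticated data, so a sealed token copied from one user's row to another's fails to decrypt. The class name, the `user-42` id and the token string are constructed for the example; the grant-code-for-token exchange itself (a POST to the provider's token endpoint) is outside the block. In production the key would come from the agreed secret retrieval mechanism rather than being generated in `main`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Seals short secrets (OAuth2 access/refresh tokens) for storage with AES-256-GCM. */
public final class TokenVault {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM nonce size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    /** The key is supplied by the caller; it must be fetched via the agreed secret store, never hard-coded. */
    public TokenVault(SecretKey key) {
        this.key = key;
    }

    /** Returns base64(iv || ciphertext || tag). userId is AAD, so the blob is tied to that user's row. */
    public String seal(String userId, String token) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);  // fresh random IV per token; never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts a blob produced by seal(); throws AEADBadTagException on tampering or wrong userId. */
    public String open(String userId, String sealed) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(sealed);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("sealed token too short");
        }
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Demo only: a real deployment loads the key from the agreed secret retrieval mechanism.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        TokenVault vault = new TokenVault(kg.generateKey());

        // Constructed sample values standing in for the token returned by the OAuth2 provider.
        String sealed = vault.seal("user-42", "constructed-access-token-value");
        System.out.println("round trip: " + vault.open("user-42", sealed));

        try {
            vault.open("user-99", sealed);  // same blob, different owner: AAD mismatch
            System.out.println("BUG: cross-user decrypt succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected cross-user use: " + e.getClass().getSimpleName());
        }
    }
}
```

An acceptance test for the story above can drive exactly these two paths: a sealed token opens for its owner and fails with `AEADBadTagException` for any other user id or any flipped byte.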
Given: the mobile app authenticates with the OAuth provider
Then: all communications will use certificate pinning
And: the pinning implementation is reviewed by the SME
Given: the app requires access to secrets
Then: the agreed secret retrieval mechanism is used
And: the secret retrieval is reviewed by the SME
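One concrete form the pinning story can take, added here as an example and not taken from this deck: an Android client built on OkHttp, whose `CertificatePinner` pins the SHA-256 of the provider's SubjectPublicKeyInfo. The host `auth.example.com` and the two pin values are placeholders; the SME reviewing the implementation would check that the real pins cover both the current key and an offline backup key so a routine rotation does not lock users out, and that failure is fail-closed.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** HTTP client for the OAuth2 provider with SPKI pinning (OkHttp 3.x / 4.x API). */
public final class PinnedOAuthClient {
    // Assumed authorisation server host for the example.
    static final String AUTH_HOST = "auth.example.com";

    // PLACEHOLDER pins: base64(SHA-256(SubjectPublicKeyInfo)). Two entries: the live key and a
    // backup key kept offline, so rotating the certificate does not require an app release.
    static final CertificatePinner PINNER = new CertificatePinner.Builder()
            .add(AUTH_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
            .add(AUTH_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
            .build();

    static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .certificatePinner(PINNER)
            .build();

    /**
     * Fetches the provider's discovery document. If no pin matches the presented chain, OkHttp
     * throws SSLPeerUnverifiedException before any bytes are sent: pinning fails closed. The
     * exception message lists the SPKI hashes the server actually presented, which is how the
     * placeholder pins above get replaced with real ones during development.
     */
    public static String fetchDiscovery() throws IOException {
        Request req = new Request.Builder()
                .url("https://" + AUTH_HOST + "/.well-known/openid-configuration")
                .build();
        try (Response resp = CLIENT.newCall(req).execute()) {
            return resp.body().string();
        }
    }
}
```

The same `CLIENT` must be used for the token and authorisation endpoints as well as discovery; a second, unpinned `OkHttpClient` created elsewhere in the app is the usual way this control silently fails review.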