Security Architecture

Organizers:

 André Mariën, Maarten Van Horenbeeck, Johan Peeters

Objectives:

  • to understand what a security architecture is and its role within agile development
  • to identify some useful security architecture patterns

Contents:

We will explore the place and role of architecture, and more particularly security architecture, in agile projects. Security architecture is seen as an emergent property rather than an up-front artefact. Hence the session finds solutions for specific problems and then reflects on these solutions and attempts to factor out common elements - these elements, or patterns, are what we perceive as the (security) architecture of a system.

Process & Timetable:

The session starts by eliciting the security problems participants care about and forming affinity groups around them.

Next, a system that one of the group members is working on is chosen as a case study and groups look for ways of mitigating the risks.

Each group gets 5 minutes to present their proposal in a plenary session. After that, other participants are invited to find flaws in the proposal and suggest improvements. After a short break, the plenary session continues and tries, under the guidance of the session organizers, to mine the architectures presented for patterns. This activity aims to lay bare the principles underlying defensive techniques. Another topic to be addressed by the plenary session is the level of confidence afforded by architectures emerging from relatively low-cost, low-protocol exercises such as this one. What, if anything, is needed to increase that confidence? How does that fit into an agile project?

Session Format:

workshop

Intended Audience:

 Participants need to be sufficiently aware of security issues to be able to identify potential pitfalls in their own as well as other participants' projects.

Benefits of participating:

  • broaden understanding of security pitfalls
  • enrich palette of countermeasures
  • gain insight into risk mitigation

Benefits of organizing:

  • same things as the participants
  • understand the security concerns of fellow developers that are less focused on security
  • gain experience in presenting these issues in a participatory environment

Duration:

120 mins