Getting Security Done with the Backlog
If you come from a development background, this might seem like a no-brainer, but for those who haven't worked in an agile shop, it might seem like fresh wisdom: working with the backlog can unlock a whole new level of cooperation between your AppSec team and developers. Once security asks are properly prioritized in the backlog, developing securely becomes business as usual. If you're on the opposite side of the coin and this isn't fresh wisdom, it might be worth sharing with someone who is having trouble getting teams to get things done.
In my career, one near-universal constant is that those who have a reputation for getting things done get overwhelmed by people who want them to get things done for them. Developers are no exception, and what they've put in place between the askers and the doers is the backlog, along with work-tracking systems like Rally and Jira. If a task isn't in a ticket, it's a favor. When the tickets pile up, favors give way to tickets.
Often, security professionals will have friendly contacts who will perform favors like setting up a tool, running a scan, or fixing an issue. Arrangements like this can work for years in small, informal shops, so many security teams never realize that other ways of getting tasks handled exist or are necessary.
Once upon a time, I was working to build an application security practice in a company that was transforming to SAFe Agile. Over the course of a couple of quarters, I noticed a pattern. If I asked for tool installations, or for a batch of security bug fixes to be prioritized, during certain months of the year, there was a much shorter delay before work started. This was because my requests were being entered into the team's backlog prior to the quarterly PI Planning meetings.
For those of you not properly initiated into SAFe, the PI (Program Increment) planning meeting is a big meeting where dev teams, infrastructure, and other support teams come together with backlogs of tasks that have dependencies on other teams. At this meeting, teams negotiate features and stories to ensure that blockers are resolved and everything is in place for successful launches.
As a security team, working in this structure was hugely helpful to us because we were able to negotiate our enabling security stories into their planned work efforts.
It's important to remember that we had strong CISO support in this organization. Without top-down support for properly and realistically prioritizing security asks, our asks would most likely have been washed out as low-priority tasks. Instead, we were able to plan our support and workload on a quarter-by-quarter schedule, and teams got used to working with us instead of for or against us.
Not every organization has a PI planning ritual, but most developers are used to pulling tasks out of the backlog. Getting security tasks pulled as often as needed takes a group effort by the AppSec team, security-minded developers, and leadership, so that the product owner and dev-team lead know what to include and when. I have another bunch of words planned about how to engage senior leadership to get them on board with security, but that's for the future.
There are many other ways that developers and security teams can support each other and help build more secure software together, but it's vital to respect the workflow to get work done.
There's always more to say on a topic like this one, but I've hit my budget for now. Stay secure and never forget the humans.