Securing the digital product by

implementing S-SDLC in Agile Scrum

(augmented with ITSM framework)
Shinta Amalia Kusuma Wardhani, S.Kom., M.Kom
Shinta Amalia Kusuma Wardhani,. S.Kom., M.Kom
Tempat dan tanggal lahir : Blitar, 1 November 1996/27 tahun
Domisili : Tangerang Selatan
Pendidikan
1. S1 Sistem Informasi Universitas Jember (2014 - 2018).
2. S2 Sistem Informasi Institut Teknologi Sepuluh Nopember (2019-2021).

Pengalaman Kerja
3. Dosen Program Studi Sistem Informasi UNUGIRI Bojonegoro (2020-2022)
• Reviewer Jurnal Nasional Terakreditasi
• Berbagai jurnal maupun international conference terindeks scopus dalam
bidang: Social commerce, IT Service management, dll.
2. System Analyst PT. Telkom Indonesia (2021-Sekarang)
• Stream Lead tim system analyst untuk projek Telkom IoT Platform
• System analyst team untuk projek FACP, Inventory management, YAKES
Care Corner, etc.
2. System Analyst PT. BFI Finance (2022)
• Serve in Project Collection Management System for BFI Finance
Nationwide.
2. DIgital Product Owner PT. BFI Finance (2023-present)
• Collection Management System
• Loan Management System - Payment System.
Cybersecurity

Cybersecurity risk occurs because institutions

are often unable to ensure an appropriate set
of tools, technologies, training, and best
practices to protect networks, devices,
programs, and data from unauthorized
access. (Uddin et. al, 2020)

Cyber security memastikan suatu aset digital hanya diakses oleh user/pihak yang ter-otorisasi.
Recent Cyber attack story
Lesson learned?
● Awareness terhadap Cybersecurity meningkat untuk seluruh karyawan
● Sistem keamanan perusahaan yang lebih baik
● Hanya diperbolehkan install aplikasi sebagai alat kerja
● Dipasang crowdstrike untuk memonitor aktifitas laptop karyawan
● Adanya server khusus untuk back up seluruh digital asset perusahaan
● Server swing secara berkala
● Pergantian password secara berkala dan wajib

Security Awareness sebagai Product Owner?

 Security Awareness sebagai Product Owner

Gather the requirement Searching the best solution

Backlog grooming Design the solution

Make sure the functionalities UI/UX

Collaborate with engineers Sharpen the test case with QA

Backlog prioritisation
Open Discussion

Agile; Waterfall;
Sprint; Scrum
Secure SDLC
is either a SDLC process augmented with various security practices or activities like a
security specification language, security requirements engineering process, secure
design specification language, set of secure design guidelines, secure design pattern,
secure coding standard, and software security assurance method (e.g., penetration
testing, static analysis for security, and code reviews for security).”

1. Microsoft SDL (Security Development Life Cycle)

2. Software Assurance Maturity Model (SAMM),
3. Software Security Framework (SSF),
4. Open Web Application Security Project (OWASP),
5. McGraw’s Touchpoints, Comprehensive Lightweight Application
Security Process (CLASP)
Is Agile methodology secure?
As Mohino et. al (2019) mentioned that agile methodologies take advantage of the
flexible response to functional requirement changes but these kinds of
methodologies do not usually take practices for secure software development
into account
Agile methods are too fast to incorporate security. the developers are trained for
developing features fast, and the whole idea of agile methods is focused on
faster delivery. A two-week sprint may deliver the feature; however, incorporating
security aspects may “need more than one sprint. (Arora et. al, 2021)
Secure SDLC for Agile
1. Software Requirement Specification Meeting
untuk mengumpulkan basic requirement
2. Mendefinisikan scope dan context project
3. Menentukan backlog activities, functional boxes,
dan security boxes
a. Functional boxes -> functional requirement
b. Security boxes -> non-functional requirement
4. Menentukan critical activity dan dependency
antar proses
1. Menspesifikasikan fase atau step pada software
development
2. Meng-assign functional boxes dan security boxes
dalam backlog activity
3. Mengadakan semacam backlog grooming untuk
assign backlog pada roles tertentu
4. Menentukan sprint goals dan sprint planning
THE FRAMEWORKS
Information Technology Infrastructure Library (ITIL) 4

Guiding principle

Service Value System ITIL 4 1. Focus on value

2. Start where you are
3. Keep simple & practical

Governance

Governance The means by which

an organization is directed and
output : Value controlled

The outcome of the SVS is

value, that is, the perceived
Input : opportunity and demand benefits, usefulness, and
importance of something
1. Opportunities represent
options or possibilities to
add value for
stakeholders or otherwise
improve the organization. A recurring organizational activity performed at all
2. Demand is the need or levels to ensure that an organization’s
desire for products and performance continually meets stakeholders’
services among internal expectations
and external consumers.
Information Technology Infrastructure Library (ITIL) 4

Service Value System ITIL 4

A set of interconnected activities

that an organization performs to
deliver a valuable product or service
to its consumers and to facilitate
value realization.

Service value chain

Practices Sets of organizational

resources designed for performing
work or accomplishing an objective
ISO 27001
ISO 27001 is designed to ensure the selection of adequate and proportionate
security controls; these controls help protect information assets and gives
confidence to stakeholders such as customers. Individual controls are neither
specified nor mandated; these are dependent on the size and type of
organisation, and what is applicable to their business
16 domain area ISO 27001
Information Security Policies
Organization of information security
Human resource security
Asset Management
Access Control
Cryptography
Physical and environmental security
Operations Security
Communication Security
System Acquisitions, development, & maintenance
Supplier relationships
Informations Security Incident Management
ITIL and ISO 27001

ITIL 4 Practice ISO 27001

IT Security Management A.5.1.1 Information security policy document

A.5.1.2 Review of the information security policy
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.2.1 Identification of risks related to external parties
A.10.6.2 Security of network services
A.11.1.1 Access control policy
Vulnerability on fintech
● Criminal activities such as theft of confidential personal identification number
(PIN) of a bank manager may lead to several fraudulent transactions in the
banking system
● criminals can steal customers’ identity and PIN to avail banking services and
withdraw cash. These types of criminal activities involving fraudulent
transactions may have litigation risks for financial institutions besides direct
economic losses
● The intentional IT system failure distributed denial of services (DDoS) attacks
may completely shut down banking services, allowing the criminals to plant
malware or other spyware within the banking system
Vulnerability on fintech
● frequent changes in the computer operating systems and
● insufficient data processing logs to identify the precise reasons for system
breakdowns
● developing a variety of hybrid financing products with the development of IT-
based financial engineering in which the assessment of risk is complicated
due to uncontrollable cyber-crimes
● financial institutions are exposed to higher credit risk because of the
probability of selecting wrong borrowers based on manipulated data
Case Study
Problem: Saat ini cukup banyak kasus proses pinjaman online yang
mengatasnamakan identitas/KTP orang lain yang bukan penerima dana.
Solution: Membuat fitur KYC yang proper dan memastikan calon customer ketika
mengajukan pinjaman adalah benar-benar valid