Software security requires a systematic and rigorous requirements-based approach to development that seems more in keeping with the linear progression prescribed in the Waterfall methodology. However, we believe you can effectively balance agile implementations and rigorous security protocols to achieve greater speed to market, while maintaining transparency and integrity—equally vital aspects of the development process.
Agile development methodologies provide leading edge solutions in modern software development. In addition to Agile’s other notable advantages over the older Waterfall methodology, it encourages developers to consider and build security into systems from the beginning of a project.
Both Agile and Security Operations Center (SOC) teams rely on speed and transparency to achieve business value activities. Agile development teams engage in short development sprints; and similarly, SOC teams frequently are asked to conduct rapid security assessments to identify and triage threats and incidents. By involving members from both the development team and security operations in the identification and response to threats, we can collaborate to achieve a balance between agility and security and avoid sacrificing security for speed. Integrating security specialists within the Agile development teams provides the needed expertise and guidance and drives best practices and adaptability.
Limitations to the secure development process are counter-intuitive to the very elements of agile. For example, security gates and controls involve slow, manual and inflexible processes. Thus, success requires aligned agility and security.
Consider three key factors when aligning and adapting security measures to the agile process:
- Security approaches must be adaptive and iterative, like the Agile software development methods, and not hinder the development process.
- Security approaches provide concrete guidance and tools at all phases of development, i.e., from requirements capture to deployment.
- A successful security activity adapts rapidly to ever-changing requirements.
When security teams or SOCs understand how to integrate agile practices into their processes, they can realize the benefits of the fast pace of Agile. When Agile Teams understand how to integrate security practices as part of their daily development practices, they build in quality and security up-front and reduce the risk of introducing vulnerabilities into their systems and infrastructures.
Five steps to a secure foundation
Use these five steps, each aligned with an Agile Manifesto principle, to build a secure foundation for any new Agile software development project.
Get the security team embedded on day one
Embed a security team member on your project from inception and throughout subsequent increments to help ensure that security does not become an afterthought, and drastically reduce the risk of a schedule slippage and unnecessary re-working.
This aligns with Agile Principle #11: “The best architectures, requirements and designs emerge from self-organizing teams.”
Train Your Agile developers to think like hackers
Security must adapt to the agile process, but that is a two-way street. Security subject matter experts work with developers to teach them how to adopt a security mindset and examine the software they are creating through the eyes of a cybercriminal. Where are the software’s vulnerabilities? What security holes are they missing that someone could exploit? Because agile development focuses so much on speed and flexibility, agile teams need to learn to understand and anticipate the potential threats to the software they develop.
For this reason alone, developers must be trained in security, and continuously analyze a product and their code from a hacker’s point of view throughout all phases of product development.
This aligns to Agile Principle #5: “Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.”
Integrate security automation tools in development environments
Integrating security automation in the development environments provides the security team with visibility and a layer of control over the software development process. This type of automation
minimizes friction between the security and engineering teams, optimizes productivity and encourages developer adoption of security best practices – all key ingredients to a successful implementation of a DevSecOps model.
Integrating security tools provides continuous monitoring. This enables the security team to enforce security policies and quickly take any necessary steps to prevent security breaches.
This aligns with Agile Principle #8: “Agile processes promote sustainable development.”
Define a unit testing and peer review process
When most used the Waterfall method as their standard project management methodology, developers commonly provided untested code. This put the onus on the quality assurance (QA) team members to find all the bugs in the system. However, once developers know how to look at their code from an attacker’s point of view, developers can review their code before involving QA. Increase the effectiveness of this approach by including security in the agile team’s coding standards and each developer committing to daily security unit testing. By instituting this policy throughout the development process, the likelihood of finding major bugs and vulnerabilities early on substantially increases.
Peer review serves as another important tool in this process. Developers frequently focus on the happy path, or how the code should work, so it becomes easy to miss errors, even obvious ones, which can leave software vulnerable to attacks. Engaging a second set of eyes review a section of code results in an invaluable investment of time. Ideally, peer review prior to deploying anything into the development environment should serve as a minimum requirement to achieve maximum security and quality. Setting guidelines for how often peer reviews are conducted, or implementing Extreme Programming (XP) peer-coding techniques, can go a long way toward building in security and quality and achieving technical excellence.
This aligns with Agile Principle #9: “Continuous attention to technical excellence and good design enhances agility.”
Find the right balance for you
While at first glance, agile and security methods may seem at odds, with some effort, clear guidelines and use of available tools, the organization can strike the right balance between agile development and security requirements. The key is to remain vigilant and be willing to adapt to the ever-changing world of technology and cybersecurity.
This aligns with Agile Principles #1 and #2: “Our highest priority is to satisfy the customer through early and continuous delivery of valuable software” and “welcome changing requirements, even late in development.”
The Agile development process is here to stay. Agile provides a means to quickly adapt to changing business requirements and market conditions to focus on the most immediate needs, and then continually iterate to implement improvements expected to provide additional value.
Thoughtfully integrating security protocols into an Agile software development project ensures a high level of confidence in the security and availability of the resulting system and can help better prepare for project success.