Software Integrity Blog

 

Adding security steps to your agile development process

How do you transition from traditional software security to agile security? Learn how to integrate security into your agile development process.

You can build security into your waterfall software development life cycle (SDLC) when you have days or weeks to dot your i’s and cross your t’s. Don’t have time for that? Well then, agile is the fastest way to add add security to your SDLC.

What do you do when you’re engineering at high speeds? How do you transform your processes to fit your fancy new agile lifestyle? The following sections offer a glimpse into how to add security to your agile development process and how to determine the best way to add them.

How are agile security and traditional security similar?

Agile and traditional security use the same security activities. An agile application security approach doesn’t change the touchpoints, because changing the speed of development doesn’t change the types of security bugs or flaws you introduce. Continue using the security fundamentals your business is accustomed to:

  • Application security training for everyone involved with application building projects
  • Security requirements during requirements gathering
  • Architecture risk analysis during design
  • Static application security testing or secure source code review during development
  • Dynamic application security testing or penetration testing before production

Get the Agile Security Manifesto

How are agile security and traditional security different?

The implementation of security steps differs between traditional and agile security. Agile processes aren’t special snowflakes. They just make process inefficiencies more obvious than their waterfall counterparts. Here are a few examples of how:

  • Releasing every 14 days means a security assessment can’t take 5 days each time.
  • Stopping or slowing down development for days or weeks may actually pose more risk to your business than getting code through without detailed analysis.
  • Operating outside of the build cycle isn’t practical, since we are always in the build cycle with agile development.

How do I transition from a slower secure SDLC to a faster one?

Your secure SDLC needs to be as “incremental” as your SDLC. However fast you release, your software security risk indicators must fire at the same speed. You don’t need to do security testing every minute, but you need to know whether your code has changed enough each minute to merit a security test. Your risk indicators will set the threshold for when the codebase has changed enough to require software security activities. Some examples of risk indicators:

  • Type of data being handled (e.g., personally identifiable information or other sensitive data)
  • Change to security features (e.g., authentication, crypto, authorization)

The best kind of security is the kind that fits your business style. Here are a few ways you can start implementing agile security into your business:

  • Create new and updated processes that match the culture and are realistic.
  • Make incremental changes to the process. Revisit additions if they cause issues.
  • Determine the risk threshold for stopping or slowing down. Not every minor change needs a full review, but maybe every major one does.
  • Automate and add tools to catch low-hanging fruit. Options: a canned set of security requirements, a well-tuned security tool that only identifies a few findings but with high precision, and so on.
  • Do things the old-fashioned way periodically to make sure the new and “improved” way is working properly.
  • Create a process where compliance is guaranteed by virtue of following the right build process.
  • Create passive reviews that sound alarms for deeper testing without stopping the production line entirely.
  • Learn your technology well enough to know what tools will play nicely with what you have in place today.

Things to remember

When adding security steps to your agile process:

  1. Don’t reinvent the wheel. Your waterfall secure SDLC has plenty of raw materials. Maybe today you’re doing things such as code review, penetration testing, and threat modeling. You can add the same steps to your agile process, but do them only when needed, based on your risk indicators.
  2. Think strategically. When you shine a light on your risks, your headlights should outpace your travel speed. In other words, make sure that if you change a function that handles PII in a one-day release, you’ll be notified of a change to something handling PII that day.
  3. Build incrementally. Agile is about incremental development. In the same way, your foray into agile security should take the form of manageable, bite-sized sprints.

As you start to shift the discussion from “what” to “how,” you can think about how to draw from your current security SDLC to add security steps to your people, process, and technology for agile development.

The Agile Security Manifesto

Nearly 20 years after the Agile Manifesto was released, similar inefficiencies still plague application security efforts in software development. Security is often seen as something separate from—and external to—software development. It’s time to change the approach to building secure software using the agile methodology.

To build secure software in an agile environment, it’s essential to focus on four principles. These principles are patterned after those in the original Agile Manifesto: While we value the things on the right, we must value the things on the left more.

The goal of the Agile Security Manifesto is to guide you as you develop of new activities and adjust existing activities to make the switch to agile security. The four principles it describes are meant to inspire you to build secure software in an agile way:

  1. Rely on developers and testers more than security specialists.
  2. Secure while you work, not just after you’re done.
  3. Implement features securely instead of adding on security features.
  4. Mitigate risks rather than fixing bugs.

Learn how adding these principles to your own agile process can help you integrate critical security measures in a natural, efficient way.

Get the Agile Security Manifesto

 

More by this author