Are you tired of waiting for the agile fad to pass so you can go back to doing security slow and steady? You might find yourself waiting for a long time. Agile software development is here to stay and is being adopted by organizations of all sizes. Firms are increasingly moving toward incremental development that builds quickly to adapt to changing customer and market demands without incurring enormous costs of lengthy development cycles.
As organizations move faster and faster, they often realize that some of their security processes don’t quite keep up with the rapid pace of development. It just so happens that agile development can be done securely, and your developers’ security expertise is going to be a huge asset when fitting controls to the development process.
Here are a few ways to make sure your development and security processes align efficiently while keeping up with the rapid pace of changing demands:
Leverage tools and defect discovery methodologies that don’t rely on a complete, fully functioning artifact to return issues. One example is defect discovery during design phase activities, including architecture risk analysis, threat modeling, or secure design review. Another example is defect discovery during development phase activities, which can include static analysis or secure code review.
If your vendor or methodology requires a finished product before security flaws can be found, use it for annual inspections or for major releases. When it comes to agile, opt for something leaner, like some canned security-focused unit tests, an IDE plugin, or some quick threat modeling at the whiteboard before sprints.
Stop waiting for your organization to magically change its culture. Agile developers will always be busy. One way to improve is to start running short, targeted campaigns against your most common issues, one at a time (a 15-minute guide to whisking away cross-site scripting, for example).
Learn from the results of your testing, and share them with as many people as possible. If developers aren’t automatically getting lessons from fixing a bug pile, pick out a few bugs to highlight and run a very fast education session on what the key takeaways should be. Remember, developers won’t always draw the same conclusions as security practitioners, so share multiple perspectives with your team.
Make the path of least resistance the most secure path. Create cut-and-paste libraries, vetted through a slow and steady security process, that agile developers can drop into their code to do common things such as:
If you are too agile to build these things, simply go looking for libraries that work really well and promote them for internal re-use. Again, the key is to make it easier for developers to do this than to find something random online or make it up as they go along.
Whether you are refining your tools, processes, technologies, repositories, resources, training materials, or even your own habits, the key to secure agile development is to accept the speed at which it operates and do the best you can to incrementally add value along the way. Agile development is built on the philosophy that adapting and responding quickly to changing needs is a way to efficiently build something cost-effective.
Similarly, learning to add security value in small amounts along the way builds a foundation upon which you can iterate and improve to reach significant levels of security maturity.
If you’re a security ace, don’t fight Agile. Learn from it.