A 2015 Gartner report estimated that 25% of Global 2000 organizations would be using DevOps and Agile development practices as part of their mainstream strategies by the close of 2016. Our experience with Synopsys customers confirms this prediction has come true.
In Agile development, passes through the software development life cycle (SDLC) occur more often than in traditional development models. Some development teams complete an SDLC over the course of 2 weeks, while others complete one daily.
A traditional software security group (SSG) isn’t equipped to apply security activities to Agile development environments effectively. Applying security to agile processes requires the injection of security-related people, processes, and testing activities at a sprint tempo. This tempo leaves little time for security teams and resources to review the software, deliver information on security and quality defects, and retest without disrupting the workflow. Even if SSGs dedicate staff to each project (which is usually out of the question), there still isn’t enough local knowledge of each application to get everything done well.
So how can we inject security into Agile development?
Developers are familiar with an organization’s software. They are familiar with the organization’s development groups. And they have a deeper understanding of the technical issues and challenges that the organization faces. Recruit these developers as Security Champions. Train them in defensive programming and how to identify security defects. Additionally, empower them with responsibility for the security of the applications they work on.
Security Champions are developers who have a direct impact on the resiliency and security of their firm’s software. They are enthusiastic volunteers willing to participate in advanced software security training to perform an important role. They are also a part of a greater community of Champions exchanging ideas and techniques.
Since Security Champions come from within the development organization, they have the right relationships to better assist developers, testers, and architects in accomplishing their goals. Security Champions can usually communicate more effectively with software teams than the centralized SSG can.
It’s important to note some qualities that make a good Security Champion. Candidates provide the most value when they can draw on past development experiences. To do this, Champions must have experience working as developers within a company’s development organization. One way to find Champions is to seek nominations from application owners and stakeholders within this organization. The best way is to recruit those developers who are self-starters in software security topics.
Additional Security Champions criteria:
With Agile becoming a popular development methodology, a Security Champions program can help an SSG apply security activities throughout an organization and
in agile environments. Additionally, Champions have a unique perspective and can provide the SSG with valuable feedback to help guide the continuous improvement of the software security initiative.