A 2015 Gartner report estimated that 25% of Global 2000 organizations would be using DevOps and agile development practices as part of their mainstream strategies by the close of 2016. Our experience with Synopsys customers confirms this prediction has come true.
In agile development, teams pass through the software development life cycle (SDLC) far more often than in traditional development models. Some development teams complete an SDLC over the course of two weeks, while others complete one daily.
A traditional software security group (SSG) isn’t equipped to apply security activities to agile development environments effectively. Creating secure agile development processes requires the injection of security-related people, processes, and testing activities at a sprint tempo.
This tempo leaves little time for security teams and resources to review the software, deliver information on security and quality defects, and retest without disrupting the workflow. Even if SSGs dedicate staff to each project (which is usually out of the question), there still isn’t enough local knowledge of each application to get everything done well.
So how can we inject security into agile development?