Posted by Jim Ivers on June 7, 2016
Originally posted on SecurityWeek
A journalist asked me an interesting question this week: “Why doesn’t the Agile Manifesto address security?” After some thought, I think I have a good answer.
Recently, I’ve been carefully reviewing “The Manifesto for Agile Software Development,” the seminal document for agile development principles. The document, better known as the Agile Manifesto, was created in 2001 to provide guiding principles for the emergence of agile development. The Manifesto includes “Twelve Principles of Agile Software” that support the key concepts. In examining the Manifesto and the Key Principles, I believe the team that wrote the document was careful to use broad language and minimal words in framing the principles, to purposefully enable them to be applicable as the world of development evolved.
Think about it. The document was written before widespread adoption of the cloud, mobile applications, or the continuous implementation cycles we see today. Even with these foundational changes, the principles hold up well, which is a testimony to the authors’ brevity and careful word selection. I am not ascribing “James Madison framing the Constitution” levels of admiration here, but I do think they left the document open for interpretation as technology naturally evolves.
So back to the original question. The very first principle in the manifesto speaks to the “delivery of valuable software.” I believe the answer lies in the interpretation of “valuable.” There is a wide variety of business drivers that may qualify as “valuable,” such as return on investment, time to market, and usability. In my opinion, security is also a “valuable” business driver, and has become a growing point of emphasis up to the board level.
I attended a CISO forum in London that featured a lively panel discussion between various IT security providers and CISOs. They represented over 15 organizations, ranging from large banks to a news outlet. One CISO encouraged the providers to understand what the “crown jewels” — the valuables — of the organization really are. To illustrate his point, he noted that most would assume money would be his crown jewel. But it wasn’t. Instead, protecting his crown jewels was about preventing the loss of customer trust in a very competitive environment. Security mattered to him because a security breach would rupture that trust. So for that CISO, secure software translated to valuable software.
Of course, this is not limited to banks. Most organizations realize the importance of security to some extent. To an organization under unrelenting attack, security is viewed as not just valuable, but necessary. To organizations under regulatory control, security is an essential requirement to continued operations, which qualifies as valuable. Given that the attack point for most breaches has moved from the network and endpoint to the software, the emphasis on building secure software has increased in the past 15 years, since the Agile Manifesto was penned.
So by using the broad term “valuable,” I believe the framers of the Manifesto did include security, albeit not explicitly. When you consider the security bugs that create vulnerabilities as flaws, then the Manifesto does address security, because agile development is about reducing flaws and building valuable software. Secure is an essential component of valuable.