Fifteen years after the Agile Manifesto was released, similar inefficiencies still plague application security efforts in software development. Security is often seen as something separate from—and external to—software development. It’s time to change the approach to building secure software using the Agile methodology.
When building secure software in an Agile environment, it’s essential to focus on four principles. These principles are patterned after those in the original Agile Manifesto: while there is value in the items on the right, we value the items on the left more.
The goal is to guide the design of new activities, and the adjustment of existing ones, so that building security into an agile process becomes natural and efficient. These four principles are meant to inspire us to build secure software in an agile way:
- Rely on developers and testers more than security specialists.
- Secure while we work more than after we’re done.
- Implement features securely more than adding on security features.
- Mitigate risks more than fix bugs.
Building secure software in an agile way is fundamentally the same as building software in an agile way.