Jan 22, 2013

Agile and Secure (I)

The objective of this post is not to discuss the Agile software development methodology in depth, but it is worth reviewing some key concepts. You can read the ‘Manifesto for Agile Software Development’, or the 12 principles that derive from it, but basically when we talk about Agile development we are considering a single goal: to create a working, functional software product. With that in mind, Agile teams work very closely with project stakeholders throughout the development lifecycle, knowing that it is the stakeholders who possess the knowledge the system must embody. Agile teams work very hard to deliver working software iteratively and incrementally, and they adopt techniques that support that ideal.

There are a variety of Agile processes to choose from, and each abides by the spirit of the manifesto and its 12 supporting principles. You can use eXtreme Programming (XP), Scrum, or other project management and development methods associated with the “Agile Development Movement”.

The strength of Agile is that it can save organizations significant amounts of development time and money, while still allowing them to deliver high-quality software.

The challenge is to integrate security testing into the fast release cycles of Agile projects without sacrificing test coverage, delaying release schedules or cutting features.

There is a perception today that Agile methods do not embrace secure code and secure coding practices, and to some extent, historically, security has not been given the attention it needs when developing software with Agile methods. Given Agile’s fast pace, it is easy to see how many organizations would simply consider testing for application security defects too costly in terms of both time and resources.

In fact, today it is difficult to find an organization that uses an Agile methodology and is also focused on information security. You will find a good read in this article: ‘Agile Software Development: The Straight and Narrow Path to Secure Software?’

This is the abstract of the article:

 “In this article, the authors contrast the results of a series of interviews with Agile software development organizations with a case study of a distributed agile development effort, focusing on how information security is taken care of in an Agile context. The interviews indicate that small and medium-sized Agile software development organizations do not use any particular methodology to achieve security goals, even when their software is web-facing and potential targets of attack. This case study confirms that even in cases where security is an articulated requirement, and where security design is fed as input to the implementation team, there is no guarantee that the end result meets the security objectives.”

The only way the perception and reality can change is by actively taking steps to integrate security requirements into Agile development methods.

Since Agile methods focus on rapidly creating features that satisfy the customers’ needs, and security is a customer need, it is important that it not be overlooked. Application security cannot be ignored, even with the adoption of Agile development practices. It is imperative to include security testing as part of your development process.

In the next post we will look at some considerations for integrating both: agility and security.
