Agile development and security: Are you doing it right?

Jessica Cyrus
#agile #security
Agile
© Shutterstock / Iconic Bestiary
Agile development is great for a lot of things. However, it’s important to remember security issues in the development process. In this article, Jessica Cyrus goes over the best ways to make sure security concerns are adressed properly in the Agile development process.

While we value the principles laid down in the original Agile Manifesto released in 2001, we must now seamlessly integrate the principles of security into the Agile environment. A decade or later, things haven’t changed much in the software development corner of the industry. Similar issues plague application security efforts. Security is the Testing team’s responsibility and considered as separate from the activities & planning that goes into the software development process. Naturally, security features do not fit organically into any of the software development activities.

Integrating security specialists into the development process

Very often, we don’t think about security as something that’s part of the software we’re building. Continuous Integration/Continuous Deployment (CI/CD) need not be put on hold for an external security review before moving forward.
Security specialists are just like experts in any other discipline, like performance or user experience, working to achieve goals in security. They are experts in building security tools seamlessly into the development toolchain and the CI/CD environment.

SEE MORE: Agile machine learning: From theory to production

Integrating the security team into task planning

On a variant of the 1st principle, software developers must absorb security processes into software activities. When a software team is satisfied with the agile process they’re working on, security activities can become a part of that process, otherwise, it isn’t efficient at all.
A good example of this principle is in the way security specialists coordinate with development teams. In theory, security specialists can walk their own path. But they need to use the same whiteboards, sticky notes, or online tools that the development team uses. Simply put, the security team needs to use the same planning tools that the software team uses to sketch out security goals.

Secure implementations instead of add-on security features

Due to constant add-ons, the security of any software evolves over time. Instead of concentrating on the business value of software and achieving its mission, we end up adding security features like authentication controls, password storage schemes, etc. that are best left to security specialists whose business is to handle security kinks.
When software asks a user to save passwords, or when it turns on encryption, etc., the user sees the inner workings of the software’s security. Software developers in any software development company in India Must choose to change the code to make secure software features rather than inadvertently allowing users to see how their software’s security works.

SEE MORE: DevOps for IoT: Getting ready for the next phase

Fix security risks rather than bugs

Most software development activities include hunting for security vulnerabilities, fixing them, and terming the software as ‘secure’. While building software, security specialists & developers need to consider how to minimize risks to the business, the users, or the data. Only rarely is security as simple as fixing a bug. But frequently, it’s more complicated, with software & security specialists having to work out the right ways to deal with risk – prioritization risk management.
A holistic view of things that could go wrong is the best way to handle risk management, whether managing risk by writing some code; monitoring and reacting to bad behavior, using legal and contractual controls instead of technical controls, instead of making a never-ending list of individual bugs that need to be suppressed.
Most Agile teams fall into the trap of trying to go with the easiest fixes, which may include the dictum: “write the least amount of code that makes the security report go away.” Taking an all-rounder view of security risks negates that attitude. This would include looking at business processes, monitoring, legal contracts, etc. to discuss the risk to the business, not the just parts pertaining to coding.
The Agile Manifesto favors working software over reams of documentation, which does not mean it recommends forsaking documentation entirely. While risks must be mitigated, bugs to need fixing. With all things being equal, we cannot favor one component of the software development process over another.

Comments

Post a Comment

Popular posts from this blog

How adopting an agile approach can optimize your business outcomes

Image
Jan 11, 2018, 3:15am EST INDUSTRIES & TAGS   Career & Workplace SHARE   Order Reprints   Save Article   Print Get Newsletters and Alerts Morning Edition >> Afternoon Edition >> Breaking News Enter your email address Sign Up Mark Langley Contributing Writer RELATED  CONTENT How to bridge the project management talent gap How to drive organizational change by making the most of sponsors Five management tips to improve project results Since an organization’s strategic initiatives are implemented through projects and programs that drive change, enhance competitive advantage and fuel growth, it is imperative that companies take a holistic approach to project management and select the project management method that best suits the needs of a given project.  Agile approaches can complement traditional project management methods to quickly meet customer demands in t
Read more

Why Agile Is Eating The World​​

Image
Steve Denning   ,   CONTRIBUTOR I write about radical management, leadership, innovation & narrative.     Opinions expressed by Forbes Contributors are their own. Image Wikimedia Commons: Brocken Inaglory Great white shark at Isla Guadalupe, Mexico. In 2011, Marc Andreessen wrote his famous essay, “ Why Software Is Eating the World, ” in The Wall Street Journal, leading to the cliché that “every company needs to become a software company.” (A useful update by Jeetu Patel on the situation in 2016 is here: “ Software is still eating the world .”) In one way, Andreessen’s 2011 article was remarkably prescient. In 2011, IT firms were looked down on by Wall Street. Andreessen was telling Wall Street: “Pay attention! These companies are more valuable than you think they are.” And Wall Street listened. In 2018, the five biggest companies in the world by market capitalization are IT firms: Amazon, Apple, Facebook, Google and Microsoft. But it turned out that Andrees
Read more

Agile Transformation? Time To 'Rehumanize' The Business

Image
Jason Bloomberg   ,   CONTRIBUTOR I write and consult on digital transformation in the enterprise.     Opinions expressed by Forbes Contributors are their own. The story of extending the principles of Agile to the organization as a whole as I discussed in my article   Digital Transformation Requires Enterprisewide Agile Transformation   earlier this year is so powerful, I decided to run two workshops on the subject. I presented the first workshop at no-code vendor kintone’s inaugural   Connect conference in San Francisco, then headed to Orlando for Rising Media’s   Building Business Capability   (BBC) conference, where I ran a longer version of the same workshop entitled   Agile Digital Transformation . You can imagine my surprise, therefore, when one of the keynoters at kintone Connect presented a powerful story of transformation that aligned with mine – although he didn’t begin his story with software as I do. The reception to my workshop at BBC, however, was quite di
Read more