Mention security and testing to a group of young developers, and you'll likely hear a lot of groans. It's not that the current generation of Agile-minded code hotshots is careless; rather, it's that the culture at most companies is one of speed and achievement. It's easier to celebrate milestones than it is to celebrate the absence of something, even if that something is the absence of hacks. And often, there's a misconception that speed and security are mutually exclusive.
As a recent CA Veracode webinar on "Why Developers Need to Think about Security" finds, when it comes to software development, firms don't have to choose between speed and safety — they can have both. Here's how:
All developers recognize terms such as SQL injection and XSS, but that doesn't mean they think about them. Most scrums focus on the ideal end user, not the malicious one. When meeting to discuss design (totally the fun part of the job), considering everyone who might use your software, including an attacker, is an easy way to develop with security in mind without slowing down to talk about it. Having meetings solely about security is boring; incorporating security into every meeting allows you to keep sprinting without getting risky.
CISOs don't want more headaches, and developers don't want to be told that their software has vulnerabilities. When it becomes a question of time to market and functionality versus safety and thorough testing, team members start speaking different languages.
When that happens, it's time to change the conversation. You know that speed and security can coexist; you just have to explain that to your team members. From new roles to new goals, it's easy to build safety into the Agile software development process without compromising its famous development speed. The key is to start with an Agile mind-set.
Even after creating more safety-oriented development goals, there's no replacement for thorough testing. Instead of burdening developers with the responsibility of running all tests manually, seek a software security solution that can automate the majority of test functions alongside development. Security testing as you go eliminates the need for a separate step in the software development lifecycle, and ensures problems are detected and corrected before they can propagate throughout the product.
As more companies transition to Agile and seek to keep pace with the frenetic software arms race, there will inevitably be growing pains. But, thanks to the wisdom of companies that specialize in facilitating secure development, a major vulnerability that leads to a headline-worthy hacking doesn't have to be one of them.
Learn more on how to integrate security into the software development conversation by downloading CA Veracode's full webinar on coding securely without killing productivity.