There's no question that Agile and DevOps are the way of the future. The traditional waterfall method of making and releasing software simply doesn't fit with how people consume it these days. By building software incrementally, Agile accommodates the constant change that is the hallmark of today’s software development.
DevOps takes this a step further by blending the teams that build all the components of a given software product. In response to the need for a smoother transition between development and operations, DevOps combines two traditionally siloed aspects of IT – development and operations – into one entity.
How Security Fits Into Agile and DevOps
Traditionally, Agile and security had a strained relationship because the standard ways of security testing code didn’t mesh with the Agile methods of software development.
For instance, the waterfall development process has very distinct phases, and each security activity is completed before moving on to the next phase. Agile, on the other hand, doesn’t have such distinct phases.
However, security assessments can fit within Agile processes – and, in fact, be more effective in Agile – as long as security practitioners realize that security must adapt to Agile, not the other way around. For example, to gel with the way Agile works, security should be embedded into the coding phase, rather than tacked on at the end.
A recent Veracode blog post noted that “by finding vulnerabilities during the coding phase instead of during a separate security hardening sprint, developers need not switch context to work on code written long ago. This saves time and increases velocity — while at the same time ensuring the security of the software being developed, tested and shipped.”
Security tasks can be further integrated into Agile development by including functional security requirements in story development, tagging security tasks and vulnerabilities so they can be tracked like any other feature or bug, and automating as much testing as possible into the build process.
Pete Chestna, Veracode’s Director of Platform Engineering, sums it up by saying, “the Agile methodology will enable those leading Development teams to have first-hand insight into security of the code being built, and be able to reconcile these assessments with timelines around product testing and release dates. This ability begins to reduce the gap between the goals of the Security side of an organization and those of the Development teams. Neither innovation nor security is sacrificed.”
Security Solutions Suited for Agile and DevOps
Some security solutions are better suited to working in Agile than others. For example, classic security testing tools may require 100 percent of the code to be fully built before tests can be conducted. This requirement doesn’t work with Agile’s small iterative code changes delivered weekly or daily. On the other hand, static application security testing (SAST), which scans code for potential vulnerabilities while the software is in a non-running state, lends itself to the Agile process. This assessment technique enables developers to assess their software for issues without waiting for the entire code base to be ready.
In addition, application vulnerabilities and coding issues are typically time-consuming to find, document and fix with traditional testing tools, and short Agile sprints don’t cater to these long processes. Solutions built for paradigms such as Agile and DevOps have to be able to scan code quickly, without significant configuration. Therefore, an automated, cloud-based service like Veracode’s is ideal in this environment.
For example, the majority of Veracode assessments finish quickly — within hours or overnight (in fact, 80 percent of assessments for Java and .NET applications are turned around in less than 4 hours). That means that security assessments can fit into a one- to two-week sprint that is typical in most development organizations.
Finally, a solution that integrates with developers’ existing processes and tools is key to coding securely with Agile. Veracode tightly integrates security assessments with existing processes and tools, including IDEs (e.g., Eclipse, Visual Studio), build systems (e.g., Jenkins, Ant, Maven, TFS) and issue tracking systems (e.g., JIRA, Bugzilla, RSA Archer).
Balancing the Competing Demands of Speed and Security: Ad-hoc is no way to approach software security, http://www.veracode.com/solutions/by-role/developers
Protect Applications Across the Entire SDLC: Secure Web Application Development, http://www.veracode.com/solutions/by-need/secure-development
Secure Agile Development: New Blog Series by Analyst Firm, http://www.veracode.com/blog/2014/09/edit-blog-post-secure-agile-develop...
The Agile Dope Slap, http://www.veracode.com/blog/2014/10/agile-development-dope-slap
Do You Code Securely? Three Reasons You Must Say Yes, http://www.veracode.com/blog/2015/04/do-you-code-securely-three-reasons-you-must-say-yes
Secure Agile Development. Think like a Developer, http://www.veracode.com/blog/2014/11/secure-agile-development-think-developer
Find it Early, Fix it Early: PETETalks, http://www.veracode.com/blog/2014/12/find-it-early-fix-it-early-petetalks