How Agile Development, Automation and Security Can Work Together

Cutting corners is rarely good business. Whether you're flipping burgers, schmoozing clients or practicing law, taking the short route in your industry will almost always make someone angry.

Take software, an industry governed by (generally) stringent standards and high-paying clients. Agile development, an ever-growing practice that ranges somewhere between beards and UGG boots on the trend-o-meter, has a lot of good things going for it: it's fast, it often eschews outmoded development practices, and it goes a long way toward eliminating the so-called "baked-in" wait times that come with the old-school way of doing things.

But all that speed comes with a price. And more often than not, that price comes in the form of security, a baffling trade-off given the exploding focus on privacy and stability in the software world.

The good news? It doesn't have to be that way. Automation, a major tenet of pretty much every Agile variation out there (and one we've discussed before), can work just fine on the security end of things — no matter which development practices you currently employ. You just need to have the right mind-set.

Traditional Methods

For all their shortcomings in this brave new world of software development, there's something to be said for traditional methodologies such as waterfall. They tend to be quite a bit more thorough than more contemporary practices, for one thing: In the days when web-based delivery was not yet a thing in the development field, people tended to release as complete a product as possible on their first shot.

As with Agile's speed, however, that get-everything-done approach isn't without its problems. When everything is built at once, waiting until the very end to fix problems can introduce a whole slew of other issues, many of which butt directly against contemporary thoughts on how things should be done. To that end, having a set time to identify and eliminate issues (especially those that aren't the proverbial "showstoppers") makes precisely zero sense. It's a lot faster and more fluid to address security problems as they come.

With or without an Agile mindset behind it, automating the grind work that comes with fixing security issues solves a lot of problems. Keeping human hands on the things that need human intervention is just sound logic. Not every security flaw can be picked up by dedicated hardware or software, but a surprising number can be these days — and every error that is caught and repaired by computers is another one QA doesn't have to flag and devs don't have to fix.

Modern Practices

The same idea applies when we think about Agile development, though in a slightly different way. With Agile, tons of things are automated — it's a methodology that more closely matches the way consumers and clients get their software in this day and age. The problem with Agile often comes down to what can be automated versus what people think can be automated. Bug catches and fixes are one thing; security issues, which tend to require a bit more in the way of active, engaged (read: human) minds, are another.

But security can be automated with Agile. For a methodology obsessed with speed above all else, that's a potential game changer.

Think about it: The most common security issues aren't exactly new on the block — they're the same old things, made exploitable yet again in new bits of software. In that sense, isolating security concerns before they become customer-facing flaws isn't much different from dealing with bugs automatically.

Better yet, Agile's focus on centralized, off-site hardware carries over to security, too. That means less baked-in downtime for a business's hardware and its people, all while resolving issues regarded as must-fixes before a product ever hits shelves.

Finally, it may help to change assumptions about what "automation" means. When we said not every security flaw can be picked up by machines, we meant it — but that doesn't mean they can't be handled in an Agile environment without disrupting the rest of the development and deployment cycle. Outsourced experts, who are an increasingly viable option in the highly specialized security world, have many of the same benefits as leaving the work to computers and provide that dynamic, adaptive help only humans can offer.

Agile and Security Are Not Oil and Water

Whether your office is Agile or still employs traditional methods, make sure you're paying attention to automated security. Whatever your security goals and however you plan to reach them, there's a good chance you can save some money or time in the long run — and in development, saving one almost always means getting more of the other. At least, it does if you have the right mind-set. Stay secure out there.

About Evan Wade

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, gives him unique insight into the world of mobile/Web security and the steps needed to properly secure software products.
