Software developers don't take a security-first approach.

As you lead your organization in securing software development and delivery, you will come across several challenges – despite the recent growth and increased adoption of the agile methodology. Application vulnerabilities and coding issues are typically time-consuming to find, document, and fix with traditional testing tools. Short agile sprints don't lend themselves to these long processes; however, there are ways to integrate secure development effectively with agile methods. The very nature of agile development lends itself to keeping developers working efficiently within their toolchain, by giving them the tools to finish the job before they move on to the next feature.

The classic waterfall methodology for the development cycle is typically top-down in nature and lacks visibility into the day-to-day work of developing software. While high-level objectives around timing and roadmap deadlines take precedence, the quality, and often the security, of the product can be compromised. The resulting disconnect between Security and Development teams further delays both the implementation of compliance requirements and the delivery of secure software.

In an agile environment, developers write code based on the work committed in the current sprint. At various points in the process they use their Integrated Development Environment (IDE) to upload code to Veracode's cloud-based service for static application security testing (SAST). Once the assessment is complete, the results are downloaded to their development environment, and developers can address any vulnerabilities they introduced before check-in. By finding vulnerabilities during the coding phase instead of during a separate security hardening sprint, developers need not switch context to work on code written long ago. This saves time and increases velocity – while at the same time ensuring the security of the software being developed, tested and shipped.
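The check-in gate described above, as an added example that is not part of the original post and does not use Veracode's own API or output format: it assumes a hypothetical scanner that emits results in the SARIF 2.1.0 layout, takes a baseline of fingerprints from the last accepted scan so that only findings introduced by the current change are counted, and refuses check-in when any new finding is at a blocking level. The sample scan output and baseline are constructed for the example.

```python
import json
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample scan output in SARIF 2.1.0 layout (hypothetical scanner, not real results)
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL query built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-79", "level": "warning",
             "message": {"text": "Unescaped value rendered into HTML"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "CWE-327", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 8}}}]},
        ],
    }],
})

# Constructed baseline: fingerprints of findings already known from the last accepted scan
BASELINE = {("CWE-327", "app/auth.py", 8)}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    def fingerprint(self):
        # Rule + file + line is a stable enough key to recognise a finding across scans
        return (self.rule_id, self.uri, self.line)


def parse_sarif(text):
    """Flatten every result in every run of a SARIF document into Finding objects."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            uri, line = "<unknown>", 0
            locs = res.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine", line)
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                level=res.get("level", "warning"),  # SARIF's default level
                uri=uri,
                line=line,
                message=res.get("message", {}).get("text", ""),
            ))
    return findings


def new_findings(current, baseline):
    """Keep only findings not in the baseline, i.e. those introduced by this change."""
    return [f for f in current if f.fingerprint() not in baseline]


def gate(findings, fail_on=("error",)):
    """Decide whether check-in may proceed.

    Returns (passed, counts_by_level, blocking_findings).
    """
    counts = Counter(f.level for f in findings)
    blocking = [f for f in findings if f.level in fail_on]
    return not blocking, dict(counts), blocking


if __name__ == "__main__":
    # Typical use: run from a pre-commit hook on the scanner's SARIF file
    introduced = new_findings(parse_sarif(SAMPLE_SARIF), BASELINE)
    passed, counts, blocking = gate(introduced)
    print(f"new findings by level: {counts}")
    for f in blocking:
        print(f"BLOCKING {f.rule_id} {f.uri}:{f.line} {f.message}")
    sys.exit(0 if passed else 1)
```

The baseline is what keeps the gate usable in a sprint: pre-existing debt (the MD5 finding here) is tracked separately, while the developer is blocked only on what their own change introduced, so the fix happens while the code is still fresh in their mind.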

As a result, the agile methodology enables those leading Development teams to have first-hand insight into the security of the code being built, and to reconcile these assessments with timelines around product testing and release dates. This ability begins to close the gap between the goals of the Security side of an organization and those of the Development teams. Neither innovation nor security is sacrificed.

Stay tuned for my next post on how to embed security into an actual sprint – increasing effectiveness and reducing time spent on the security assessment process. In the meantime, I welcome any thoughts or experiences you are able to share on agile methodologies for secure software.


About Pete Chestna

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode's 1,000+ customers. Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode's service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode's SaaS platform and built the first DevOps team. Pete also spearheaded Veracode's initiative to automate the use of Veracode products into the company's development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs. Pete has more than 25 years' experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface.
