Talk about agile with any waterfall-committed manager in the development industry, and you'll hear several reasons why maintaining status quo works better for her or him. You'll probably also hear this: Agile is fast, and probably better suited to how today's users consume software, but it just isn't as secure.
The problem with that logic? It's all wrong. Spend an hour listening to this webinar (which features Securosis Chief Technology Officer and Analyst Adrian Lane and Veracode VP of Security Research Chris Eng), and you're certain to agree. Here's an analysis of two crucial secure agile development topics you'll hear when you tune in:
Managing developers and other related personnel is nothing like the oft-repeated euphemism that compares it to herding cats. Really, no comparison will capture such a large, diverse group of personalities accurately. But, for Lane and Eng, chickens and pigs come close.
Lane and Eng use those exact terms to describe developers (who invest a lot into a project, like a pig giving bacon) and security people (whose contributions, while incredibly valuable, are more like chickens laying eggs). It's a bit of a trope, but it's also absolutely true, and managing those two different groups is key if you want to be agile and secure.
As Lane says, security personnel don't understand why minor changes to a given project's code can take weeks to implement, while developers "don't particularly appreciate security breathing down their necks" about the possible exploits found in their code. The trick is building out different roles within development teams, then using those teams to promote a self-directed, constant culture of education among your entire staff.
Accomplishing that goal will largely depend on your management style and the personalities of your team. One fairly universal suggestion from the webinar is a management tip as old as time: Appointing "security champions" (called "team leaders," "keyholders," and various other titles across countless industries) among your developers. These champions can lead courses on security, suggest changes in practices and attitudes and so on — whatever your teams may need to flourish as practitioners of secure agile development. Offer these roles on a volunteer basis, and keep the barriers to volunteer low; it'll give every developer a chance to learn more about a topic, not to mention the common ground between two different (but equally crucial) camps.
Switching existing processes over to agile can be a big challenge. The payoff is worth it, of course, but it's hard to see that in real time. Smart administration and observation are key to making the transition as painless as possible. If you do both right, you can design a system that keeps devs and clients happy with relative ease.
Just as agile is largely designed around today's delivery/deployment practices, your own movements toward secure automation should revolve around finding issues specifically related to your team's own practices — in other words, not following arbitrary rules because they could improve things. Doing that means finding "pain points": areas where clients have to wait an inordinate amount of time or excessive human intervention is needed to produce results.
One immediate area of potential improvement comes back to the "secure" part of "secure agile development": the testing phase. By automating your testing, you free up key personnel and hardware that could be misused during supposedly baked-in downtime. That's especially true if you take a continual approach to cloud-based (or otherwise off-site) hardware. When every line of code is checked by a machine before human eyes cross it, those humans can be doing stuff better suited to their strengths while the hardware handles the grunt work.
Other dev houses may have different pain points, of course. Wherever yours lie, make sure you're at least looking into automation. You might be surprised at the number of things machines can handle on their own these days.
From people to tech and beyond, the full webinar has a lot more advice. Even if agile's a far-future, down-the-pipeline sort of plan for you, you'll come away with some new strategies and outlooks on the process. Give it a listen — you won't be disappointed.
Photo Source: Wikimedia Commons