How do companies develop industry-leading apps? Often the answer lies in a horizontal, Agile development environment that favors team-based, iterative design over strict adherence to policy and leadership hierarchy. And how do companies protect their newly developed apps? With vertical AppSec strategies that favor conformity over creativity. The result of these two efforts is a critical intersection at the corner of Agile and AppSec. So, how can companies handle this right angle?
As described in a recent Forbes article, the world of Agile development is naturally horizontal. Team members pass ideas among themselves and iterate on the fly, designing software with the ultimate goal of engaging end users. While vertical components do exist — teams must report to someone, after all — a strict top-down methodology tends to kill Agile creativity and lengthen the time required between software-related idea development and application delivery.
But this disconnect has many managers frustrated and, as Forbes puts it, trying to act like "the adults in the room." Part of the problem is a lack of knowledge, since most leaders aren't familiar with Agile methodology. According to a post from NextGov, efforts are being made to remedy this situation. This includes developing tools such as the "Agile Development Handbook," which aims to give managers a better understanding of Agile processes and how they exist outside of vertical hierarchies, rather than trying to replace them.
In some cases, however, vertical thinking is a necessity. Managers often point to AppSec as one such case, because without the strict adherence to guidelines that vertical management enforces, effective AppSec becomes almost impossible. Consider the case of Facebook Messenger. As noted by Dark Reading, the app was a mess of spyware and surveillance code, a rushed effort designed to make users download the app instead of connecting through Facebook itself, with the ultimate intention of grabbing as much data as possible from mobile devices. Understandably, user backlash was severe, and the social media company has been backpedaling ever since.
Here, solid AppSec could have prevented a host of trouble, but speed trumped security and the results were as expected: awful. Dark Reading argues better collaboration could have prevented this problem, since it's likely software engineers and policy makers didn't consult one another during the build process. But top-tier oversight was also necessary — a vertically demanding decision that mandated specific AppSec features to head off any problems.
With the Agile development environment essential to end-user satisfaction and vertical management seen as crucial to security, how do companies get the best of both worlds? By designing for the corner. This is a hard angle, certainly, but not impossible to navigate; it simply requires slowing down and putting the right kind of slope in place, one that levels off with designers and ramps up with executives.
What does it look like? Think about agility: The most agile environment for development is the cloud. Think about security: The most reliable method is repeatable testing that occurs at every level of the development process. The result is a cloud-based AppSec platform able to analyze software from end to end at any stage of the game. Horizontal thinkers get the benefit of on-demand rather than mandated use, while vertically minded executives gain peace of mind knowing that at every step in the process, AppSec is being built in rather than shoehorned in just before the ship date.
Right-angle thinking isn't easy, especially since Agile and AppSec processes don't always see eye to eye. But this isn't a brick wall: Programmatic, cloud-based security environments can handle any degree of difficulty.