"Agile" does not have to mean "insecure." Development is a game of trade-offs, and speed often means sloppiness no matter what kind of project you're working on. But keeping secure development practices on lockdown from day one doesn't have to vanish with the waterfall.
Take a look at Microsoft. While its "switch" has been more of a gradual scoot and may not necessitate a wholesale change, there's no doubt the company's interest in Agile is turning heads. Here are some key takeaways from Microsoft on the secure development lifecycle (SDL) and Agile:
Core Security Training: Microsoft's advice applies specifically to the SDL, but the basic idea is useful for any Agile practitioner: train as often as needed to efficiently develop a secure product. The company recommends everyone in a technical role attend "at least one unique security training class each year" and tack more on as needed — especially if a class pertains to the project at hand.
Establish Security Requirements: Setting expectations for security and quality up front makes the rest of your secure development practices operate smoother throughout the software development lifecycle (SDLC). It can also help you "identify key milestones . . . and minimize disruptions to plans and schedules," two problems that can result in missed deadlines and overblown budgets with Agile. It's a practice worth getting into early and repeating often.
Perform Attack Surface Analysis and Reduction: Though it's similar to threat modeling (see below), attack surface analysis is also a critical stand-alone step. OWASP says the point of this practice is to protect applications from an external attack by determining what areas of a product are most vulnerable and how to fix them. This is a one-time job, according to Microsoft, but it's a crucial one all the same.
Use Threat Modeling: Microsoft reports, "Applying a structured approach to threat scenarios during design helps a team more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations." In other words, using threat modeling now can save developers a lot of trouble and cost later. Plus, it keeps your security and design teams limber and prepared in case one of the events they model actually occurs. As with many secure development practices applied to Agile, the goal here is to be flexible early. This allows you to be reactive later down the line with minimal cost or effort.
Perform Static Analysis: Frequently employing static analysis tools (i.e., automated ones) allows you to test third-party components — as well as your own — without needing to analyze the source code directly. This offers several benefits over manual testing, including how thorough and quick it is to both find errors and help engineers remediate them before the next step in the SDLC.
Perform Dynamic Analysis: This step helps you find key errors prior to release, many of which static analysis alone can't identify. Using dynamic analysis in combination with static analysis (especially in an automated, continual setting) helps keep Agile-developed products secure without trading the speed and flexibility that made the methodology popular in the first place.
Create an Incident Response Plan: Contingency planning is key in any business setting. Development, with the critical data that end products often access and utilize, is no different. Knowing what to do in an emergency keeps a business from getting caught unawares. Considering the ever-evolving nature of digital security threats, calling in experts to help you craft a plan might be a wise idea.
While Microsoft's post is geared towards its own SDL process, the company's take on secure development practices under an Agile methodology are certainly worth knowing. With or without the SDL, some nuggets still hold true no matter how you currently develop or how you may develop in the future. With Agile, you get a development method built to match today's software delivery methods; you also get a faster, leaner way to build your software in general, and you get it without having to sacrifice security in the process.
When a big name like Microsoft works toward a major change, you know it has some serious merit. Here, it's just another sign of Agile's secure future in the development world.
Photo Source: Wikimedia Commons