Consistency is key.
While those words may sound general, they carry a lot of meaning in the software world. The ground-level view of an average company may look like chaos from time to time, but the organizations that beat their budgets and time-to-market goals are usually the ones that have found a process that works and learned to repeat it.
When a company is experiencing explosive growth, the problem lies in figuring out what must change to suit the needs of a bigger, better organization, and what should stay the same. From a security standpoint, staying consistent in a scaled Agile or waterfall environment is just like growing any other part of a software business: the best practices are repeatable at every size of operation. When you can maintain the same application security process for a 10-person development team or for 1,000 distributed engineering teams, your company's products and pocketbook tend to be better off.
Consider your office's main door. Your company may have changed how employees get through that door over the years, say moving from keys to badges and a security guard, but it would become frustrating if a new way of entering the office were introduced every time the company grew.
That idea, in large part, sums up why repeatable, scalable security processes are so important for growing companies. Keeping employees happy is only one of their benefits, but that benefit alone can make them worthwhile in a scaled Agile workplace. Your people may or may not care about the scores of new employees your company brings on, but they sure as heck don't want those hires interfering with the way they do things.
The same idea works from the perspective of your company's bean counters. If you're paying to train new and old employees on new processes at every growth milestone, then you're effectively paying more for the same thing each time. And that's before the "meta" costs that come with implementing new systems: licensing fees, the mistakes employees make while reacclimating, and so on.
Now, take a look at how a scalable, consistent security system can make security training more efficient, even within huge companies.
Security is a game of concepts. There's still some nitty-gritty work involved, but keeping the right ideas in mind can head off all sorts of errors on a developer's end. When an automated testing system flags a specific mistake in a specific developer's code, that developer can be coached on that mistake at that moment. On-demand, situationally tailored training of this kind is more efficient than packing everyone into a meeting room and training them on mistakes only a handful of employees made.
Take that idea and expand it across an entire distributed organization: hundreds or thousands of employees, each coached on the specific issues the testing system finds in their own work, with nary a conference room to be found.
Exciting, right? Developers get the training they need when they need it, and the company saves dough it would have spent pushing that training across the entire organization.
Going back to the "meta" side of secure development, repeatability also pays off when it comes to rolling out the tools developers use across a growing company. Engineers, as a rule, aren't primarily focused on security. Giving them a cloud-based platform with easily repeatable testing steps not only makes their workflow easier, it also ensures that every piece of work they submit is held to the same policies, and to the same interpretation of those policies. That second point in particular is a weakness of relying heavily on manual testing and code review: two reviewers can read the same policy differently, and the gap widens across distributed workplaces and third-party vendor offices. An automated check applies one rule the same way to every submission, so the policy itself, not the reviewer on duty, decides what passes.
Whether you're in a scaled Agile or waterfall environment, that kind of consistency and repeatability means errors are caught sooner, which in turn means they're easier and cheaper to fix. When the testing process can be repeated on demand rather than on a set schedule (a big concern in waterfall environments, where testing often waits for a late phase), less time is spent going back to fix bad code. That saves time, money, and any good code that might have been scrapped along with the fix.
There are several reasons practitioners of Agile and traditional development methodologies alike preach heavy use of automated testing early in development, and the ability to stay consistent in a growing workplace is one of them. Training, testing, coaching, code review: the list of things that get more expensive as a company expands is a long one. Throwing automated solutions into the mix can slow growth in the one place where that's a good thing, the "costs" column.
Don't be afraid to get an expert's opinion on your security situation, and make sure you're giving automation its due attention. Whatever your company's trajectory, there is a solution that benefits every arm of your operations.
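To make the "same policies, same interpretation" point concrete, here is a small policy gate written for this article as an added example; it is not the author's product or any vendor's tool. The idea is that the severity thresholds live in one place and every team's pipeline runs the same function over its scan results, so a finding that blocks one team blocks every team. The finding format, the rule identifiers, the policy values and the two teams' results are all constructed for the illustration; a real pipeline would load findings from its scanner's output and the policy from a versioned file.

```python
"""Policy gate applied identically to every team's scan results.

Added example for this article, not code from a product or the page's author.
Finding fields, rule names and POLICY values are assumptions made for the
illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# One policy, defined in one place and imported by every pipeline, so
# "high means block" cannot be read differently by different reviewers.
POLICY = {
    "block_at": "high",  # any finding at or above this severity fails the gate
    "max_medium": 2,     # more than this many medium findings also fails
}


@dataclass(frozen=True)
class Finding:
    rule_id: str   # scanner rule identifier (hypothetical values in the samples)
    severity: str  # a key of SEVERITY_RANK
    path: str
    line: int


@dataclass
class GateResult:
    passed: bool
    reasons: List[str] = field(default_factory=list)
    # Every finding, blocking or not, is a coaching item for the developer
    # who introduced it; this is the "on-demand training" hook.
    coach: List[Finding] = field(default_factory=list)


def evaluate(findings: Iterable[Finding], policy: dict = POLICY) -> GateResult:
    """Apply the shared policy to one team's findings and say why it failed."""
    block_rank = SEVERITY_RANK[policy["block_at"]]
    result = GateResult(passed=True)
    mediums = 0
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # An unknown severity is a tooling error; fail closed rather than
            # let a team silently interpret it as "not blocking".
            result.passed = False
            result.reasons.append(f"unknown severity {f.severity!r} for {f.rule_id}")
            continue
        if rank >= block_rank:
            result.passed = False
            result.reasons.append(f"{f.rule_id} ({f.severity}) at {f.path}:{f.line}")
        elif rank == SEVERITY_RANK["medium"]:
            mediums += 1
        result.coach.append(f)
    if mediums > policy["max_medium"]:
        result.passed = False
        result.reasons.append(
            f"{mediums} medium findings exceed limit {policy['max_medium']}"
        )
    return result


# Constructed sample results for two teams (not real scanner output).
TEAM_A = [
    Finding("sql-injection", "high", "api/orders.py", 42),
    Finding("weak-hash", "medium", "auth/reset.py", 17),
]
TEAM_B = [
    Finding("weak-hash", "medium", "svc/a.py", 3),
    Finding("weak-hash", "medium", "svc/b.py", 9),
    Finding("debug-enabled", "low", "settings.py", 1),
]

if __name__ == "__main__":
    for name, findings in (("team-a", TEAM_A), ("team-b", TEAM_B)):
        r = evaluate(findings)
        print(name, "PASS" if r.passed else "FAIL", r.reasons)
```

Because the thresholds are data rather than reviewer judgement, tightening the policy is a one-line change that takes effect for every team on its next run, and the `reasons` list gives each developer the specific finding to fix rather than a generic lecture.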
Photo Source: Flickr