Aug 15, 2018
With 1-week sprints, continuous deployment and just-in-time planning, the agile methodology has transformed the world of software development. However, as with any revolutionary change, new benefits are often tempered by new risks – and agile development brings with it a unique set of challenges for dev and security teams to get to grips with. Today we’re looking at a handful of security issues unique to agile development – and exploring ways to reduce the threat they pose to your latest development project.
1) Agile Doesn’t Prioritise Security
There’s an inherent conflict between the best practices of secure development, and the priorities of developers. With developers judged primarily on their ability to create effective and functionality-rich code, on time, and on budget, committing valuable time to improving application security is often seen as counterintuitive to their goals. With the agile manifesto guiding the practices of myriad agile developers, this failure to prioritise security once again rears its head. Despite outlining the core principles of agile, at no point does the manifesto mention security:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
The same problem applies to the 12 principles of agile. Whilst they refer to all-manner of desirable developer traits, from technical excellence to sustainable development, they never address the fundamental need for security. Explicit recognition of the importance of security is a vital component of securing agile developments. Without organisation-wide security awareness, development teams will struggle to recognise the importance of secure code – and when push comes to shove, fast development will take precedent over secure development.
2) Older Security Programs Don’t Tackle Agile Development
This problem has filtered-through into a surprising number of security programs. Despite attempting to offer up-to-date guidance and education on the best practices of application security, many training courses fail to offer any agile security training. Development manager Jim Bird illustrates the problem in this blog post, pointing out that a popular security textbook dedicated only 2 of its 572 pages to secure agile development. Agile is a hugely popular development process, and growing in popularity. The days of big waterfall-style development stages are long behind us, and with increasing visibility into the need for application security, it’s essential for agile developers to engage with training courses that explicitly tackle the issues they face.
3) It’s Hard to Test and Review Apps That Are Never Finished
Agile development is characterised by a fluid, iterative process – one without defined hand-offs between development stages. Whilst this can work wonders for fast, effective development, it can make security reviews and testing extremely hard to schedule and implement. Running a single penetration test at the end of the development cycle doesn’t suit the ever-changing nature of agile, especially when development can rarely be viewed as ‘finished’. With both design and code constantly changing, security tests need to be run more regularly. To achieve that, it’s essential to adopt testing strategies that are cheaper, and easy to use early within the software development lifecycle – like peer review, in the form of pair programming.
How to Secure Agile Software Development Projects
Agile development is here to stay – and unfortunately, so are the security vulnerabilities that affect agile development. However, despite the barriers to secure development I’ve covered here, it’s possible to dramatically improve security by following the four best practices of secure agile software development:
- Start with pre-development security planning.
- Get into the habit of iterative testing.
- Let experienced devs address high-risk issues.
- Take small steps towards security.