Over the past 15 years, software development has changed drastically due to evolving market demands.
Software development teams needed to shorten their time to market with more frequent releases and, with time, it became increasingly evident that the waterfall method was ill-suited to modern demands. This led the industry to move away from waterfall methodologies to Rapid Application Development (RAD) models that emphasize flexibility and iterative development over upfront planning.
One of the most widely accepted RAD models is agile, which has an uneasy relationship with security. The reason is that agile development emphasizes flexibility and rapid changes, while security methodologies rely on a more systematic approach to development, much more reminiscent of the Waterfall methodology, to manage risk factors and take the necessary steps to secure software before it ships.
With two, equally vital, aspects of the development process seemingly at odds, what can be done to better balance between security and agile development? What steps can be taken to ensure even the most agile development processes are done in a secure manner?
In the early days of computer programming, the waterfall method was the most common practice. Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
One of the most widely accepted RAD models is agile software development. Loosely defined, agile development uses any number of methods to encourage an almost organic approach to programming, an approach where collaboration between cross-functional teams is encouraged. The result is a process that focuses on adaptability, evolving development and fast response to changing circumstances and needs. This approach has enjoyed widespread success in the modern development world, especially as companies and organizations have had to quickly pivot to meet the needs of the market.
One area where agile development, and RAD in general, has sometimes resulted in issues is the realm of security.
This becomes especially apparent when agile development teams engage in short development sprints where a vast amount of work is done in a matter of weeks, rather than the months security teams would normally have to work with.
Agile development has gained such widespread acceptance because of one simple fact: it works. As a result, while security is extremely vital to any software development process, it is important to remember that there are only so many changes that can be made to the development process before it loses the very elements that make it agile.
Therefore, security measures need to be adapted to the agile process as much as possible. In their paper entitled Integrating Security into agile Development Methods, Mikko Siponen, Richard Baskerville and Tapio Kuivalainen highlight several requirements for security to properly integrate into the agile process:
1. The security approach must be adaptive to the agile software development methods and must not hinder the development process.
2. To be integrated successfully with agile development methods, the security approach should offer concrete guidance and tools at all phases of development, i.e., from requirements capture to testing.
3. A successful security element should be able to adapt rapidly to ever-changing requirements owing to a fast-paced business environment, including support for handling several incremental iterations.
Number one, in particular, is extremely important. Because of the fast pace of any Agile process, the integration of security must be kept as simple as possible, while still being effective. So how can you adapt?
Providing visibility and some level of control to your security team over the software development process is critical and can also help reduce friction between the security and engineering teams.
Based on our experience in large enterprises, this was one of the main goals we set out to achieve when we started to develop WhiteSource. Integrating security tools that become part of your development process is the most effective way to secure your software, as it provides continuous monitoring and thereby eliminates the questions, doubts and requests for reports. It also enables your security team to enforce security policies on your build tools/CI servers and even break the build if high-risk vulnerabilities are found.
Automated security monitoring tools help both developers and security managers address security vulnerabilities and other bugs as early as possible in the development process, which makes them easier and less expensive to fix.
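The build-breaking policy described above, as an added example that is not WhiteSource's own code: a small gate a CI job can run over a dependency-scan report. The report format, the package names and the advisory ids are constructed for the example; a time-boxed exception list lets a documented, still-valid acceptance pass without silencing the finding permanently.

```python
import json
import sys
from datetime import date

# Constructed sample scan report (not a real scanner's output format):
# one finding per vulnerable dependency, with a severity and an advisory id.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"package": "libfoo", "version": "1.2.0", "severity": "high",
         "advisory": "ADVISORY-PLACEHOLDER-1"},
        {"package": "libbar", "version": "3.0.1", "severity": "medium",
         "advisory": "ADVISORY-PLACEHOLDER-2"},
        {"package": "libbaz", "version": "0.9.9", "severity": "critical",
         "advisory": "ADVISORY-PLACEHOLDER-3"},
    ]
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_policy(report_json, fail_at="high", accepted=None, today=None):
    """Return (passed, blocking_findings) for a scan report.

    fail_at is the lowest severity that blocks the build. accepted maps an
    advisory id to an ISO expiry date; an unexpired exception is reported
    but does not block, so risk acceptance stays explicit and time-boxed.
    """
    accepted = accepted or {}
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for finding in json.loads(report_json)["findings"]:
        if SEVERITY_RANK[finding["severity"].lower()] < threshold:
            continue  # below the policy threshold: informational only
        expiry = accepted.get(finding["advisory"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # a documented exception is still in force
        blocking.append(finding)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    ok, blocking = evaluate_policy(SAMPLE_REPORT)
    for f in blocking:
        print(f"BLOCKING {f['severity']}: {f['package']} {f['version']} ({f['advisory']})")
    sys.exit(0 if ok else 1)  # non-zero exit status fails the CI job
```

Run it as a build step; the non-zero exit status is what actually breaks the build, while the printed lines give developers the exact dependency to fix.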
Just because security must adapt to the agile process does not mean it is a one-way street. Developers must also show a willingness to adapt to the realities of modern security. One of the most basic, yet often overlooked, ways to achieve this is by providing proper training for your agile development team. Because agile development focuses so much on speed and flexibility, agile teams need to be taught to understand and anticipate the potential threats to the software they create.
Many developers can easily get tunnel vision when working on projects, so focused on their own vision of how the software should work that they fail to see it from any other perspective. One of the most important perspectives to consider it from, however, is that of an attacker intent on gaining access or exploiting a security hole. That is why it is so important to train developers to analyze a project and their code from an attacker’s perspective throughout all phases of the project, including conception, development, and testing.
In the early days of computer programming, when the waterfall method was the standard, it was not uncommon for developers to hand the QA (Quality Assurance) team code to test that had not yet been vetted. This left it to QA to find any and all bugs, from the most basic annoyances to serious security flaws.
Once your developers have been trained to look at their code from an attacker’s perspective, however, the next step is to establish guidelines for the code to be reviewed by the developers before turning it over to QA.
An effective way to achieve this is by insisting on daily unit testing. Requiring unit tests during development increases the likelihood of finding major bugs before the development process has moved too far ahead.
Another important tool is peer review. Again, because developers are often focused on how they think the code should work, it is easy to miss errors, even obvious ones, which can leave software vulnerable to attack. Another set of eyes going over a section of code can be an invaluable investment of time. Setting guidelines for how often this occurs can go a long way toward securing your Agile process.
Without a doubt, the agile development process is here to stay. It offers companies and development teams an effective way to keep up with today’s ever-changing market and consumer needs. While at first glance Agile and security needs may seem to be at odds, with a little effort, clear guidelines and use of available tools, your company can strike the right balance between Agile development and security concerns.