I would like to highlight some security challenges in Agile development methodology and some ways to build security into Agile development.
Challenges in incorporating security into Agile development
Some major challenges which has resulted in the security gaps are
- Security is seen as a Non Functional requirement(NFR). NFRs are hard to pin down in user stories which is a main feature of the Agile methodology. So security requirements does not make its way to real development effort.
- Agile is characterised by frequent changes and releases across different small teams with no definition of complete application. Its hard to review/test applications that have never finished. Security team does not have time to review and test each change which happens frequently.
- Lack of Agile ready security tools and processes. Older security processes and tools were not designed with agile methodology in mind and does not always work well here.
Creating a Secure SDLC process in an Agile organization
For security to work well with Agile, it has to be baked into SDLC process. With some efforts, this is achievable. Below are some thoughts (not exhaustive), that can be used to bridge the security gap in Agile applications.
- Build security in through user stories. Security requirements should be clearly defined and application security risk and activities should make its way into backlog, making them explicit so that security can be managed, planned, estimated like other things in agile. These can be thought as ‘Attacker’ or ‘Security’ stories. An example can be like “As a hacker, I can send bad data in URLs, so I can access data and functions for which I’m not authorized.” OWASP provides few more examples for security stories.
- Put development in charge of Secure Development. I think this is the most important step as I have seen even senior developers missing secure development practices. Developers are not to be blamed for this since they were never provided any training on security. No one wants to be a developer whose code has resulted in a security breach, so developers would take good interest is learning if opportunity is provided. Developers should be provided proper security trainings and tools for assistance. Guidelines should be provided for secure development, reviews and testings.
- Integrate Security in Continuous Integration (CI) process. The key idea is to automate what you can. SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools should be used in CI process. Its important to identify and fix a vulnerability in early phase of development.
- Security gate should be established and security bugs should be given equal importance as any other functional requirement bugs.
Agile process provides development teams an effective way to keep up with ever changing market and user needs. At first glance, it might appear Agile and security requirements or process do not complement and cannot go well together, but with some effort, clear guidelines and adopting right process and tools, an organization can have a right balance and secure development with Agile.