
Secure and Agile – Can They Go Together?

by Fred Pinkett on March 11, 2011

Agile has become a religion among some in the development community, and that is not an issue that I will address here - I am not that brave. However, since Agile has become so prevalent, I do want to talk about a related issue, and that’s what happens to application security and SDL activities in an Agile environment. After all, SDL is modeled on the traditional software lifecycle activities and maps to a ‘waterfall’ process, so can we develop applications securely AND with an Agile process?

My answer, like that of any good technical person, is the ever-hedging ‘it depends.’ The Agile process requires a unique type of team discipline and tends to hold a magnifying mirror to both the good and the bad of a company’s approach. The things an organization does well can be done even better in Agile, and the things an organization is bad at can be exacerbated by Agile. For example, let’s take Product Management. If you were not good at understanding the customer when writing requirements, you will be no better at understanding the customer when writing user stories, and since user stories require a deeper role-based understanding, you will probably be worse.

Applying this to application security, if your approach to security is haphazard and the appropriate processes and education are not in place, you will absolutely get worse in Agile. User stories, backlogs, scrums and sprints have a way of sharpening focus on manageable top-priority items at the expense of others, and if security is not a high enough priority, it will fall by the wayside. On the other hand, if you are threat modeling, minimizing attack surface and turning that into secure requirements, architecture and design, all of these activities can be mapped into the Agile process. If your developers are educated in defensive coding and you have input validation libraries and other good security systems in place, all of these can be used effectively and are less likely to be forgotten in short, focused sprints.

Here are a couple of good places to start when thinking about Agile security:

  1. At the high level, Adrian Lane of Securosis gave a presentation on the topic that I like and that sums up the recommendations nicely.
  2. At a more detailed level, Microsoft has published material mapping SDL activities to Agile processes in MSDN Magazine and in the MSDN Library.

Finally, whether you are Agile or not, developer education and reference tools are essential. At some point, an engineer is actually sitting at a computer writing code, and that is one thing that doesn’t change no matter how the process is managed.

Topics: security engineering, application security
