Agile has become a religion among some in the development community, and that is not an issue that I will address here - I am not that brave. However, since Agile has become so prevalent, I do want to talk about a related issue, and that’s what happens to application security and SDL activities in an Agile environment. After all, SDL is modeled on the traditional software lifecycle activities and maps to a ‘waterfall’ process, so can we develop applications securely AND with an Agile process?
My answer, like that of any good technical person, is the ever-hedging ‘it depends.’ Agile process requires a unique type of team discipline and tends to hold a magnifying mirror to both the good and bad of a company’s approach. The things an organization does well can be done even better in Agile, and the things an organization is bad at can be exacerbated by Agile. For example, let’s take Product Management. If you were not good at understanding the customer when writing requirements, you will be no better at understanding the customer when writing user stories, and since user stories require a deeper role-based understanding, you will probably be worse.
Applying this to application security, if your approach to security is haphazard and the appropriate processes and education are not in place, you will absolutely get worse in Agile. User stories, backlogs, scrums and sprints have a way of sharpening focus on manageable top-priority items at the expense of others, and if security is not a high enough priority, it will fall by the wayside. On the other hand, if you are threat modeling, minimizing attack surface and turning those results into secure requirements, architecture and design, all of these activities can be mapped into the Agile process. If your developers are educated in defensive coding and you have input validation libraries and other good security systems in place, all of these can be used effectively and are less likely to be forgotten in short, focused sprints.
Here are a couple of good places to start when thinking about Agile security:
- At the high level, Adrian Lane of Securosis did this presentation on the topic that I like and sums up recommendations nicely.
- At a more detailed level, Microsoft has published material mapping SDL activities to Agile processes in MSDN Magazine and in the MSDN Library.
Finally, whether you are Agile or not, developer education and reference tools are essential. At some point, an engineer is actually sitting at a computer writing code, and that is one thing that doesn’t change no matter how the process is managed.