Security in Agile Methodology

Many large organizations are moving towards the Agile software development lifecycle (SDLC) methodology. Agile methodology is a combination of iterative and incremental process models with a focus on process adaptability and customer satisfaction by rapid delivery of working software product.

The general characteristics of any Agile methodology are:

  1. Prioritizing feedback. Agile teams rely heavily on the feedback they get on the products they deliver.
  2. Speedy delivery of small batches. Agile teams prefer to present their product in small iterative chunks instead of a single large one.
  3. Team ownership. Most of the decisions are made at the team level, making the Agile team responsible and accountable for the work they complete.
  4. Familiarity with Repetition. Agile methodologies encourage the team to repeat the process as much as possible to be familiar with it and, eventually to automate it if possible.
  5. Inspect and Adapt. Iteration is an integral part of any Agile methodology can be seen in the development of a product as well as in the methods and processes that the teams follow. It encourages the team to adapt to new changes and challenges in an enterprise by facilitating a continuous learning culture and openness.

There are several agile methods and approaches that software development teams pick and choose for the type of products they build. Scrum, Extreme Programming (XP), Kanban, and Lean Development are some of the popular ones. Most organizations choose Scrum and Kanban as the base for its Agile methodology.

A security team should always look for ways to make the Agile team’s job easier by helping them to develop and deliver software securely. They will be an enabler for an Agile team if they follow the recommendations listed below.

  1. The security team should be part of the agile team and be engaged as much as possible in the delivery of their product. They should be Agile to keep up with the Agile teams by thinking and acting quickly and iteratively. They should respond fast and keep learning and improving along with the development team.
  2. A Cybersecurity Architect (CSA) should be engaged in the review of a user story before it becomes part of the product backlog of the agile team. They are encouraged to participate in the product planning sessions.
  3. An Information Risk Manager (IRM) aligned to the line of business (LoB) should be engaged at the beginning and towards the end of each sprint.
  4. An Application Security Champion (ASC) should be part of a sprint team guiding the developers and helping them find solutions to fix security defects in the code.
  5. The security checks and tests must be automated so that they can be efficiently and transparently plugged into developer workflows and build pipelines
  6. The security team should develop a Reference Architecture as a tool that enables agile teams to deliver products that are compliant with the firm’s policies and standards. The Reference Architecture would help the agile teams move fast and continuously learn and improve.
Continue reading “Security in Agile Methodology”