Continuous Security in Agile Development
The word continuous gets thrown around a lot when talking about agile and DevOps. One area that often doesn’t get enough attention is how to continuously build, test, and deliver secure applications.
Just like for quality, you can’t test security in, so you need to have a plan for how to build it in from the ground up. Here are some tips on how to do that.
Create your security architecture up front. While in agile we don’t do a lot of upfront planning and design, some amount of thinking around the overall architecture is always necessary. As part of this architectural work, you must think about how to make your architecture secure and what kinds of security controls are going to be used to thwart attacks.
This kind of security analysis is typically done by a systems architect with security expertise or a senior person from your corporate security team. Care must also be taken to make sure the planned architecture conforms to any industry or corporate security standards for protecting data and other critical assets.
Design defensively every sprint. Part of every sprint includes team-based design where new features that were committed to are integrated into the existing software design. This design work needs to also focus on providing defense in depth from a security perspective. Understanding what critical assets must be protected within the application and the security controls necessary to protect them should be discussed every sprint.
As part of backlog grooming activities, make sure security requirements are present and part of the priority process. If you don’t prioritize putting the appropriate security controls in place, you will get to the end of a release cycle and not have designed your application to protect itself.
Implement secure code as you go. Some security issues are design flaws. Others are implementation bugs in your code. As your software developers create new features, care must be taken to not introduce vulnerabilities.
Fortunately, there are now plenty of interactive IDE plug-ins that will “grammar-check” your code for security as your developers type in new functionality. This capability not only highlights security issues as they are introduced, but also educates developers on them so they create better code going forward.
Also make sure any code review process done as part of your day-to-day agile development includes a look at the security of the code being produced. There are security-scanning tools available that will supplement the interactive capabilities described above to do more thorough code analysis periodically.
Perform security testing at every level. Continuous security implies identifying vulnerabilities as close to where they are introduced as possible. A key component of this approach is to analyze the security of your units, components, features, use cases, and end-to-end workflows at the earliest possible point in the testing process.
Security testing should be incorporated into each testing activity performed, not left for the end of the process. Incorporate security acceptance criteria into the quality gates you use to determine whether code is ready to move toward production.