Scrum Agile Project Management

Security Best Practices in Agile Teams

There are many discussions about what Scrum teams should include in their Definition of Done (DoD). However, security is rarely mentioned during these talks, even if more and more hacking incidents are revealed to the public. This article outlines some major security best practices for Agile teams.

Agile is a project management approach that delivers the project in increments and iterations throughout the project life cycle. Agile was first introduced for software development, where it remains a popular approach.

Developing software requires close attention to security. Agile teams need to follow best practices to deliver a product that is both working and secure. Security has to be an active consideration throughout the entire life cycle. Unfortunately, many teams neglect security because it is treated as a non-functional requirement.

Security Best Practices in Agile Teams

Security starts from the top

The approach to cybersecurity is rooted deep within a company’s culture. In the last decade, companies have moved away from well-thought-out yet slow projects. Now, they focus on projects with quick turnaround and little testing. But, recent spikes in cyber incidents have forced many to rethink their approach.

Now, cybersecurity is a trending topic among C-level executives, which spills over to the agile development teams. This trend has to continue for security to be a central focus point during the development process. CEOs have to prioritize cybersecurity throughout the organization.

Many teams are dead-set in their ways, and even if they have the technical skills, the organization’s culture may stop them from collaborating. If there’s a culture problem within the organization, changes have to come from the top.

Rethink the CIO and CISO relationship

Instead of acting as gatekeepers, CISOs and security teams need to work closely with the development teams. Their cooperation is crucial in developing effective security paradigms despite short deadlines.

It is also wise to transition members from development to security roles and vice versa. Doing so will improve cohesiveness between the two teams. Often, there is a disconnect or an us-against-them mentality between development and security teams.

Deploy automated security tools

Automation is an easy way to bolster security throughout the software development life cycle (SDLC). However, automation also brings challenges, and security teams shouldn’t use it mindlessly. Begin by looking at areas where you can deploy automation that would bring a good ROI and improve security.

It is best to deploy automation tools in increments. Start by automating a few small tasks and slowly increase automation with each product iteration. Adding too many new tools at once can slow down development and put more pressure on the agile team.

Keep in mind that vulnerability scanning tools return a lot of false positives, roughly 40% of total alerts. To measure the efficiency of each tool, track the number of false positives it generates and the extra work they create for the developer teams.

In addition to tools that work directly with the software, the devices of agile team members also have to be protected. Advise the team to use strong passwords and store them in a password manager. Install security software that scans devices for malware.

Passive review tools

Agile requires quick reviews for each product iteration. Thus, using specialized tools to help with the process can be a major factor in meeting deadlines. Some of the most beneficial tools in agile development are passive review tools.

These tools are designed to help QA professionals by assisting them in the code-review process. They allow the QA team to skim through code without having to focus on each line. The tool will monitor their movement as they go through the code and provide supplementary information to simplify the troubleshooting process.

Use user feedback to your advantage

One of the primary advantages of the agile methodology is the ability to incorporate user feedback into the product’s development. With each iteration, you can gather valuable information about security bugs or concerns that users have.

Incorporating user feedback into development comes in three steps:

  1. Gathering

To make use of user testimonials, you need to deploy one or more communication channels between your team and users. Encourage users to provide actionable reviews about their experience with the product.

  2. Documenting

Organize feedback and identify significant concerns that users have.

  3. Prioritizing

Instead of tackling everything at once, prioritize issues and address those that bring the most security risk.

Apart from user testimonials, team leaders could also ask for peer reviews on the code before it hits the market. Two extra sets of eyes are likely to detect vulnerabilities that the team might’ve missed during development.

Promote secure code development practices

Organizations should support developers in implementing controls that promote secure code development. The OWASP (Open Web Application Security Project) Top 10 Proactive Controls list ten controls that emphasize security throughout the application. Some of the most notable are:

C1: Define security requirements

A security requirement is a statement of a specific security function that the system should have. You can derive these requirements from

  • past experiences
  • known vulnerabilities
  • industry standards, and
  • laws.

C2: Leverage security frameworks and libraries

Encourage the development team to leverage secure code frameworks and libraries. If the team is writing the code from scratch, it might be challenging and time-consuming to implement security features correctly. With that said, the frameworks should preferably be peer-reviewed and come from reputable sources.

C6: Implement digital identity

Digital identity is a user’s digital footprint. It allows for the implementation of authentication security measures. Authentication requires users to confirm their digital identity before they can continue using the system. Preventing unauthenticated users from accessing the system is a crucial step toward improving security.

C8: Protect data everywhere

You need to protect sensitive data like passwords, credit card information, health records, and other data that may be stored on the system, particularly if it falls under data protection or financial regulation. Classify data by importance, and put appropriate security measures in place to protect it. Key focus areas are storing data safely and protecting data in transit.
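The following is an added example, not code from the article, showing how C2, C6 and C8 fit together in practice: credentials are stored with a vetted standard-library primitive (PBKDF2-HMAC from Python's `hashlib`, rather than a home-made scheme), every request for classified data is gated on a successful authentication, and the weak pattern (a single fast, unsalted hash) is shown beside the hardened one. The user store, the `health_record` field, the session-token scheme and the iteration count are assumptions made for illustration.

```python
"""Added example (not from the article): C2/C6/C8 in one small user store."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed parameters: PBKDF2-HMAC-SHA256, a 16-byte random salt per user and
# a high iteration count so that offline guessing of a stolen hash is slow.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """The pattern C8 warns against: one fast, unsalted hash.
    Equal passwords produce equal hashes, so precomputed tables apply."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """C2: delegate to a vetted library primitive instead of hand-rolling."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be raised later without
    # breaking existing users.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of an unguessable value, verified for unknown usernames so that the
# response time does not reveal whether an account exists.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class UserStore:
    """Assumed in-memory store: only salted hashes and classified data at rest."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}
        self._sessions: Dict[str, str] = {}  # token -> username

    def register(self, username: str, password: str, health_record: str) -> None:
        # C8: the password is never stored; the record is labelled by sensitivity.
        self._users[username] = {
            "password_hash": hash_password(password),
            "health_record": {"classification": "confidential", "value": health_record},
        }

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """C6: confirm identity first; return a session token or None."""
        user = self._users.get(username)
        stored = user["password_hash"] if user else _DUMMY_HASH
        if not verify_password(password, stored) or user is None:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def read_health_record(self, token: Optional[str]) -> str:
        """Confidential data is released only to an authenticated session."""
        username = self._sessions.get(token) if token else None
        if username is None:
            raise PermissionError("authentication required")
        return self._users[username]["health_record"]["value"]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple", "constructed record")
    token = store.authenticate("alice", "correct horse battery staple")
    print("login ok:", token is not None)
    print("wrong password rejected:", store.authenticate("alice", "guess") is None)
    print("record:", store.read_health_record(token))
```

Two details carry most of the security value: `hmac.compare_digest` keeps the comparison time independent of how many bytes match, and verifying a dummy hash for unknown usernames keeps login timing the same whether or not the account exists.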

Encourage developers to identify security risks

Most developers are preoccupied with the actual functioning of the system, leaving little room to think about the inherent security risks that come with it. Encourage the team to step away for a second and think of all possible ways someone could breach the system in its current state.

Sure, user stories can provide great feedback, but no one knows the inner workings of the software better than the development teams. A practical way to do this is to envision the software from an “evil” user’s perspective.

For example, developers should pay close attention to critical entry points and valuable assets within the system that an attacker might target. Strengthening security in those areas will make for a much better end-product.

Be prepared to innovate

Security requirements are changing rapidly. The systems you build have to be able to support security innovation to keep up with rising vulnerabilities and consumer demand. To achieve this, conduct regular reviews of your product’s security posture and the industry you’re in as a whole.

An innovative approach is a long-term plan that can bring significant benefits in the future but will cost additional time and resources in the short term.

Final Thoughts

Agile development requires swift action and leaves little to no room for mistakes. Agile developers have to work closely with security teams throughout the SDLC to ensure that security best practices are followed.

Developers, security teams, and quality assurance professionals can utilize security tools to help scan code and identify vulnerabilities.