Agile development has a security problem - and developer ‘champions’ could be the key to ensuring safer software


The advantages of agile development have become increasingly clear in recent years, enabling developers and organizations to more efficiently build and roll out products to market. 

But in the rush to accelerate application development, developers have often overlooked critical considerations such as security, according to research.

A study from the Information Security Forum (ISF) suggested that agile development methods “do not always explicitly contemplate the need for information security, even though security should be at the forefront”.

Failing to acknowledge security considerations, the ISF warned, could present opportunities for exploitation by threat actors, enabling hackers to target rushed applications with lax security.

Gunnar Braun, technical manager at Synopsys Software Integrity Group, told ITPro that the very nature of agile development practices means that security can be overlooked frequently - but this doesn’t suggest a complete disregard for product safety.


“The fundamental concept of agile development is to work in small iterations - on one (or a few) features at a time by completing the cycle of writing code, testing it, and deploying it, so it can be consumed by an internal or external customer for feedback,” he said.

The success of security within this process depends on “whether it is considered a feature, or a property of a feature”, Braun added. If security is treated like a feature, he explained, then it competes against others in the development backlog and therefore is “likely going to lose the race”.


“Let's take the example of input validation,” he explained. “What is the product owner more likely to prioritize? Input validation or a shiny UI improvement that has been requested by a key customer?”

Braun noted, however, that in instances where security is part of the requirements of a feature, it “becomes a property of that feature”.

“Its implementation will not be considered complete before it implements proper input validation. Consequently, security is becoming integrated with the agile development process,” he explained.

Embedding security in agile development can be highly challenging

A key challenge for implementing security in an agile development process is that it requires “special knowledge that is often not available” or easily accessible for the development team, Braun said. 

As a result, vital security considerations are likely to be excluded from sprints throughout the process. This reinforces the need for a more collaborative relationship between developers and security practitioners across the entirety of the development lifecycle.

The 2023 Global State of DevSecOps report highlighted “inadequate/ineffective security training” for developers and engineers as one of the leading barriers to successfully implementing DevSecOps.

Braun said that a strategy that’s proven to be effective in addressing this is the creation of a “security champions” program.

“Security champions can evolve from existing roles, for example agile coaches or DevOps engineers, and can support multiple agile development teams with security domain knowledge,” he explained.

Braun added that the benefits of this practice have been confirmed by findings from the Building Security in Maturity Model report, which found that teams with security champions score 25% higher on average than those without one.

Security can be “naturally integrated” within agile development

Braun said he believes agile development presents an opportunity for security to become more intricately woven throughout the entirety of the software development lifecycle.

However, there are challenges here. Fundamentally, developers need to view security as a “property of a feature”. Similarly, leaders should embrace the expertise that security practitioners can offer projects.

By building a more collaborative relationship between developers and security practitioners, teams become more self-sufficient, which could improve efficiency and get products to market faster.

“Agile development is an opportunity for security to become naturally integrated with the software development process,” he said.

“To achieve this, it is important to treat security as a property of a feature, automate security tests in the same way as other tests, and provide security expertise to the development team to make the teams self-sufficient and own every aspect of the development process.”
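The two ideas Braun raises, input validation as a property of a feature rather than a competing backlog item, and security tests automated alongside functional tests, can be made concrete in a test suite. The following is an added example written for this article; it is not code from ITPro, Synopsys or the ISF. It assumes a hypothetical user story ("a user can set a display name") and invents its acceptance criteria: the functional checks the product owner asked for and the input-validation checks sit in the same suite, and the story is only "done" when every criterion passes.

```python
import re
import unicodedata

# Hypothetical feature: "a user can set a display name". The security
# requirements below are written as acceptance criteria of that feature,
# so the story is not done until they pass alongside the functional ones.
MAX_LEN = 32
# Letters, digits, underscore, space, dot, apostrophe and hyphen only.
ALLOWED = re.compile(r"^[\w .'-]+$")


class ValidationError(ValueError):
    """Raised when a display name fails one of the feature's validation rules."""


def validate_display_name(raw):
    """Return the normalized display name or raise ValidationError.

    Every rule here is an acceptance criterion of the feature, not a separate
    security backlog item that could lose a prioritization race.
    """
    if not isinstance(raw, str):
        raise ValidationError("display name must be a string")
    # Normalize first so lookalike forms (fullwidth letters, nbsp) are folded
    # before any length or character check is applied.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name:
        raise ValidationError("display name must not be empty")
    if len(name) > MAX_LEN:
        raise ValidationError(f"display name longer than {MAX_LEN} characters")
    # Unicode category "C*" covers control, format, surrogate and private-use
    # code points; none belong in a display name.
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        raise ValidationError("control or format characters are not allowed")
    if not ALLOWED.match(name):
        raise ValidationError("display name contains disallowed characters")
    return name


def _accepts(value):
    """Helper for the suite: True if the validator accepts the value."""
    try:
        validate_display_name(value)
        return True
    except ValidationError:
        return False


# Functional and security criteria live in ONE acceptance suite (constructed
# cases). A failing security case blocks the story exactly like a failing
# functional case.
ACCEPTANCE_CRITERIA = {
    # functional: the feature does what the product owner asked for
    "accepts plain name":           lambda: validate_display_name("Ada Lovelace") == "Ada Lovelace",
    "trims surrounding whitespace": lambda: validate_display_name("  Ada  ") == "Ada",
    "accepts accented letters":     lambda: validate_display_name("Zoë O'Brien") == "Zoë O'Brien",
    # security: input validation is a property of the feature
    "rejects empty":                lambda: not _accepts("   "),
    "rejects oversize input":       lambda: not _accepts("A" * (MAX_LEN + 1)),
    "rejects html/script markup":   lambda: not _accepts("<script>alert(1)</script>"),
    "rejects control characters":   lambda: not _accepts("Ada\x00Lovelace"),
    "rejects newline injection":    lambda: not _accepts("Ada\r\nSet-Cookie: x"),
    "rejects non-string input":     lambda: not _accepts(["Ada"]),
    "folds fullwidth lookalikes":   lambda: validate_display_name("Ａda") == "Ada",
}


def run_acceptance():
    """Run every criterion and return {criterion name: passed}."""
    results = {}
    for name, check in ACCEPTANCE_CRITERIA.items():
        try:
            results[name] = bool(check())
        except Exception:  # an unexpected exception is a failed criterion
            results[name] = False
    return results


def definition_of_done_met(results=None):
    """The story is 'done' only when functional AND security criteria pass."""
    results = results if results is not None else run_acceptance()
    return all(results.values())


if __name__ == "__main__":
    for name, ok in run_acceptance().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("definition of done met:", definition_of_done_met())
```

The point of the layout is organizational rather than clever validation code: because the security cases are entries in the same `ACCEPTANCE_CRITERIA` table the functional cases live in, they run in the same CI job and a story cannot be closed while any of them fails.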

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.