Agile development has a security problem - and developer ‘champions’ could be the key to ensuring safer software
Security considerations can be an afterthought in agile development, but there are ways to address the issue and prevent disastrous consequences

The advantages of agile development have become increasingly clear in recent years, enabling developers and organizations to more efficiently build and roll out products to market.
But in the rush to accelerate application development, developers have often overlooked critical considerations such as security, according to research.
A study from the Information Security Forum (ISF) suggested that agile development methods “do not always explicitly contemplate the need for information security, even though security should be at the forefront”.
Failing to acknowledge security considerations, the ISF warned, could present opportunities for exploitation by threat actors, enabling hackers to target rushed applications with lax security.
Gunnar Braun, technical manager at Synopsys Software Integrity Group, told ITPro that the very nature of agile development practices means that security can be overlooked frequently - but this doesn’t suggest a complete disregard for product safety.
“The fundamental concept of agile development is to work in small iterations - on one (or a few) features at a time by completing the cycle of writing code, testing it, and deploying it, so it can be consumed by an internal or external customer for feedback,” he said.
The success of security within this process depends on “whether it is considered a feature, or a property of a feature”, Braun added. If security is treated like a feature, he explained, then it competes against others in the development backlog and therefore is “likely going to lose the race”.
“Let's take the example of input validation,” he explained. “What is the product owner more likely to prioritize? Input validation or a shiny UI improvement that has been requested by a key customer?”
Braun noted, however, that in instances where security is part of the requirements of a feature, it “becomes a property of that feature”.
“Its implementation will not be considered complete before it implements proper input validation. Consequently, security is becoming integrated with the agile development process,” he explained.
Embedding security in agile development can be highly challenging
A key challenge for implementing security in an agile development process is that it requires “special knowledge that is often not available” or easily accessible for the development team, Braun said.
As a result, vital security considerations are likely to be left out of sprints throughout the process. This reinforces the need for a more collaborative relationship between developers and security practitioners across the entire development lifecycle.
The 2023 Global State of DevSecOps report highlighted “inadequate/ineffective security training” for developers and engineers as one of the leading barriers to successfully implementing DevSecOps.
Braun said that a strategy that’s proven to be effective in addressing this is the creation of a “security champions” program.
“Security champions can evolve from existing roles, for example agile coaches or DevOps engineers, and can support multiple agile development teams with security domain knowledge,” he explained.
Braun added that the benefits of this practice have been confirmed by findings from the Building Security in Maturity Model report, which found that teams with security champions score 25% higher on average than those without one.
Security can be “naturally integrated” within agile development
Braun said he believes agile development presents an opportunity for security to become more intricately woven throughout the entirety of the software development lifecycle.
However, there are challenges here. Fundamentally, developers need to view security as a “property of a feature”. Similarly, leaders should embrace the expertise that security practitioners can offer projects.
In creating a more collaborative relationship between developers and security practitioners, teams will ultimately become more self-sufficient, and this could help improve efficiency to ensure products are rolled out to market at a faster pace.
“Agile development is an opportunity for security to become naturally integrated with the software development process,” he said.
“To achieve this, it is important to treat security as a property of a feature, automate security tests in the same way as other tests, and provide security expertise to the development team to make the teams self-sufficient and own every aspect of the development process.”
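To make Braun's "property of a feature" idea concrete, here is an added illustration (example code, not from the article, Synopsys, or the ISF): a small "set display name" feature whose definition of done includes its input-validation rules, so the security tests run alongside the functional tests rather than sitting in a separate backlog item. The feature, the allowlist rules and the test cases are all constructed for this example.

```python
import re
import unicodedata

# Constructed acceptance criteria for the feature: an ASCII allowlist and a
# length cap. In a real product these would come from the feature's spec.
MAX_NAME_LEN = 32
_ALLOWED = re.compile(r"[A-Za-z0-9 .'\-]+")


class ValidationError(ValueError):
    """Raised when user input fails the feature's validation rules."""


def validate_display_name(raw):
    """Normalise and validate a user-supplied display name, or raise."""
    if not isinstance(raw, str):
        raise ValidationError("display name must be a string")
    name = unicodedata.normalize("NFC", raw).strip()
    if not name:
        raise ValidationError("display name must not be empty")
    if len(name) > MAX_NAME_LEN:
        raise ValidationError("display name too long")
    # Reject control characters (Unicode category C*) before the allowlist check.
    if any(unicodedata.category(c).startswith("C") for c in name):
        raise ValidationError("control characters not allowed")
    if not _ALLOWED.fullmatch(name):
        raise ValidationError("display name contains disallowed characters")
    return name


def set_display_name(profile, raw):
    """The feature itself: validation is part of it, not a separate story."""
    profile["display_name"] = validate_display_name(raw)
    return profile


def rejects(raw):
    """True if the feature refuses the input (used by the security tests)."""
    try:
        set_display_name({}, raw)
    except ValidationError:
        return True
    return False


# Functional and security cases live side by side in one definition of done.
FUNCTIONAL_CASES = [("Ada Lovelace", "Ada Lovelace"), ("  Grace  ", "Grace")]
SECURITY_CASES = ["", "x" * 33, "Bob\x00", "<b>Bob</b>"]


def feature_is_done():
    """The feature is only 'done' when every case in both lists passes."""
    functional_ok = all(set_display_name({}, r)["display_name"] == e
                        for r, e in FUNCTIONAL_CASES)
    return functional_ok and all(rejects(r) for r in SECURITY_CASES)
```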

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.