The presence of agile software development brought some ideals to software development methodology, maybe that’s why it did not take long before it gained wide acceptance. The manifesto of agile adapted to software development life cycle (SDLC) can as well improve the security status of applications which currently serves as the most exploited threat vector across the globe and reported by Symantec to have increased by 30 percent this year (web applications).
From experience, the “agility” of software development process increases vulnerability of software. Adapting the Agile development process manifesto to improve software security will boost applications security. Agile manifesto as found applicable to software security is described below:
Agile promises to value individuals and interactions over processes or tools. This concept is great for business relationship between software vendors and their clients. Adapting agile to software security, individuals, for instance, users and interactions with the system should be discussed as part of the security requirements and well measured to decide the risk appetite of the organization. While processes and tools are important, individuals and interactions eventually decide the efficacy of the security.
Agile promises working software over comprehensive documentation. The details of what makes how a software works is not as important as if the software works. However, the fact that software is working does not make it secure neither does it guarantee its quality. So, for agile security, we prefer working security over comprehensive documentation. Simply should be risk-based and not tick-the-box security.
Agile promises customer collaboration over contract negotiation. In order to improve the security of SDLC, customers and good understanding of business objectives is imperative over negotiations and deliberations. It is in understanding of the customers and their business that facilitates business collaboration and hence collaboration for secure software.
Agile promises responding to change over following a plan. Change is constant and growth is change in itself, which is another reason why continuous monitoring is imperative in agile security. Threat analyzed through modelling and risk defined software security is a more decent approach and when a change is made agile security requires that it’s security is responsive, that is, re-calibrated to reduce the risk posture of the organization.
However, as discussed in the agile manifesto it is not a bad idea to follow plans, negotiate contract, document comprehensively or rely on process and tools. It is more expedient to follow the left-side options. While we deliver software with agile process, we can adopt agile security concept for a brilliant, better and secure application.