Agile shops tend to put a premium on lightweight processes that minimize impact on iteration timelines.
Some of the key differences we've seen work in agile shops rather than waterfall include:

* Aversion to documentation
* Heavy reliance on collaborative tools, such as bug tracking and wikis
* Implicit design evolution rather than deliberate focus on design
* Less scrutiny of third-party code if it can help get the job done quickly

Implications for secure SDLC include:

* As with all other types of SDLC, education is a critical prerequisite to convince stakeholders of the importance of security
* Despite best intentions, agile shops will tend to avoid new security activities if they fail to present enough value or if they slow down iteration plans. Rather than forcing a security review at every iteration, define a set of criteria that will force a deliberate, formal security review (e.g. large changes to the front end, changes to authentication / access control, new modules, major rewrites, etc.).
* Most bug tracking tools offer some measure of extensibility. Leverage bug tracking tools to also track security vulnerabilities by creating a special security tag
* Thorough manual source code review *is possible* and maybe even feasible for short iterations. This is particularly true for shops that already perform non-security-specific source code review at the end of each iteration
* Building security static analysis into continuous integration is a natural fit
* Documentation, such as secure coding guidelines / checklists, should reside in dynamic platforms such as a wiki or web page rather than static documents that don't evolve
* Threat modeling needs to be agile and done in a matter of hours rather than days. The focus should generally be on important high-risk use cases rather than attempting to be comprehensive
* Automated front-end testing tools, such as Selenium, are a great place to perform fuzzing for common data validation flaws
* For ISVs in particular, making the case for building a large enterprise security library all at once may be a tough sell. Build security libraries iteratively, just like the main product, focusing on the least complex / biggest risk reduction controls first

On Wed, Sep 8, 2010 at 8:05 AM, Jari Pirhonen <j...@iki.fi> wrote:
> 8.9.2010 11:37, Martin Gilje Jaatun wrote:
>>
>> I may have mentioned before on this list that my dream is to do an
>> in-depth comparative study of "traditional" and "agile" development
>> organizations to determine which produces the best (i.e., most secure)
>> code? The first challenge would be to figure out how to compare the
>> "security level" of two different types of software products...
>> (Actually, the first challenge is to get funding for this...)
>>
>
> This study would be very interesting. I've asked around if there're any
> studies/papers showing that agile actually produces better (or as good)
> software than waterfall/iterative methods. I understand that there are many
> advantages and many organizations are happy with agile development. It would
> be nice to see some serious studies, though.
>
> Jari
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
>

--
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi
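The review-trigger criteria and the continuous-integration point above, as an added example that is not part of this thread or of any product it mentions: a small gate that reads `git diff --numstat` output for an iteration and reports which of the post's criteria (auth / access-control changes, new modules, large front-end changes, major rewrites) the change set hits. The path patterns, line thresholds and the sample diff are assumptions chosen for illustration.

```python
import fnmatch
from dataclasses import dataclass

# Assumed path conventions and thresholds; adjust them to the repository in question.
AUTH_PATTERNS = ("*/auth/*", "*/authz/*", "*/acl/*", "*login*", "*session*")
FRONTEND_PATTERNS = ("web/*", "ui/*", "*.js", "*.html", "*.css")
LARGE_FRONTEND_LINES = 500   # "large changes to front end"
MAJOR_REWRITE_LINES = 2000   # "major rewrites"

@dataclass(frozen=True)
class FileChange:
    path: str
    added: int
    deleted: int
    is_new: bool = False  # file did not exist before this iteration

def parse_numstat(numstat: str, new_paths: set) -> list:
    """Parse `git diff --numstat` output (added<TAB>deleted<TAB>path); binary files show '-'."""
    changes = []
    for line in numstat.strip().splitlines():
        added, deleted, path = line.split("\t", 2)
        changes.append(FileChange(path, *(0 if n == "-" else int(n) for n in (added, deleted)), path in new_paths))
    return changes

def _hits(path: str, patterns: tuple) -> bool:
    return any(fnmatch.fnmatch(path, p) for p in patterns)

def review_triggers(changes: list) -> list:
    """Return the criteria the change set meets; a non-empty list means a formal review is due."""
    reasons = []
    auth = sorted(c.path for c in changes if _hits(c.path, AUTH_PATTERNS))
    if auth:
        reasons.append("authentication/access-control change: " + ", ".join(auth))
    by_dir = {}  # a directory whose changed files are all new is treated as a new module
    for c in changes:
        by_dir.setdefault(c.path.rpartition("/")[0], []).append(c.is_new)
    new_modules = sorted(d for d, flags in by_dir.items() if all(flags))
    if new_modules:
        reasons.append("new module(s): " + ", ".join(new_modules))
    frontend = sum(c.added + c.deleted for c in changes if _hits(c.path, FRONTEND_PATTERNS))
    if frontend > LARGE_FRONTEND_LINES:
        reasons.append(f"large front-end change: {frontend} lines")
    total = sum(c.added + c.deleted for c in changes)
    if total > MAJOR_REWRITE_LINES:
        reasons.append(f"major rewrite: {total} lines changed")
    return reasons

# Constructed sample: what `git diff --numstat main...feature` might print for one iteration.
SAMPLE_NUMSTAT = "12\t3\tsrc/auth/password_reset.py\n40\t0\tsrc/reports/export.py\n5\t2\tweb/app.js\n-\t-\tweb/logo.png\n"
SAMPLE_NEW = {"src/reports/export.py"}  # paths `git diff --name-status` reports as added (A)
```

Run it as a CI step on the iteration's diff; a non-empty result is the signal to hold the merge for a formal review, which keeps the review deliberate rather than a tax on every iteration.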