Today’s business cycles require faster and more innovative results more than ever before in order to stay competitive. As organizations speed up their time to market, they are realizing the waterfall methodology is no longer working. Now they are creating and adopting rapid application development methodologies. One of those methodologies, agile software development is arguably the most popular of these methodologies, and thousands of organizations around the world are now operating in an agile software environment.
Agile Software Development: A New Development Paradigm
Agile software development is all about speed, and is characterized by continually setting and hitting short-term goals, called sprints, every two to four weeks that fit into the bigger, long-term goals of the business. Sprints are completed by small groups of cross-functional developers who meet daily in scrum meetings to complete daily or weekly tasks that fit into the short-term goals. Agile processes encourage constant self-inspection, adaptation, and improvement and relies heavily on a philosophy of teamwork, accountability, and self-organization.
The benefits of developing in agile environments are abundant, including the ability to better and more quickly respond to customer feedback and the general market, more active, engaged developers, as well as the ability to deliver products faster than ever. The benefits offered through the agile methodology have brought major successes to many of the organizations who’ve adopted agile development processes.
The Current State of Security in Agile Software Development
Unfortunately, for all the benefits that agile provides, security has become a major challenge for many organizations as they adopt agile processes.
One reason for this is the lack of security processes and checks during agile development processes. Security may be considered in the beginning stages of the SDLC during design and planning, but is most often saved for security testing done near the end of the cycle, right before release. This leaves a huge gap in the middle, through the entire development process, where many security issues are often created due to poor coding and a lack of secure coding knowledge.
Instead, organizations rely on manual testing and/or DAST, Dynamic Application Security Testing, at the very end of the SDLC to detect and fix security issues. The result? Applications too often are released with major security issues that either weren’t found through pentesting or DAST or that were deemed not serious enough to hold back release, with developers needing to quickly fix the issues and release a patch ASAP. The bugs that are deemed serious enough to require fixing hold back the release and are much more expensive to fix than if they were found earlier in development.
While the above is true for many organizations, whether agile or not, the issue is compounded for agile organizations because of the potentially higher risks created through fast delivery and the lack of integrated security processes that would bring the risk level down.
Why You Need Automated Security in Your Agile Software Environment
Security needs to better adopt to agile processes, because agile is here to stay. It’s important for security teams to understand they can’t change too much of the agile process before it stops being an agile process: Agile can’t slow down in order to let security have it’s time in the sun. The good news is that there are several ways in which security can be tightly integrated into agile development. Automating security in development is one of the best ways to do so.
Automation is one of the main tenets of the agile methodology, and it makes sense for the focus on efficiency that is so important in agile organizations. By performing static, mundane tasks, automation allows employees to work on more difficult, abstract, and innovative tasks. Automation is hardly restricted to software development, of course; Everything from production lines to cars to drones now include automation for precisely the above reason.
Security should be no different. The vast majority of security flaws are the same old issues we’ve seen for the past 20 years: XSS, SQL Injections, CSRF, and all our other ‘friends’ of the OWASP Top 10 and beyond. Many developers simply don’t know about these issues, because security testing is so far removed from their coding. By integrating security checks into their development process, such as having developers running security tests before they check-in code and providing instant results so that they can fix the issues at that moment, you’re not only testing for security at the best possible moment, you’re also teaching developers about secure coding.
Developers typically want to be good at their jobs, as we all do, but when it comes to security many weren’t taught of its importance or how much effect they can have on security. When team leaders, however, begin eschewing the importance of regular security testing and adopting clean security checks as part of their test-driven development processes, the myth that security isn’t important or isn’t part of their job is shattered.
Further, automating security in the development process will provide a higher level of visibility with continuous monitoring, which can help further identify areas in which security controls can be better fitted to agile processes. This is another step towards increasing collaboration between developers and security and will allow for a better relationship in the future.
Security testing is no longer as big and bulky as it once was. Static code analysis tools have matured greatly, and many of them, such as Checkmarx’s CxSAST, offer key solutions to many of the challenges posed by the differences between traditional security and agile environments. These tools can be built into the developer’s IDE, which can create instant reports of found vulnerabilities and how to best fix them, making it simpler and cheaper to resolve, and creating a more harmonious, collaborative environment for security and developers.
Not everything that can be automated should be, of course, and DAST and manual testing still have a place in agile environments. It’s about finding the best balance for your organization – balancing risk with agile’s need for speed. Security is and always will be an important part of any organization, and with the right tools, partnerships, and willingness to adapt, security can thrive in agile organizations.
Build Security into Your Agile Software Environment
Read an Introduction to Interactive Application Security Testing