Agile Software - But Safe!
The fact that agile methods are now state of the art, especially in software development, and that they offer an enormous number of advantages over conventional methods, should have reached even the biggest skeptic. The current discussions are no longer about whether agile methods should be used, but about how this should be done. A very important aspect is security, which has been neglected from time to time in the heat of the moment due to the enthusiasm for the new methods.
Don't neglect security!
On the dev-insider.de
platform, Stephan Augsten deals with the topic of security in agile software development. His premise is: security should never come last and this aspect should be integrated into projects from the outset. He refers to Janosch Maier from Crashtest Security, who explained the stumbling blocks of security in agile software development in more detail. In the following, we summarize the respective theses for you. Stephan Augsten and Janosch Maier agree that there must be and is time for the topic of security in every DevOps development process. The fact that project phases do not follow on from one another in a delimited manner, but rather intertwine flexibly, is what makes Kanban, Scrum and Extreme Programming so attractive. But this is precisely where new security gaps come from, because more flexible projects become more complex, but also less secure.
The benefits of agile programming
Janosch Maier summarizes the advantages of agile development in four groups. First and foremost, he mentions adaptability. Customer requests can be incorporated at every step while development is still underway, without having to complete a phase and thus wasting resources and money. This ability to respond quickly to any customization request, no matter how small, shortens the general development time. Scrum and Co also allow adjustments to be made at a late stage of project development, when it would already be too late with the waterfall method. The second enormous advantage is the close collaboration. With Scrum, a direct exchange takes place within a team every 24 hours. This improves the exchange of information and breaks down communication barriers.
More efficiency through transparency
The third advantage is transparency, especially with regard to the customer. While in the waterfall method a customer only gets to see his product at the end of the development process, agile methods enable the customer to be continuously involved in development. He can constantly give feedback and experience his product in every phase. Last but not least, efficiency is an enormous advantage. It virtually results from all other advantages. Development teams tackle problems with agile methods - and at a much earlier stage than with the waterfall method. All features are tested immediately, which weeds out bugs and other problems earlier. Efficiency increases tremendously. This saves time and money, while at the same time creating competitive advantages for the customer.
Do not postpone risks
However, Janosch Maier does not want to praise agile methods to the skies without addressing the risks. These exist. And they are often related to the nature of agile methods. Where many functions are programmed quickly and a high number of adjustments are always and constantly made, security gaps are pre-programmed. It is essential to address this - and to do so as early as possible. Although security testing at the end of a project does not fit into the agile methodology, because after all everything is constantly tested, many companies still make this mistake: They test everything possible in every step, but still save the topic of security for the end. Sounds illogical, but somehow human again. Nobody likes to think about security gaps. Neither the developers nor those responsible want to be reminded of security problems every day. At the same time, agility leads to more complexity and thus to more points of attack for hackers. At the same time, more security has a negative impact on agility.
Eliminate security risks
So what to do about security risks? Agile teams often work with DevOps because not all work steps can be executed manually at such a high speed. Work steps such as testing are automated and executed by Agile build pipelines. Security vulnerability detection tools can be integrated into these pipelines. Dynamic or static security scanners can be used to find outdated data and bugs. The automated security scanners are a great solution because, as mentioned earlier, no developer wants to perform such tests manually. Developers can pay attention to security vulnerabilities using this method and at the same time free up their time for the really exciting tasks.
A few more tips
Safety should never be viewed as a single step independent of the rest of the process - and certainly not as a nuisance. Looking at safety as an ongoing methodology is more promising. Safety must be on the agenda at every stage from the beginning, so that it never gets to the point of simply being forgotten in the first place. For executives, it is advisable to establish an unchallengeable and pervasive security culture. The use of SecDevOps actually increases productivity because security frameworks that are integrated by design make developers work even more efficiently. They are, in effect, the best way to avoid tedious security testing. You can tell your customers that using SecDevOps reduces the risk of successful attacks - and that adds value. Finally, we've learned that not all developers take security seriously enough.
Author: IAPM internal
Key words: Project management, Agile project management, Security, SecDevOps