On Funkschau.de, Janosch Maier reports on why agility is only possible in conjunction with security and why there can be no agile projects without security. Janosch Maier is the founder of Crashtest Security and has been working on this topic for several years. Maier points out that agile programming has become the standard in many companies and teams today. Developers are taking advantage of agile to create benefits for customers. Of course, there are also risks that come with using agile methods. One of those risks - probably the main risk - is security. According to Maier, there can be no agility without a certain level of security. Below, we summarize his viewpoints for you.
In some agile projects, security comes up short - of course, this must not happen and must be taken into account from the very beginning.
Software development: advantages over old methods
For many years, even decades, projects were handled using the waterfall method: each project phase was completed, and the next phase was started on the basis of its results. The outcome of one phase was always the binding blueprint for the next. This is no longer the case in the age of agile methods. Maier highlights the four most important advantages of agile methods for modern companies, and the first of these is adaptability. When programming in separate phases, it constantly happened that project steps or entire projects were completed, only for it to become apparent immediately that the customer's wishes had not actually been fulfilled. Dissatisfied customers and wasted time and resources were often the result. Agile methods allow and require constant close contact with the customer, so that every change can be discussed with the customer directly during the respective phase. The need for changes at the end of a project can thus be minimized. The individual development cycles are shorter, allowing developers to make significant changes much later in the project without torpedoing the entire project. In addition, there is continuous testing and review, which means that new products are also brought to market much more quickly.
Advantages of agile methods
The second enormous advantage of agile methods is the collaboration, which is considerably closer and more concentrated than in conventional methods. In Scrum, as in other agile methods, the product owner always sits at the table as well, so that decisions can be made directly, which speeds up communication and makes the entire process faster and more efficient. The third advantage of agile methods in software development is transparency. Just a few years ago, it was common for a customer to see his product only when it was ready. This has been completely abandoned in agile development. The customer is involved in every phase, which means that the product owner always knows exactly what is going on and can put a stop to it if something does not meet his expectations. This saves time and money on unnecessary steps and changes. Advantage number four is efficiency, which is somewhat derived from the aforementioned advantages. Agile software development simply means a huge increase in efficiency. Problems and bugs can be discovered at an earlier stage, which saves money and time. New tools are tested directly and so it is immediately clear whether they work and are useful. The customer gains direct competitive advantages from this. He receives his product faster and it is better coordinated with him.
Risks in agile development
As already mentioned, agile development also involves risks that were not present to the same extent in conventional software development. Since numerous functions are created in a very short time, it often happens that security tests are only performed towards the end, while functional tests are ubiquitous. Developers often do not write their own security tests for their software, but release versions that have not been tested for security or have been tested insufficiently. After all, testing costs a lot of money and time. This is where hackers see their opportunity and products become vulnerable. So it's no wonder that 30,000 websites are hacked every day.
Agile but secure
Maier emphasizes that a compromise is the best solution. High agility leads to high development speed. More complex software products can be developed in less time. Maier calls complexity the enemy of security, because in complex structures there are many points of attack for hackers. The pursuit of security, for its part, is the enemy of agility, because more security means more testing, which takes time. Below, Maier lists his tips for companies looking for a suitable and good compromise between maximum agility and maximum security.
Last but not least, it means finding a compromise
Many agile development teams are so fast because they no longer perform various steps manually. Thanks to DevOps, the developers in the team are also responsible for running the software. So-called build pipelines run tests automatically, and tools that detect security gaps can be incorporated here as well. Using dynamic or static security scanners, they can detect outdated libraries or point out other gaps. With manual tests, this is hardly possible across the board. Automatic scanners are therefore a great help because the developers can concentrate on the actual development.

The second tip is more about attitude: don't treat security as an additional step, but as part of every step. Incorporate security on an ongoing basis. This includes making sure that the company's leadership takes security very seriously. Educate your colleagues about security culture and how important this aspect is. It also doesn't hurt to mention more often that more security means more productivity: an integrated security framework gives developers more time to do their jobs, which has a positive effect on sales because products are finished faster.

Think about data protection: your data is at risk, as is your customers' data, if your software has gaps that invite hackers in, not to mention the loss of trust with your customers. In addition, good security integration can ultimately save money. A rule of thumb says that bugs carried over into the next phase cost ten times more to fix there. Software that has already been tested for security therefore shifts the cost of fixing vulnerabilities to an earlier and thus less expensive phase.
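As an added illustration of the first tip (not code from the article or from Crashtest Security), the following Python script is the kind of gate a build pipeline can run on every commit: it reads a pinned dependency manifest and fails the stage when any pinned library sits below a minimum-version policy. The manifest and the policy table are constructed sample data; a real pipeline would take the policy from a software composition analysis tool or an advisory feed rather than a hand-kept dictionary.

```python
import re
from typing import Dict, List, Tuple
# Constructed manifest in requirements.txt style; not a real project's file.
REQUIREMENTS = """\
requests==2.19.1
flask==2.3.2
# pinned but below the policy minimum
pyyaml==5.1
cryptography==41.0.3
"""

# Constructed policy: oldest version still accepted per package. In a real
# pipeline an SCA tool or advisory feed would supply this, not a hand-kept dict.
MIN_VERSIONS = {"requests": "2.31.0", "pyyaml": "5.4", "cryptography": "41.0.0"}
def parse_version(v: str) -> Tuple[int, ...]:
    # "2.19.1" -> (2, 19, 1): tuples compare element-wise, so 2.9 < 2.10 holds
    # numerically, whereas a plain string comparison would get it wrong.
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text: str) -> Dict[str, str]:
    # Only exact pins are accepted: an unpinned line cannot be audited reliably.
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9.]+)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line}")
        pins[m.group(1).lower()] = m.group(2)
    return pins

def find_outdated(pins: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    # One finding per pinned package that sits below the policy minimum.
    return [
        f"{name}=={pins[name]} is below minimum {minimum}"
        for name, minimum in policy.items()
        if name in pins and parse_version(pins[name]) < parse_version(minimum)
    ]

def gate(text: str, policy: Dict[str, str]) -> int:
    # Exit code for the pipeline stage: 0 passes, 1 blocks the build.
    findings = find_outdated(parse_requirements(text), policy)
    for f in findings:
        print("SECURITY GATE:", f)
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(REQUIREMENTS, MIN_VERSIONS))
```

Run as a pipeline step, a non-zero exit code stops the build before an outdated library reaches a release, which is exactly the check manual testing rarely covers across every commit.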
Author: IAPM internal
Key words: Agile project management, security, guide, tip