As companies mature, adaptability and speed tend to give way to hierarchy and a slower pace. When things slow down, innovation might too—unless there is a conscious decision to foster it. Agile software development is one effective way to ensure innovation, speed, and security remain at the heart of your company, even—and especially—as it grows.
In simplest terms, Agile refers to an iterative development approach in which collaboration and continuous, incremental growth are top-of-mind. Working iteratively is great for security, as it prevents it from being an afterthought. With that in mind, here are three tips to prioritize security during agile development.
Tip 1: Choose a framework or strategy
In the Agile space, you will come across several frameworks and strategies, including
- Scrum
- Kanban
- FAST Agile, and
- LeSS
Once again, because these are iterative approaches, they have the potential to prioritize security on an ongoing basis. Choosing the right framework or strategy is simply dependent on what works best for the team. Allow teams to choose an approach. Timebox the chosen approach and then reflect after a period of time. Ask the question: “does this approach work for us?” If the answer is “yes,” continue using it. If not, then try something different.
Many resources exist comparing various frameworks or strategies, including how each:
Before selecting a framework or strategy, be sure to read the guides (such as this one for Scrum or this one for Kanban). Make sure to check for updates on a consistent basis.
At the same time, be flexible. Let teams experiment with different frameworks or strategies and be open to using concepts from each. You can be doing Scrum and complement it with flow metrics from Kanban. If you’re too rigid, the whole agile mindset dies.
Tip 2: Consider security from the beginning
No matter which approach you choose, teams must ensure cybersecurity needs are met early in the development process, as it minimizes wasted time and reduces risk. This is commonly referred to as “shifting left” on security, since it moves security considerations and concerns to the beginning of the initial request. This means having security specialists looped into conversations earlier in the application design before the work in an iteration begins. This ensures all team members understand common vulnerabilities. Just as the overall product is tested on an ongoing basis, so should its security posture. There are many resources outlining the top security risks in agile development. Make sure to test your code in a sandbox environment for the worst-case scenarios on an ongoing basis.
To evaluate security, many teams use the CIA triad, which breaks security into three buckets: confidentiality (i.e. protecting sensitive information with data encryption); integrity (keeping data free from tampering through audit trails); and availability (avoiding interruption through redundancy). This framework is useful to ensure security is not only far left but is being considered throughout development. If teams wait until the end of a sprint to think about security, they may find they’ve wasted time and could need to rework their recent development progress.
Tip 3: Communicate, communicate, communicate
If someone asked me for the simplest definition of Agile, I’d say it’s people communicating effectively. To a large degree, communication is built into Agile, including the big visual charts it relies on. But each framework has its own language of sorts, and those can influence how effective or ineffective a team may be on addressing security concerns throughout the development process. The Daily Scrum, for instance, is a 15-minute stand-up meeting when the team gets together to look at work that’s in progress and any impediments to its completion. This may not be enough time to deal with an evolving security weakness. The final event in the Scrum guide, meanwhile, is a Retrospective. This is a meeting in which the team jointly reflects on the sprint and identifies possible areas of improvement – ideal for improving security continuously. In Kanban, on the other hand, teams will frequently communicate about flow metrics, which allows for looking at data over time, such as how often work items get completed or how long a work item is in progress. This can be highly beneficial to long term security planning across an organization.
Regardless of which approach you choose; communication must be a priority throughout—both within the development team and with leadership. When leadership teams have their own Scrum or Kanban system, it’s easier for them to understand how other teams are working. Additionally, communication between cybersecurity experts and developers is crucial for ensuring vulnerabilities get addressed on an ongoing basis. Without communication, sufficient cybersecurity isn’t possible.
The bottom line is that agile development has many benefits, with each framework or strategy boasting different strengths for developing secure software. At the same time, Agile principles are more flexible than many people realize. It’s a myth that Scrum is only used for software development, as many teams also use it for support. However, Scrum can be utilized outside of these environments, such as at call centers, service centers, and help desks. And while Kanban is often chosen for support and maintenance, many teams do build software with it.
To get started with Agile, choose the approach that seems to best fit the team and situation. So long as it’s implemented with a culture of flexibility, communication, and security, you’ll be well-positioned for success.
Learn how to keep security at the center of your Agile software development with 3 tips from Blog 3 of our series, 3 Ways to Keep Security at the Center of Agile Development.