Agile software development has many benefits, including the opportunity for developers to iterate and be flexible. To that end, many Agilists reject big upfront project design in favor of smaller, incremental deliveries that build toward growth. Traditionally, cybersecurity is designed to be a downstream consideration in these big projects with lots of upfront planning. With this approach, many opportunities to tighten up security protocols along the way are missed. To build secure applications, cybersecurity must be baked into the process from day one. Put another way, security should be shifted left in the development process. When security isn’t shifted left, development teams run the risk of introducing security issues and wasting effort on rework.
There are several steps organizations can take to ensure cybersecurity is the throughline of agile software development. Let’s dive into three of them.
1. Flexible sprint commitments
Sprints—short timeboxed periods during which the team is expected to complete a particular task—are a staple of agile software development. The goal of sprints is to break the project into smaller, manageable chunks. But to ensure security isn’t sacrificed in the name of speed, the project leader or Scrum master must allow for flexibility regarding sprint times. Some Scrum masters expect teams to commit ahead of time to finishing a certain number of features per sprint. But if your team is too myopically focused on completing features on time, they may cut corners on security to do so.
It’s better to have developers complete fewer stories with sufficient security than to have more stories with bugs in them. Cutting corners is never anyone’s intention, but by focusing too much on speed, developers are more likely to feel pressure and overlook buggy code. Put simply, the most secure code doesn’t have bugs and is more likely to be created in an environment with flexible sprint commitments.
2. Security is part of the definition of “done”
In addition to determining reasonable sprint commitments, agile teams also must define what “done” means for a feature. Too often, security is an afterthought in this regard. It’s only after the feature is completed that security is considered, tested, and measured. This practice is not productive in developing a secure application. In addition to being costly and time-consuming, it makes it far more likely that the application will not be sufficiently secure.
To ensure security doesn’t fall by the wayside, it must be part of the definition of “done” for every single feature that’s built. Shifting left means integrating security concerns and requirements as early in the process as possible and marking a feature as complete only when every requirement, including the security requirements, is met.
3. Everybody owns security
A core tenet of Agile is breaking down silos. Instead of having separate teams for design, quality assurance, and other components of a feature, everyone should be collaborating and communicating continuously. This mindset must extend to security as well. If your development team is working with the CISO or cybersecurity team, they need to be engaged for every feature early on and through the development lifecycle. But cybersecurity isn’t just their responsibility. Everyone on the team should own security, which means being ready and able to flag any security issue that arises.
One way to ensure everyone owns security is through mandatory security training. Particularly with more applications in the cloud, everyone needs to be empowered to spot vulnerabilities. When issues are flagged, they should take immediate priority. Put another way, with cybersecurity, it must be all hands on deck.
The bottom line
There are many benefits to agile development, but speed should never come at the expense of security. Only testing software once it’s produced is insufficient. Instead, security needs to be shifted left in the development process and prioritized throughout.
In the age of the cloud, cybersecurity simply cannot be an afterthought. Security must be considered from day one, risk assessments should be carried out as early as possible, and everyone on the team should consider cybersecurity their responsibility. By following these steps, your team can be both agile and secure.