Agile software development is a conceptual framework for undertaking software engineering projects that embraces and promotes evolutionary change throughout the entire life-cycle of the project. What it does not do is incorporate information security risk into the process. It is another way to keep costs down in the development process, but it was created by those without any inkling of what it means to include security in any process, whether iterative or waterfall-like.

Agile methods emphasize real-time communication, preferably face-to-face, over written documents. Ergo, very little consideration is given to documenting critical transactions, compliance issues, access management, roles, etc.

Most agile teams are located in a bullpen and include all the people necessary to finish software, but not to write proper software free of vulnerabilities. At a minimum, this includes programmers and their “customers” (customers are the people who define the product; they may be product managers, business analysts, or actual customers). The bullpen may also include testers, interaction designers, technical writers, and managers (but there is no mention of anyone with a security bent). Agile methods also emphasize working software as the primary measure of progress. Combined with the preference for face-to-face communication, agile methods produce very little written documentation relative to other methods.
What else does it not do:

- Lack of structure and necessary documentation
- Only works with senior-level developers
- Incorporates insufficient software design
- Lack of information security concerns relative to people, process and technology

There is even an agile manifesto (proletarians unite):

- Customer satisfaction by rapid, continuous delivery of useful software
- Working software is delivered frequently (weeks rather than months)
- Working software is the principal measure of progress
- Even late changes in requirements are welcomed
- Close, daily cooperation between business people and developers
- Face-to-face conversation is the best form of communication
- Projects are built around motivated individuals, who should be trusted
- Continuous attention to technical excellence and good design
- Simplicity
- Self-organizing teams
- Regular adaptation to changing circumstances

All these things are great from one perspective, but you must include security. Pushing software out the door quickly and efficiently may save short-term dollars, but the built-in vulnerabilities will kill you in the long run. The concepts are fine but lacking. If you hear of agile methods in your environment, muscle your way in, or the sheer speed of their efforts (and the fact that they will see infosec as a governor on the throttle) will produce multiple iterations that are moved to production before you can get involved! And, per Murphy’s law, most will be Internet-facing, financially significant iterations.