• United States



Agile Software Development

Aug 13, 20073 mins
CareersData and Information SecurityIT Leadership

Agile software development is a conceptual framework for undertaking software engineering projects that embraces and promotes evolutionary change throughout the entire life-cycle of the project. What it does not do is incorporate information security risk into the process. It is another way to keep costs down in the development process but created by those without any inkling of what it means to include security in any process whether iterative or waterfall-like.

Agile methods emphasize real-time communication, preferably face-to-face, over written documents. Ergo, very little consideration given to documenting critical transactions, compliance issues, access management, roles, etc.

Most agile teams are located in a bullpen and include all the people necessary to finish software but not to write proper software free of vulnerabilities.

 At a minimum, this includes programmers and their “customers” (customers are the people who define the product; they may be product managers, business analysts, or actual customers). The bullpen may also include testers, interaction designers, technical writers, and managers (but no mention of anyone with a security bent).

Agile methods also emphasize working software as the primary measure of progress. Combined with the preference for face-to-face communication, agile methods produce very little written documentation relative to other methods.

What else does it not do:

                lack of structure and necessary documentation

                only works with senior-level developers

                incorporates insufficient software design

                lack of information security concerns relative to people, process and technology

There is even an agile manifesto (proletarians unite):

                Customer satisfaction by rapid, continuous delivery of useful software

                Working software is delivered frequently (weeks rather than months)

                Working software is the principal measure of progress

                Even late changes in requirements are welcomed

                Close, daily, cooperation between business people and developers

                Face-to-face conversation is the best form of communication

                Projects are built around motivated individuals, who should be trusted

                Continuous attention to technical excellence and good design


                Self-organizing teams

                Regular adaptation to changing circumstances

All these things are great from one perspective but you must include security. Pushing software out the door quickly and efficiently may save short-term dollars, but the built-in vulnerabilities will kill you in the long run.

The concepts are fine but lacking. If you hear of agile methods in your environment, muscle your way in or the sheer speed of their efforts (and the fact they will see infosec as a governor on the throttle) will produce multiple iterations that are moved to production before you can get involved!  And most per Murphy’s law will be Internet facing, financially significant iterations.