Secure agile software development an oxymoron?

By Michelle Davidson, Site Editor, SearchSoftwareQuality.com
25 Oct 2006 | SearchSoftwareQuality.com


SEATTLE -- Can you be agile and secure?

That's the dilemma agile software developers face as they build flexible, responsive applications. But it is possible, according to Dan Cornell, principal at the Denim Group. Some compromises just need to be made.

Organizations are being pulled in two directions, Cornell told attendees of the 2006 AppSec Seattle conference. On one side you have the agile forces where developers are more responsive to business concerns, the frequency of stable releases is increased, and the time it takes to deploy new features is decreased.

On the other side you have the security forces: a more aggressive regulatory environment, an increased need for security, and traditional top-down, document-centric approaches.

"Unfortunately it puts the two forces opposite each other," Cornell said. "There are going to be trade-offs that need to be made."

The challenge is to take the good things out of the Security Development Lifecycle, such as threat modeling and application testing, and add them to the agile method, he said.

Injecting security
Start with the project setup, Cornell said. When considering education and training for developers, testers and users, include security. Then following your user stories, use case development and architecture decisions, agree on threat modeling standards for the project -- STRIDE priorities or DREAD ratings.

When you move into the release planning phase, include security concerns as you write your user stories and use cases, Cornell said. Consider inputs for threat modeling and security testing scenarios, and determine the qualitative "risk budget."

"Developers and customers need to agree at the outset what is expected," Cornell added. "Keep the customer involved in making risk trade-offs."

As you finalize architecture and development guidelines, include security in your common coding standards. During this phase you should also conduct initial threat modeling and create a designer's security checklist, he said.

In addition to the traditional project roles of product manager, program manager, architect, developer and tester, Cornell said it's important to designate someone as the security adviser. That person will keep track of what was determined through threat modeling.

Planning, executing and closing an iteration
Security also comes into play during the iteration planning phase, which usually covers one to four weeks. At the iteration planning meeting, where user stories are broken down into development tasks and developers estimate their own tasks, you also need to document the attack surface at the story level.

Cornell said you should also model the threats alongside the user story documentation. This is important in documentation-light processes. "Your code will tell you what decision was made, and threat models will tell you why decisions were made," he said. "It's crucial for 'refactoring' in the face of changing security priorities."

As you execute an iteration, you have daily stand-up meetings but you should also have continuous integration, making use of code scanning tools and security testing tools.

You should also adhere to common coding standards and security guidelines, Cornell said. "You should always be enforcing security standards, as they're crucial for communal code ownership," he said.

When closing an iteration, run automated customer acceptance tests but make sure to include negative testing for identified threats. You should also conduct a security code review, as something may have happened informally during pair programming, Cornell said.

During the final phase of stabilizing a release, you want to make one last push for security and test for defects and vulnerabilities. Prioritize vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards. You also want to include traditional penetration testing.

Threat modeling techniques

STRIDE -- An acronym for the spectrum of security threats your application may face. The following six threat categories can help you identify vulnerabilities and potential attack vectors in your own applications:
  * Spoofing identity
  * Tampering with data
  * Repudiation
  * Information disclosure
  * Denial of service
  * Elevation of privilege

DREAD -- An acronym that defines five key attributes used to measure each vulnerability:
  * Damage potential
  * Reproducibility
  * Exploitability
  * Affected users
  * Discoverability
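The following is an added example, not code from the article or from Denim Group, showing how a team might keep the per-story threat register the talk describes and apply its agreed STRIDE/DREAD standards when prioritizing vulnerabilities against the iteration's risk budget. It assumes the conventional 1-to-10 scale per DREAD attribute with the rating taken as the mean of the five, a project-agreed STRIDE priority used only to break ties, and a constructed sample register.

```python
"""Iteration threat register: one STRIDE category and one DREAD rating per threat.

Added example (not the article's or Denim Group's code). Assumed conventions:
DREAD attributes scored 1..10, rating = mean of the five, STRIDE priority
agreed per project and used to order threats with an equal DREAD rating.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing identity", "T": "Tampering with data", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
DREAD_ATTRS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def dread_rating(scores: dict) -> float:
    """Mean of the five DREAD scores; rejects missing attributes or values outside 1..10."""
    if set(scores) != set(DREAD_ATTRS):
        raise ValueError(f"expected exactly {DREAD_ATTRS}, got {tuple(scores)}")
    for attr, value in scores.items():
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{attr} must be an integer 1..10, got {value!r}")
    return sum(scores.values()) / len(DREAD_ATTRS)


@dataclass(frozen=True)
class Threat:
    story: str         # user story the threat was modelled alongside
    category: str      # one STRIDE letter
    description: str
    scores: dict       # DREAD attribute -> score

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        dread_rating(self.scores)  # validate scores when the entry is recorded

    @property
    def rating(self) -> float:
        return dread_rating(self.scores)


def prioritize(threats, stride_priority):
    """Highest DREAD rating first; equal ratings ordered by the agreed STRIDE priority (1 = most urgent)."""
    return sorted(threats, key=lambda t: (-t.rating, stride_priority[t.category]))


def over_budget(threats, risk_budget):
    """Threats above the agreed risk budget: fix them or cover them with a negative test before the iteration closes."""
    return [t for t in threats if t.rating > risk_budget]


# Constructed sample register for one iteration (hypothetical stories and findings).
PRIORITY = {"E": 1, "S": 2, "T": 3, "I": 4, "D": 5, "R": 6}
REGISTER = [
    Threat("US-12 login", "S", "session token has no expiry",
           dict(damage=7, reproducibility=9, exploitability=6, affected_users=8, discoverability=5)),
    Threat("US-14 export", "I", "report identifier is guessable and unauthenticated",
           dict(damage=6, reproducibility=10, exploitability=7, affected_users=4, discoverability=8)),
    Threat("US-12 login", "R", "password change is not written to the audit log",
           dict(damage=3, reproducibility=8, exploitability=4, affected_users=2, discoverability=3)),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER, PRIORITY):
        flag = "OVER BUDGET" if t.rating > 6.0 else "within budget"
        print(f"{t.rating:4.1f}  {STRIDE[t.category]:<24} {t.story:<12} {t.description} [{flag}]")
```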

"A penetration test is a confirmation that you've completed your security goals," Cornell said.

Trade-offs
The biggest compromises are that feature-focused iterations remove some "top-down" control and that more documentation is required than in pure agile development.

"What you've added to the agile process is trustworthiness," Cornell said. "We didn't invent new security things to be done, but made them fit into the agile development life cycle."

In a world where applications are increasingly under attack, the challenge is to figure out what to do differently, he added.

"Security is not something typically taken into account from people talking about and writing about agile development," Cornell said. "What we need to do is bring back some of the security things."
