rvlsoft - Fotolia

Manage Learn to apply best practices and optimize your operations.

Security in Agile product development: What not to do

In Agile product development, user stories may not be enough to ensure application security. Here are tips for dealing with security more effectively.

More and more organizations are adopting Agile for developing and maintaining their software systems. An Agile requirement management approach is mostly based on developing features. Teams using Agile often find that using user stories for defining specific security features for a product is not sufficient for developing secure products. To meet security requirements you may need additional mechanisms and practices.

Here are some suggestions for dealing with security in Agile product development:

  • Stay focused on security with the definition of done (DoD).
  • Validate meeting your security demands with acceptance criteria.
  • Have stakeholders hack security in the product review.
  • Adapt your security approach using retrospectives.
  • Resolve security issues with swarming.

My opinion is that risk sessions to explore vulnerability and security still serve a purpose when doing Agile product development. You have to bring the team and stakeholders together, not only at the start of a project, but frequently, to explore what can happen and decide how you can deal with that. My suggestion is to document the decisions made in risk sessions in the DoD as criteria which need to be satisfied before software is delivered. Put the DoD on your team board to ensure that everybody stays focused on security during product development.

You can use acceptance criteria to agree on how you will validate the security of specific user stories. Acceptance criteria not only support clarifying the requirements, they also help to discuss and decide how much and which kind of security measures are needed. Defining the criteria up front helps the team to develop software that will meet security demands and to test if they are met before delivery.

In the product review, or demo as it is sometimes called, teams will show their products and ask for feedback. Stakeholders get a chance to play with the software, which also provides opportunities to break the system's security and try things that criminals or dishonest users would do to see how the system reacts. Then the team stakeholder can decide together what needs to be done to assure that the systems will remain secure.

Agile retrospectives help teams reflect on their way of working and continuously improve themselves. In a retrospective, you can explore major or recurring security problems by using a "Five Whys" exercise. It helps you to find the root causes for security issues, which can be addressed to prevent similar problems in the future. Retrospectives can also help you to fine tune how the team deals with security issues. Teams can adapt their way of working when something changes in their environment which increases the risk that a security problem can happen.

When security is breached, quick and effective actions are needed to solve the issue and prevent further damage. Swarming is an approach where a team focuses on solving one issue. People from different disciplines will work together to build a shared understanding and come up with ways to address the issue, solve it, and put the updated software into operation. Teams may need to involve some of their stakeholders, for instance product managers, program or project managers and people from operations, to be able to act quickly and effectively.

The speed and effectiveness with which security issues can be identified, analyzed and solved is important. An Agile way of working, for instance with Scrum or Kanban, can help teams deal with security by developing and delivering effective solutions quickly. My expectation is that DevOps will take this even further because the practice shortens the loops at the front end and back end of the Agile product development cycle. Issues that are detected by or reported to operations can be handled fast when development and operations people work together intensively.

Next Steps

Improving Agile security

How to fend off hackers

Balancing agility and security

Next generation agile 

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How have you improved application security during Agile product development?

Great article! I would add that one way to improve security is keep building in 20% time for learning how to write better more robust code, and how code can be vulnerable.  Devs get better at security the more they have to deal with it, so rather than bolting it on later, layer it into the learning process of your big milestones.  You might find it gives you more benefits, and sooner.
In "Agile Testing" book the authors say it even more direct: all "-ilities" - security, usability, performance, etc. must be built in from the ground up. Otherwise, one can't call it shippable.

@Ben - I like your suggestions to track the security concerns and have something I'd call a "risks journal". Many things are learned in retrospect.