Secure Coding mailing list archives

Re: Agile (Scrum) best security practices and experiences?


From: Rohit Sethi <rklists () gmail com>
Date: Thu, 9 Sep 2010 09:53:03 -0400

Agile shops tend to put a premium on lightweight processes that
minimize impact on iteration timelines.

Some of the key differences we've seen work in agile shops rather than
waterfall include:
 * Aversion to documentation
 * Heavy reliance on collaborative tools, such as bug tracking and wikis
 * Implicit design evolution rather than deliberate focus on design
 * Less scrutiny of third party code if it can help get the job done quickly

Implications for secure SDLC include:
 * As with all other types of SDLC, education is a critical
prerequisite to convince stakeholders of the importance of security
 * Despite best intentions, Agile shops will tend to avoid new
security activities if they fail to present enough value or if they
slow down iteration plans. Rather than forcing a security review at
every iteration, define a set of criteria that will force a
deliberate, formal security review (e.g. large changes to front end,
changes to authentication / access control, new modules, major
rewrites, etc.).
 * Most bug tracking tools offer some measure of extensibility.
Leverage bug tracking tools to also track security vulnerabilities by
creating a special security tag
 * Thorough manual source code review *is possible* and maybe even
feasible for short iterations. This is particularly true for shops
that already perform non-security specific source code review at the
end of each iteration
 * Building security static analysis into continuous integration is a
natural fit
 * Documentation, such as secure coding guidelines / checklists,
should reside in dynamic platforms such as a wiki or web page rather
than static documents that don’t evolve
 * Threat modeling needs to be agile and done in a matter of hours
rather than days. The focus should generally be on important high-risk
use cases rather than attempting to be comprehensive
 * Automated front-end testing tools, such as Selenium, are a great
place to perform fuzzing for common data validation flaws
 * For ISVs in particular, making the case for building a large
enterprise security library all at once may be a tough sell. Build
security libraries iteratively, just like the main product, focusing
on the least complex / biggest risk reduction controls first


On Wed, Sep 8, 2010 at 8:05 AM, Jari Pirhonen <japi () iki fi> wrote:
8.9.2010 11:37, Martin Gilje Jaatun wrote:

I may have mentioned before on this list that my dream is to do an
in-depth comparative study of "traditional" and "agile" development
organizations to determine which produces the best (i.e., most secure)
code? The first challenge would be to figure out how to compare the
"security level" of two different types of software products...
(Actually, the first challenge is to get funding for this...)


This study would be very interesting. I've asked around if there're any
studies/papers showing that agile actually produces better (or as good)
software than waterfall/iterative methods. I understand that there are many
advantages and many organizations are happy with agile development. It would
be nice see some serious studies, though.

Jari
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________




-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi
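As an added illustration of the review-trigger criteria suggested in the post above (example code, not from the post or from Security Compass): a small CI gate that reads `git diff --numstat` output for an iteration's change set and reports which criteria, if any, call for a deliberate security review. The path prefixes, thresholds and the sample change set are assumptions constructed for this example.

```python
# Added example (not from the post): a CI gate applying review-triggering criteria
# to an iteration's change set. Input is `git diff --numstat` output (added, deleted,
# path per line) plus the paths `git diff --name-status --diff-filter=A` lists as new.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

class FileChange(NamedTuple):
    path: str
    added: int
    deleted: int
    is_new: bool

SENSITIVE_PREFIXES = ("auth/", "accesscontrol/", "session/")  # assumed layout
FRONTEND_PREFIXES = ("web/", "ui/")                             # assumed layout
LARGE_FRONTEND_LINES = 300                                      # assumed threshold
MAJOR_REWRITE_LINES = 400                                       # assumed threshold

def parse_numstat(numstat: str, new_paths: Iterable[str]) -> List[FileChange]:
    """Parse numstat lines; binary files report '-' counts, treated as 0."""
    new, count = set(new_paths), (lambda s: 0 if s == "-" else int(s))
    changes = []
    for line in numstat.strip().splitlines():
        added, deleted, path = line.split("\t", 2)
        changes.append(FileChange(path, count(added), count(deleted), path in new))
    return changes

def review_reasons(changes: List[FileChange]) -> List[str]:
    """Criteria the change set trips; an empty list means no formal review this iteration."""
    reasons = []
    sensitive = sorted(c.path for c in changes if c.path.startswith(SENSITIVE_PREFIXES))
    if sensitive:
        reasons.append("authentication/access control touched: " + ", ".join(sensitive))
    frontend = sum(c.added + c.deleted for c in changes if c.path.startswith(FRONTEND_PREFIXES))
    if frontend >= LARGE_FRONTEND_LINES:
        reasons.append(f"large front-end change ({frontend} lines)")
    by_dir: Dict[str, List[FileChange]] = defaultdict(list)  # new module: a top-level
    for c in changes:                                         # dir whose changed files are all new
        if "/" in c.path:
            by_dir[c.path.split("/", 1)[0]].append(c)
    new_modules = sorted(d for d, cs in by_dir.items() if all(c.is_new for c in cs))
    if new_modules:
        reasons.append("new module(s): " + ", ".join(new_modules))
    rewrites = sorted(c.path for c in changes
                      if not c.is_new and c.added + c.deleted >= MAJOR_REWRITE_LINES)
    if rewrites:
        reasons.append("major rewrite: " + ", ".join(rewrites))
    return reasons

# Constructed sample change set for one iteration (not real project data).
SAMPLE_NUMSTAT = "12\t3\tauth/login.py\n250\t40\tweb/forms.js\n80\t0\treports/__init__.py\n-\t-\tweb/logo.png\n"
SAMPLE_NEW = {"reports/__init__.py", "web/logo.png"}

if __name__ == "__main__": print(review_reasons(parse_numstat(SAMPLE_NUMSTAT, SAMPLE_NEW)))
```

A non-empty result is the point at which to open the tracker item with the security tag the post suggests; an empty result lets the iteration proceed without a formal review.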
