Security is important. But not every team has the processes in place to make it happen. Building secure software is a holistic process, requiring a solid top-down understanding of the product architecture as well as a deep knowledge of the building blocks. Likewise, responsibility is shared among the team members. The product owner has a responsibility to allocate resources and prioritize security, while the individual developers need to be proactive in staying aware of security risks and pitfalls. Moreover, communication from both sides is required for this dynamic to function. If developers are not bringing security concerns to the attention of management, management cannot allocate the resources needed to fix the problems. If managers are not prioritizing security, developers are likely to stay focused on the task at hand, and security holes can end up deeply embedded and forgotten.

Like most things, the first step is education. Just as developers need to keep up to date with the latest technology, staying informed of the latest security best practices needs to be a continual effort. As the threat environment changes, and as code evolves, developers need to be able to perceive threats early enough that there is still an opportunity to address them. Ensuring that a development team is trained to deal with possible threats is key.

Ways to achieve this include:

  • Educate the team by offering online courses in secure software development lifecycle (SSDL) best practices.
  • Sign up for security newsletters to keep informed of the latest threats.
  • Discuss and share knowledge among the team.

Making Security Agile

Knowledge alone is not enough. Processes are critical in ensuring that the team as a whole meets its security standards. In an Agile software project, an easy way to ensure that security is applied consistently is by building security checks into the team's sprints:

Sprint Planning:

  • When setting acceptance criteria for tickets, add security targets as you would other requirements. If your team lacks such a standard, create one.
  • Discuss, plan, and prioritize security stories in planning as you would any other task.

Sprint Tasks:

  • Introduce security objectives as part of the usual code review procedure. Mentoring can be a great way for senior developers to help junior developers understand the risks as they work with code.
  • Incremental code review helps to catch issues early and often. This gives the development team the ability to ask the right questions rather than continuing to build on top of unstable code.

Sprint Retrospective:

  • At the end of the sprint, run static analysis tools to keep a running count of code vulnerabilities and ensure they are decreasing in your sprint retrospective.
  • Add security verification tests as you would any other regression or integration test. Run these with your nightly/weekly builds.
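The "running count" from the retrospective item is easiest to enforce when the nightly build itself refuses to let blocking findings grow. The following is an added example, not code from the original article; the JSON report layout, rule names and baseline numbers are constructed for illustration and do not correspond to any particular analyzer's output format.

```python
# Added example: a "ratchet" gate for static-analysis findings.
# The report format below is constructed for this example; it is not the
# output schema of any particular analyzer. Adapt count_findings() to your tool.
import json
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample: the analyzer report from this sprint's nightly build.
CURRENT_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "severity": "high", "file": "orders.py"},
    {"rule": "weak-hash", "severity": "medium", "file": "auth.py"},
    {"rule": "hardcoded-secret", "severity": "high", "file": "config.py"},
]})

# Constructed sample: counts recorded at the end of the previous sprint.
PREVIOUS_BASELINE = {"critical": 0, "high": 3, "medium": 2, "low": 5}


def count_findings(report_json):
    """Count findings per severity from the constructed JSON report."""
    data = json.loads(report_json)
    counts = Counter(f["severity"] for f in data["findings"])
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def ratchet_check(current, baseline, block_on=("critical", "high")):
    """Return (passed, messages). The gate fails when a blocking severity
    has more findings than the previous sprint's baseline, so the running
    count for those severities can only stay flat or decrease."""
    messages, passed = [], True
    for sev in SEVERITIES:
        delta = current[sev] - baseline.get(sev, 0)
        if delta > 0 and sev in block_on:
            passed = False
            messages.append(f"FAIL {sev}: {current[sev]} (+{delta} vs baseline)")
        else:
            messages.append(f"ok   {sev}: {current[sev]} ({delta:+d} vs baseline)")
    return passed, messages


if __name__ == "__main__":
    # Exit non-zero so the nightly build fails when the ratchet is violated.
    ok, lines = ratchet_check(count_findings(CURRENT_REPORT), PREVIOUS_BASELINE)
    print("\n".join(lines))
    raise SystemExit(0 if ok else 1)
```

After a green run, store the new counts as the next sprint's baseline so the threshold only ever tightens.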

Releases and Milestones:

  • Regularly perform security vulnerability assessments and attack surface analysis. This is what keeps the product owner informed and involved so they can allocate resources appropriately.
  • When performing scalability, stability, or performance testing, teams can also benefit from DoS testing, fuzz testing, and penetration testing. This allows you to measure your success.

Learn More about Agile and Security

In software development, Agile project management has grown in importance and evolved to the point where it is widely respected as a viable alternative approach to projects. Agile has been codified in Scrum, XP (Extreme Programming), and other specific "styles". Below are some additional resources that cover Agile, DevOps, secure coding, and security tips for Docker.