In the Product Security Office, we often get questions from developers across the industry on how to apply EMC’s Security Development Lifecycle to an Agile development model. Software security practices have traditionally been considered suitable for serial waterfall development methodologies, and there has been a lot of debate in the industry on how to bring the best out of these practices and incorporate them into today’s more iterative, Agile development methodologies, which are increasingly popular, especially in the new cloud-based, big-data-centric business models.
The Software Assurance Forum for Excellence in Code (SAFECode) recently released a new paper titled “Practical Security Stories and Security Tasks for Agile Development Environments”. This paper provides software security guidance to Agile practitioners in the form of security-focused stories and tasks based on known and established security practices that can easily be integrated into any Agile-based development methodology. It is the outcome of a collaboration among SAFECode members and brings forward real-world, practical ideas that are being used across some of the world’s largest software vendors when it comes to Agile development.
The paper proposes a simple three-step approach as follows:
- Incorporate a set of security-focused stories with associated security tasks in the backlog. The suggested stories and tasks are based on a set of security best practices SAFECode identified in its previous publication, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today”, derived from the issues most commonly seen by SAFECode member companies in their environments. These are also mapped to the Common Weakness Enumeration (CWE), an industry-standard library of the most common software weaknesses. Using this approach provides an actionable list of security tasks that Agile architects, developers and testers can perform according to their specific roles to ensure that security considerations are addressed throughout the development process.
- Incorporate a set of operational security tasks that Agile practitioners should consider conducting on an ongoing basis.
- Incorporate a set of advanced security tasks requiring guidance from software security experts.
This paper is available for download at www.safecode.org.
EMC, along with Adobe, Juniper Networks, Microsoft, Nokia, SAP AG, Siemens AG and Symantec, is part of SAFECode, which continues its effort to identify and promote best practices for developing and delivering secure and reliable software, hardware and services.