White Paper

Cyber Security in Agile Development

Today, the cyber security strategies of many companies and entities are multi-faceted, which may include a wide variety of different elements in their IT environment, such as applications, data, identities, devices, and / or infrastructure.

In the past, a much larger amount of in-depth documentation was typically relied upon prior to moving forward with a security solution. Now, however, given the much more rapid pace at which business is moving, it is required that technology used in the cyber security environment be more agile in order to keep up with more rapidly-evolving needs.

Regardless of the industry, everything now essentially generates data. According to Cisco, big data is in fact doubling the digital universe roughly every two years. Therefore, today’s dynamic computing environment creates numerous new attack vectors – some that can take weeks or months (or even longer) to discover. This, coupled with changing business models and higher complexity, requires much more agile security solutions.

Likewise, an area of key concern for technology companies is that of ensuring that security is keeping pace with the speed of software, and that security gaps are quickly being addressed. One way that this can be accomplished is by moving to agile workflows.

Challenges Faced with Security Compliance

Today, some of the more “traditional” approaches to software security assurance – such as those that rely on gates – can be viewed as friction in terms of modern engineering practices. Some examples of this include the following:

  • Manual Security Assessments – Typically, white box code or black box security assessments will last anywhere from just a few days to several weeks. This is generally dependent upon the complexity and the size of the application. But with application development sprint cycles being shrunk now to mere days, the scheduling of code reviews and engagement of security teams can be quite challenging, as can performing timely reviews. This, in turn, can be counterproductive for the needs of business and engineering teams as faster-paced release cycles are now essential.
  • Security Compliance / Attestation Processes – While a security attestation process with lengthy questionnaires may appear to be complete, they can also oftentimes have little (or no) impact on the security of a system that is being engineered.

With this in mind, when taking a deeper look at the more traditional software security practices that require manual review – particularly given the demands of today’s modern engineering – there are some key requirements that come to mind. These include intelligent automation and continuous assurance.

For instance, although automation can be a key component of a security solution, it can also be difficult to get right. In addition, just simply running such tools is typically not enough in terms of performing the necessary actions. Added to this is the fact that tool fatigue is oftentimes experienced, especially if there are too many tools running concurrently.

With regard to continuous assurance, defining a security assurance level of software may have been sufficient in the past – particularly if a software application went through changes infrequently during production.

However, given today’s more continuous releases, such point-in-time assessments no longer work as well. Therefore, in order to maintain security applications, security teams of the present time are often required to be the provider of continuous assurance services, which can range from network, host, and application security.

Recently, agile development is making its way into many projects, as this approach can help with achieving more desired results, such as customer engagement, improved quality, and improved customer satisfaction overall. In addition, agile supports can also improve flexibility and transparency, along with the quality of a project.

Taking a Closer Look at Agile Software Development

Agile software development is defined as being “an approach to software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams and their customer(s) / end user(s).”

Initially the term agile (oftentimes written as Agile), was popularized, at least in this particular context, by the Manifesto for Agile Software Development. Here, the values and the principals that are espoused in this manifesto were derived from – and underpin – a wide range of software development, which include Kanban and SCRUM.

The Agile Manifesto

Most anyone who has looked into agile software development is at least somewhat familiar with the Manifesto for Agile Software Development (often referred to simply as the Agile Manifesto).

Originally written in 2001 by 17 software industry experts – inclusive of individuals from Extreme Programming, SCRUM, DSDM, Adaptive Software Development, Crystal, Feature-Driven Development, Pragmatic Programming, and others that were sympathetic to the need for an alternative to document-driven development processes – the piece was initially titled, Agile ‘Software Development’ Manifesto.

The key premises of the Agile Manifesto, which exude the primary values behind it, are:

  • Individuals and interactions over processes and tools. Here, while self-organization and motivation are clearly important – as well as various interactions such as pair programming and co-location – it is actually considered to be better to have a good team of who collaborate and communicate well, as versus having a team of experts that each operate in isolation.
  • Working software over comprehensive documentation. In the area of software, it is much more useful to have working software, as versus only presenting documents to clients in meetings. Likewise, it is also preferable to comment inline with the code and to keep the external documentation light, rather than relying upon heavier documentation, as doing so will not only require a great deal of effort, but these documents can oftentimes become outdated rather quickly (in turn, oftentimes rendering them useless for moving forward).
  • Customer collaboration over contract negotiation. In this area, it is important to keep in mind that it is typically not possible to fully collect all of the necessary requirements at the onset of the software development cycle. With that in mind, it is considered better to directly involve the customer and their end users in the process – or at the very least a proxy for them – so that the detailed requirements may be elaborated more progressively, as well as adapted, based upon the corresponding feedback that is received.
  • Responding to change over following a plan. With regard to change(s), agile software development methods are focused on quickly responding to necessary change, as well as to continuous development.

Given that, the 12 Principles that re presented within the Agile Manifesto include the following – with a higher priority placed on items 1 through 6:

1) To satisfy the customer through early and continuous delivery of valuable software.

2) To welcome changing requirement, even late in development. Agile processes harness change for the customer’s competitive advantage.

3) To deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.

4) To have business people and developers work together daily throughout the project.

5) To build projects around motivated individuals. Here, participants should ideally be provided with the environment and support they need, and stakeholders should also trust them to get the job done.

6) To move forward with the most efficient and effective method of conveying information to and within a development team, which is face-to-face conversation.

While the initial six components comprise a higher value, the additional six are also highly important, including the concepts that:

7) Working software is the primary measure of progress.

8) Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.

9) Continuous attention to technical excellence and good design enhances agility.

10) Simplicity – the art of maximizing the amount of work not done – is essential.

11) The best architectures, requirements, and designs emerge from self-organizing teams.

12) At regular intervals, the team should reflect on how to become more effective, then tune and adjust its behavior accordingly.

Trends in Today’s Agile Development

Throughout the years, agile development has undergone some significant updates, while at the same time working towards a similar goal – which stresses doing and showing, rather than keying in on only documenting.

Although the Agile Manifesto has been described by many as a “historical” document – something that communicates enduring ideas, and is a product of its time – the reality is that the core ideas that are stressed in this document do not change. This is the case across the board, including in the arena of cyber security.

Today, most agile development methods stress breaking product development down into smaller increments. These are meant to minimize the amount of up-front planning and design that are required. These “iterations,” (or sprints, as they are often referred), are short time frames that will generally run from one to four weeks in total.

Each of these iterations involves a cross-functional team that will work in all functions, with a primary goal of coming up with a working software. Each member of the team will generally possess a different functional expertise, yet all will work together towards the team’s common goal.

These functions will typically include the following:

  • Planning – The planning stage of the process generally relates to the use of schedules, such as Gantt charts, in order to both plan and report the project’s ongoing progress.
  • Analysis – In the area of software engineering, analysis will typically encompass the tasks that go into determining the needs and / or conditions that are necessary for meeting a new or altered product. Such tasks may include analyzing, documenting, validating, and / or managing software and / or system requirements.
  • Design – In the software development arena, design is defined as the “process by which an agent creates a specification of a software artifact, intended to accomplish goals, using a set of primitive components and subject to constraints.”
  • Coding / Programming – Here, based on the original formulation of a computing problem, a number of activities may be undertaken in order to execute a computer program. Such activities may encompass analysis, development of understanding, generation of algorithms, verification of requirements of algorithms – including their correctness and resources consumption, and implementation of such algorithms in a target programming language.
  • Unit Testing – Unit testing refers to a method in which individual units of source code are tested in order to determine whether or not they are fit for use.
  • Acceptance Testing – In the final function, acceptance testing, a test is conducted in order to decipher whether the requirements of a contract or specification have been met.

At the end of an iteration, a working product can then be demonstrated to the involved stakeholders. This, versus documentation alone, can provide the stakeholder(s) with a much clearer picture of the capabilities of the software. In addition, such demonstrations can also help with minimizing overall risk, and in turn, can allow the product to more quickly adapt to any changes that may be necessary.

In order to maintain a focus on quality, specific tools and / or techniques may be utilized, such as continuous integration, pair programming, automated unit testing, design patterns, test-driven development, code refactoring, domain-driven design, and / or other related techniques.

Moving Forward with Agile Development in Cyber Security Services

Having a sound knowledge management process is one of the primary components of any effective cyber security solution. While application security has been traditionally viewed as the practice of protecting the application code, today this is considered to be a very limited view. Agile development can provide a solution though.

It is important to keep in mind, however, that the Agile “movement” is not anti-methodology, but rather a movement with a key goal of restoring balance between planning, documenting, and actually doing.

In terms of agile development and cyber security, this technology can provide a number of key benefits, including more simplified policy implementation, as well as reduced complexity and overall security enhancement.

Therefore, in the face of new and ongoing pressures such as those that are necessary to attain and maintain security, engineering teams are moving towards a transformation to agile development in order to better deliver the cyber security solutions that their customers require.