"Delivering Security In an Agile World: 7 things to remember to ensure the software you're developing is secure" When delivering software features in an agile way, it’s critical to ensure the software you’re delivering is secure. To understand how this works, think of the Agile SDLC as a shipping company—instead of delivering software, you’re delivering packages. In this detailed metaphor, you’ll gain new perspectives on: Prioritizing features effectively Overcoming roadblocks to stay on schedule Implementing security activities along the way Examining the anatomy of Agile delivery Visit https://www.cigital.com/resources/ebooks-and-whitepapers/security-agile-methodology-process/ to download the associated eBook.

1. Delivering Security
In an Agile World
7 things to remember to ensure
the software you’re developing is secure.

2. Imagine you’re running a shipping business…
To explain how to best fit security into your Agile
development process without slowing down the works, let’s
compare it to a shipping service.
So, instead of delivering software, imagine you’re now
delivering packages—really important packages.

3. Get your priorities straight.

4. Each package represents a feature that
someone wants in your software. Some are
very important and must be delivered ASAP.
Others can wait for a future delivery.

5. Keep on keepin’ on.

6. A driver that delivers packages to the right
addresses, on time, without losing them or
breaking them is like a software development
team that delivers a well-defined set of features
by the pre-determined release date. To keep to
the schedule, change things as you go rather
than back tracking.

7. Don’t cram the van, man.

8. When selecting what items to deliver each day,
it’s important to remember that the van can only
carry so much stuff at a time. Likewise, Agile
development teams have a notion of “how big
the van is.”

9. A sprint is no more stretchable than
the sides of a delivery van.

10. If all your eggs don’t fit in one
basket…

11. If someone orders a dozen eggs, but you can
only fit ten in the van, take ten now and two
later. Likewise, if a feature is too big for a sprint,
break it up into several sprints.

12. You can’t deliver half an egg (without
getting really messy). Likewise, there
are limits to how some features can
be broken down.

13. Handle with care.

14. Taking the time to fill the empty space in each
box with packing peanuts is worth the extra
effort. It’ll save you the cost and time it takes to
replace a broken item. Likewise, building
security into your SDLC will reduce the time and
money it takes to implement corrections in
future sprints.

15. The accumulation of replacement
items that need to be delivered is
called “technical debt.”

16. When life give you golf balls…

17. Giving your development team a code scanning
report with 25,000 results is like giving them
a crate of 25,000 golf balls and asking them
to ship each one individually.
It’s absurdly inefficient.

18. Security issues should be packaged
in a way that makes it easier for
developers to deliver.

19. Put the pedal to the metal.

20. Here are 3 tips to help you
deliver security successfully in an
Agile world.

21. Security needs to meet the developers
where they work.
1

22. Provide security assessment results in a format
that is consumable by the development team.

23. Agile software development methods work.
2

24. If you put security on your development team’s
list of goals, then they will build things that get
them to security.

25. The goal is to create secure software.
3

26. There is no need to make security artifacts for
the sake of making security artifacts.

27. Ready to get moving?
FIND OUT HOW