"Delivering Security In an Agile World: 7 things to remember to ensure the software you're developing is secure"
When delivering software features in an agile way, it’s critical to ensure the software you’re delivering is secure. To understand how this works, think of the Agile SDLC as a shipping company—instead of delivering software, you’re delivering packages. In this detailed metaphor, you’ll gain new perspectives on:
Prioritizing features effectively
Overcoming roadblocks to stay on schedule
Implementing security activities along the way
Examining the anatomy of Agile delivery
Visit https://www.cigital.com/resources/ebooks-and-whitepapers/security-agile-methodology-process/ to download the associated eBook.
1. Delivering Security In an Agile World: 7 things to remember to ensure the software you’re developing is secure.
2. Imagine you’re running a shipping business… To explain how to best fit security into your Agile development process without slowing down the works, let’s compare it to a shipping service. So, instead of delivering software, imagine you’re now delivering packages—really important packages.
4. Each package represents a feature that someone wants in your software. Some are very important and must be delivered ASAP. Others can wait for a future delivery.
6. A driver that delivers packages to the right addresses, on time, without losing them or breaking them is like a software development team that delivers a well-defined set of features by the predetermined release date. To keep to the schedule, change things as you go rather than backtracking.
8. When selecting what items to deliver each day, it’s important to remember that the van can only carry so much stuff at a time. Likewise, Agile development teams have a notion of “how big the van is.”
9. A sprint is no more stretchable than the sides of a delivery van.
11. If someone orders a dozen eggs, but you can only fit ten in the van, take ten now and two later. Likewise, if a feature is too big for a sprint, break it up into several sprints.
12. You can’t deliver half an egg (without getting really messy). Likewise, there are limits to how some features can be broken down.
14. Taking the time to fill the empty space in each box with packing peanuts is worth the extra effort. It’ll save you the cost and time it takes to replace a broken item. Likewise, building security into your SDLC will reduce the time and money it takes to implement corrections in future sprints.
15. The accumulation of replacement items that need to be delivered is called “technical debt.”
17. Giving your development team a code scanning report with 25,000 results is like giving them a crate of 25,000 golf balls and asking them to ship each one individually. It’s absurdly inefficient.
18. Security issues should be packaged in a way that makes it easier for developers to deliver.