The benefits of agile development have become increasingly clear in recent years, enabling developers and organizations to build and bring products to market more efficiently.
But in the rush to speed up app development, developers often overlook critical issues such as security, according to recent research.
A study by the Information Security Forum (ISF) suggests that agile development methods “do not always explicitly consider the need for information security, even though security should be at the forefront.”
Failure to acknowledge security concerns, ISF warned, could present an opportunity for exploitation by threat actors, allowing hackers to target rushed applications with weak security.
Gunnar Braun, technical manager at Synopsys Software Integrity Group, told IT Pro that the very nature of agile development practices means security can often be overlooked – but that doesn’t mean product security has to be ignored completely.
“A fundamental concept of agile development is to work in small iterations – on one (or a few) features at a time by completing a cycle of writing code, testing and deploying it so that it can be used by an internal or external user for feedback,” he said.
The success of security within this process depends on “whether it’s considered a feature or a property of a feature,” Braun added. If security is treated as a feature in its own right, he explained, then it competes with every other feature for priority and is therefore “probably going to lose the race.”
“Let’s take the example of input validation,” he explained. “What is the product owner more likely to prioritize? Input validation or a great user interface improvement requested by a key user?”
Braun noted, however, that in cases where security is part of a feature requirement, it “becomes a property of that feature.”
“Its implementation will not be considered complete until it implements appropriate input validation. Consequently, security becomes integrated with the agile development process,” he explained.
Building security into agile development can be a big challenge
A key challenge to implementing security in an agile development process is that it requires “special knowledge that is often not available” or readily available to the development team, Braun said.
As a result, vital security issues are likely to be excluded from sprints throughout the process. This reinforces the need for a more collaborative relationship between developers and security professionals throughout the development lifecycle.
The 2023 Global State of DevSecOps report highlighted “inadequate/ineffective security training” for developers and engineers as one of the leading barriers to successful DevSecOps implementation.
Braun said a strategy that has proven effective in addressing this is the creation of a “security champion” program.
“Security champions can evolve from existing roles, for example agile coaches or DevOps engineers, and can support multiple agile development teams with security domain knowledge,” he explained.
Braun added that the benefits of this practice were confirmed by findings from the Building Security In Maturity Model (BSIMM) report, which found that teams with security champions scored on average 25% higher than those without.
Security can be “naturally integrated” within agile development
Braun said he believes agile development presents an opportunity for security to become more intricately woven throughout the software development lifecycle.
However, there are challenges here. Basically, developers need to view security as a “feature property”. Similarly, leaders should embrace the expertise that security practitioners can offer projects.
In creating a more collaborative relationship between developers and security professionals, teams will ultimately become more self-sufficient, and this could help improve efficiency to ensure products get to market faster.
“Agile development is an opportunity to integrate security naturally into the software development process,” he said.
“To achieve this, it’s important to treat security as a feature property, automate security tests in the same way as other tests, and provide security expertise to the development team so that teams are self-sufficient and own every aspect of the development process.”
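As an added illustration of the “feature property” idea described above (this is example code, not anything from Synopsys or the report): a constructed “set display name” feature whose definition of done includes its own input validation, with the security checks sitting in the same automated suite as the functional check rather than in a separate security ticket. The feature, rules and sample inputs are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed feature for illustration: "let a user set a display name".
# Security is a property of the feature: the feature is not "done" until
# the validation below exists and is covered by the same automated checks.
MAX_LEN = 32
_ALLOWED = re.compile(r"^[A-Za-z0-9 ._-]+$")  # assumed allow-list for names


class ValidationError(ValueError):
    """Raised when a display name fails the feature's validation rules."""


@dataclass
class Profile:
    user_id: int
    display_name: str = ""


def validate_display_name(name: str) -> str:
    """Input validation written as part of the feature, not as a separate task."""
    if not isinstance(name, str):
        raise ValidationError("display name must be a string")
    name = name.strip()
    if not 1 <= len(name) <= MAX_LEN:
        raise ValidationError(f"display name must be 1-{MAX_LEN} characters")
    if not _ALLOWED.fullmatch(name):  # rejects markup, control bytes, separators
        raise ValidationError("display name contains disallowed characters")
    return name


def set_display_name(profile: Profile, name: str) -> Profile:
    """The functional feature; it cannot complete without the validation step."""
    profile.display_name = validate_display_name(name)
    return profile


def feature_checks() -> dict:
    """Functional and security checks run together, as one definition of done."""
    results = {}
    profile = Profile(user_id=1)
    results["functional_sets_name"] = set_display_name(profile, "  Alice  ").display_name == "Alice"
    # Constructed hostile inputs: empty, oversized, markup, control byte, SQL-looking text.
    bad_inputs = ["", "x" * (MAX_LEN + 1), "<script>alert(1)</script>", "Bob\x00", "a; DROP TABLE users"]
    rejected = []
    for bad in bad_inputs:
        try:
            validate_display_name(bad)
            rejected.append(False)
        except ValidationError:
            rejected.append(True)
    results["security_rejects_bad_input"] = all(rejected)
    return results
```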