“A number of SAFECode members recognized the natural tension between the dynamic nature of Agile development methodologies and more formalized processes for secure software development. After working on various ways we could better insert the most important elements of the security process into a standard Agile development process, we came up with this relatively simple approach of presenting security-focused stories with associated security tasks, alongside operational security tasks and those that most often require the support of a security expert,” said Vishal Asthana, a lead author of the paper and Senior Principal Software Engineer, Product Security Group, Symantec Corp. “A small group of us have been piloting the approach within our own teams and have seen enough early value that we felt it would be beneficial to share the approach with the broader community.”
In an Agile development process, necessary changes are incorporated in a dynamic fashion. Cycles/sprints are very short, usually no more than two to four weeks, making it extremely difficult for software development teams to comply with long lists of security assurance tasks. This paper addresses this challenge by translating secure development practices into a language and format that Agile practitioners can more readily act upon as part of a standard Agile methodology. To further simplify things, the recommended security tasks are broken down by role, including architects, developers and testers, and the paper separately lists the tasks that most often require specialized skills from security experts.
As with SAFECode’s other work, both the security flaws and the secure development practices outlined within the paper are derived from an analysis of the real-world experiences of SAFECode members. Further, to provide additional information for those interested in learning more about either the security weaknesses or the recommended security practices, SAFECode has included Common Weakness Enumeration (CWE) references. The security-focused stories reflect the practices detailed in SAFECode’s paper, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today,” in a form that is consumable by Agile practitioners.
“SAFECode has dedicated significant resources to evaluating and improving the secure development process based on the experiences of its members in real-world implementations,” said Stacy Simpson, policy and communications director, SAFECode. “Though presented in a list format, this paper is an extension of our commitment to our process-based approach. Our goal is to present key elements of that process in a way that can be more readily acted upon by Agile practitioners. We hope that this paper will be useful to organizations that use, or plan to use, Agile methods and wish to incorporate security or enhance existing security tasks in their development process.”
“Practical Security Stories and Security Tasks for Agile Development Environments” is available for free download at www.safecode.org.
SAFECode encourages comments and contributions on this paper as well as its other publications. To contribute, please contact [email protected]
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp.
Membership in SAFECode is open to commercial technology providers with significant global business activity in hardware, software and/or services and that have demonstrated a commitment and dedicated resources to software assurance.
For more information, please visit www.safecode.org.