37% of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO) in the past 12 months. There is a general consensus that security is paramount, however, what is less agreed upon is how to ensure that security is a priority to technical teams. Often in larger organisations, cyber security is seen to be handled by a separate team that will pen test the applications, and be purely responsible for ensuring that the end product is secure when released.
This leads to a separation of responsibility between developers and the cyber security team, and is counterproductive to increased research pointing towards collaboration being key to embed good security practises in organisations. In this blog post, we will explore different ways to embed security into agile development and by doing so increase collaboration between different teams.
Little and often security testing
Often the first point of call when an organisation wants to focus on cyber security is to create a threat model for their product or service. This can be daunting as depending on the product or service there can be lots of complicated and realistic threats which once listed can be seen as almost impossible to protect against. Thus the process can be counterproductive if teams are looking for an exhaustive and complete threat model from the beginning.
Instead of trying to devise a complete picture often development teams have found it useful to create an attack surface analysis in a thought shower session, first focusing on external vulnerabilities such as login pages or API endpoints then in later sessions expanding it to cover other areas. This creates an iterative approach that can pair well with agile delivery, especially if this is done from the beginning. Agile delivery is often described as iterative and incremental. To properly dive into delivering iteratively and incrementally I would recommend reading 3 strategies for transforming legacy applications.
Identifying all the security vulnerabilities nearing the end of the project can be very expensive and lead to big delays in launch dates if they are severe enough. Mitigate this by looking to test little and often, focusing on certain parts of the code base when testing rather than trying to test everything at once.
Collaborate and listen
Siloed teams are a problem not just for security reasons but for many other aspects of software development. Because software teams can often be focused on sophisticated technical attacks that could occur, they miss how a hacker could manipulate the user flow to elevate their privileges allowing them to gain access to secret data. Stakeholders are often the best source of knowledge of how users will interact with their systems and thus can identify the potential ways a hacker could exploit the system.
To bring stakeholders into the discussion, it helps to align security concerns with business objectives. Why would protecting user data be key in ensuring that customers sign up to a site? What added value does this firewall offer to mitigate risk of downtime of the service? Phrasing the question in a specific way is key to ensure everyone can understand why certain tasks need to be completed, and keep security at the forefront of concerns for a software project.
Be proactive, not passive in security testing
The top 10 proactive controls from OWASP offer security techniques that any organisation can implement to embed security into their software development process. One of the key controls is introducing security requirements along with performance and business requirements.
When defining requirements it is about augmenting these with user stories and misuse cases to allow a clearer indication of what the requirements are attempting to do to protect the systems. If we focus on a misuse case we can create a story that focuses on an attacker’s actions:
‘As an attacker, I want to use a dictionary attack to guess passwords of users’
Then from this, a task can be added to block a user from their account after 3 failed attempts of guessing their password, meaning a dictionary attack would be less effective. For a thorough guide on how to write practical security stories, please read Safe Code’s Practical Security Stories.
Another proactive way to embed security into the team’s daily processes is to have static and dynamic code analysis integrated into your CI/CD pipeline looking specifically for security vulnerabilities. However, many security experts do warn that finding security vulnerabilities is difficult and this step should form part of your security strategy rather than being the answer to it. You can also include security functional testing where teams have modified Selenium to perform unauthorised user flow.
When getting ready to go into production it is vital to produce a response plan if there is a security breach. Often breaches catch organisations off guard, especially if it is a zero-day vulnerability. A response plan if a hack occurs can limit the damage radius of the hack. It should include steps such as how to notify affected users and an internal escalation plan to ensure the team can act quickly and effectively.
Breaking down barriers
Most central to a successful strategy in embedding security into agile delivery is communication. Breaking down barriers between different teams is going to allow a more holistic and thorough security strategy to be implemented.
In this blog post, we have skimmed the surface of a manner of security techniques that can be incorporated into your agile delivery. Each software delivery team will have their own set of specific security criteria that they need to fulfil so it is not a one size fits all. However, having discussions and producing actionable items from these discussions can end the barriers between software developers and cyber security teams to bring about a more collaborative way of working, increasing security across the software development cycle.
If you are looking for more ways to transform your team into one equipped to handle any software delivery challenge, you might be interested in reading our ebook, Building High Performance Agile Teams. From recruitment to pair programming, through to letting your teams shape the way they work, this book will give you the tools you need to overcome challenges and adopt agile ways of working.