Is application security an agile process?

No. Judging by the way it is marketed and sold today, application security is not, by any means, agile.

Can it be? Well, Microsoft says so.  When it comes to security, Microsoft changed a lot in the past decade. The development frameworks they offer have built-in security features nowadays. So, if they say security can be built into an agile development methodology, maybe they know something.

From the old days of development where the waterfall model was the sine qua non, application security developed alongside and followed the same waterfall approach.

Let’s see what are the major interactions between application security and the software development process in a waterfall model approach:

1. Requirements – AppSec defines non-functional requirements aka security requirements. High level risk and threat analysis are also performed during this phase
2. Design – secure architecture analysis and finer grain risk analysis
3. Construction – source code analysis
4. Testing – penetration testing
5. Debugging – follow up on the security defects mitigation process
6. Deployment – retesting if needed
7. Maintenance – regular retesting

The challenges with an agile methodology, if we are to consider the Agile Manifesto, are multiple. Let’s take it one by one:

1. Requirements – In an agile environment, changing the requirements is welcomed. While the high level security requirements are the same, specific requirements based on the functionality of the application are needed. New functionality may open new threats so a threat analysis should be performed. Also, each functional requirement should go through a risk analysis process
2. Design – if the new requirements require a change in the design of the application, a new architecture analysis should be performed to cover the change
3. Construction – things are no different here compared to the waterfall model, however, because sprints are usually very short ( a few weeks or even less) automation is a must.
4. Testing – this is usually one of the major concerns, not only doing a penetration test on the changes, but also assessing the overall security implications
5. Debugging – same as above, however at a much faster pace
6. Deployment – similar
7. Maintenance – in an agile environment, periodic retesting becomes crucial

So, what is there to be done to implement application security in an agile environment?

Here are some things to consider:

• Security training; training the Agile team in respect to information and application security means they are going to take more security conscious decisions
• Have a full time security expert in the agile team
• Implement automation in the source code analysis; use a fully integrated solution with the development environment meaning that whenever a piece of code is saved in the repository, this gets scanned and potential security defects are sent to the bug tracking system for triage
• Implement as much automation as possible in the testing phase; liaise with the QA team and implement security checks during that phase
• Perform the individual regular activities at certain gates in the process (as opposed to each sprint)

It all boils down to the exact configuration of the development environment and the chosen methodology and processes, but application security can and should be mapped on them with very good results.