Wakefield, Ma. – July 17, 2012 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Practical Security Stories and Security Tasks for Agile Development Environments.” This new paper provides practical software security guidance to Agile practitioners in the form of security-focused stories and security tasks they can easily integrate into their Agile-based development environments. The paper is the outcome of a collaboration of SAFECode members working to simplify the process for addressing security assurance tasks as part of an Agile development methodology.
“A number of SAFECode members recognized the natural tension between the dynamic nature of Agile development methodologies and more formalized processes for secure software development. After working on various ways we could better insert the most important elements of the security process into a standard Agile development process, we came up with this relatively simple approach of presenting security-focused stories with associated security tasks, alongside operational security tasks and those that most often require the support of a security expert,” said Vishal Asthana, a lead author of the paper and Senior Principal Software Engineer, Product Security Group, Symantec Corp. “A small group of us have been piloting the approach within our own teams and have seen enough early value that we felt it would be beneficial to share the approach with the broader community.”
In an Agile development process, necessary changes are incorporated in a dynamic fashion. Cycles/sprints are very short, usually no more than two to four weeks, making it extremely difficult for software development teams to comply with long lists of security assurance tasks. This paper addresses this challenge by translating secure development practices into a language and format that Agile practitioners can more readily act upon as part of a standard Agile methodology. To further simplify things, the recommended security tasks are broken down by role, including architects, developers and testers, and the paper separately lists the tasks that most often require specialized skills from security experts.