How to Achieve More 'Agile' Application Security
Application security has become a critical component of all software development efforts. It includes all measures taken throughout the software development lifecycle to prevent programming flaws from being exploited. The flaws that creep in during the requirements, design, development, deployment, upgrades, or maintenance stages of applications become the basis of cyber attacks.
Lack of security built into applications coupled with poor programming techniques are routinely exploited by hackers and has helped contribute to massive monetary losses attributed to data breaches and theft of intellectual property. That is why security must be an integral part of the application development methodology and the Agile process is no exception.
The Agile process is said to have been born back in November 2001. This approach to software development has been gaining ground in recent years. The Agile process is focused on iterative discovery and development that aligns development with customer needs and company goals. That said, I have found that the basic characteristics of Agile tend to push security off till after the business functionality has been built. I have found that many times security is not included in the initial release of functionality, thus making Agile security bolted on rather than built in.
In the examination of application security issues, I tend to group them into two categories -- business logic flaws and technical vulnerabilities. It has been recognized that security must be built into applications rather than bolted on at the end. This presents a challenge when using the Agile methodology. It also has caused great debate about the suitability of Agile for applications that involve sensitive security information or applications that could provide a covert pathway (aka backdoor) into other systems.
I like many believe the Agile processes are unsuitable for security-sensitive software applications. This is primarily due to the lightweight, informal, build-as-you-go nature of Agile processes. Security must be built in, not bolted on; therefore, it must be integrated throughout the Agile process.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
agile development
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
