Today, SAFECode released “Practical Security Stories and Security Tasks for Agile Development Environments.” This new paper presents security flaws and secure development practices in an actionable format for Agile software development.
Today’s guest blogger, Vishal Asthana, Senior Principal Software Engineer, Product Security Group, Symantec, was a lead author of the paper. Vishal discusses practical security stories and associated security tasks for Agile development environments.
In the Agile development world, cycles/sprints are very short, usually no more than two to four weeks, and for this reason software development teams find it difficult (if not impossible) to comply with a long list of security assurance tasks. More often than not, they either skip these tasks altogether or choose a subset based on their “this-should-be-good-enough-for-this-sprint” perception.
All the authors (including myself) observed this to be an ongoing problem faced by Agile development teams in our respective organizations without a “usable” solution in place. A formal SAFECode project on the topic presented a common platform to discuss and merge our ideas. The one-year collaboration has resulted in this “practice” paper, which solves the problem. It does so by presenting “practical” lists of security-focused stories and security tasks which Agile teams, teams following non-Agile methods but interoperating with Agile environments, or teams planning to move to Agile can readily consume “as is” during their planning phase alongside their user stories and tasks.
The “threat landscape” for the security-focused stories was developed based on the most common issues SAFECode members are seeing in their own environments. In addition, the CWE/SANS Top 25 Most Dangerous Development Errors list (plus the 16 weaknesses on the cusp list) and the OWASP Top 10 list were consulted for this section to ensure completeness of coverage. A list of unique “security-focused stories” was derived from this threat landscape, followed by associated common security tasks for the stories.
The paper consists of three sections briefly described below:
1) Section 1 provides an overview of a sample Agile methodology and a set of security tasks that may be beneficial.
2) Section 2 consists of two sub-sections:
a) Section 2a consists of 36 security-focused stories with associated security tasks.
b) Section 2b consists of a set of 17 operational security tasks that Agile practitioners should consider conducting on an ongoing basis. These have been further classified as Required or Recommended for new or existing code, or for the software development team in general.
3) Section 3 consists of 12 advanced security tasks that typically require guidance from software security experts (in-house or consultants) for the first few iterations or on an ongoing basis. These tasks relate more to the competencies of the team members and their way of working.
Pilot runs are already in progress in our respective Agile teams and the results have been quite encouraging thus far. A follow-up paper will probably be worked on after we have sufficient data from our respective organizations to collate and present.
Further, we intend to periodically review and update the security-focused stories and security tasks in this paper based on the experiences of our members and the feedback from the industry and other experts.