Nikolay Sturm's Blog

Musings about Development and Operations

Thoughts About Security and Agile Development


When attending a security training for developers last week, I was astonished to find a security professional without a programming background as our trainer. He mostly talked in waterfallish terms, just as I had done a decade ago when I was more interested in IT security than the physics I studied at university. So I began wondering about the role of security in agile development.

Security on the product level

As agile developers, we optimize our code for flexibility, so we can change it easily at any point in time. In this world, security at the product level is nothing more than a feature to add whenever it makes sense. It becomes a matter of continuous risk management, which is what feature prioritisation is anyway.

We might start a new product without any security whatsoever, because who needs security when we have no clue how to solve our business logic problems in the first place? However, with each feature our risk profile changes and we have to reassess our situation. We had better implement that login functionality before we go into public beta, but maybe it’s still OK to run without any encryption. Once we launch the product, we had better protect our servers with TLS and encrypt sensitive data in the database.

Security on the code level

The story changes, however, when it comes to our daily coding practice. I consider security another code quality like good design or freedom from defects. Just as we use practices like TDD or Continuous Integration, we should use secure coding practices like input validation and output encoding. These practices need to be embedded in our daily practice. We have to make ourselves aware of the trust boundaries where we need to apply them.
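To make the two practices and their trust boundaries concrete, here is an added example (not code from this post or its author) for a hypothetical comment form: input is validated where untrusted data enters, and encoded for HTML where it leaves. All names (`accept_comment`, `render_comment`, the field names and limits) are assumptions chosen for illustration.

```python
import html
import re
from dataclasses import dataclass

# Allowlist for the inbound boundary: what a display name may contain.
# The pattern and the limits below are illustrative assumptions.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,40}")
MAX_BODY = 2000


class ValidationError(ValueError):
    """Raised when untrusted input fails validation at the inbound boundary."""


@dataclass(frozen=True)
class Comment:
    author: str
    body: str


def accept_comment(form: dict) -> Comment:
    """Inbound boundary: untrusted form data becomes a validated Comment."""
    author = form.get("author")
    body = form.get("body")
    if not isinstance(author, str) or not NAME_RE.fullmatch(author.strip()):
        raise ValidationError("author: 1-40 letters, digits, space, _ . -")
    if not isinstance(body, str) or not body.strip():
        raise ValidationError("body: required")
    if len(body) > MAX_BODY:
        raise ValidationError(f"body: at most {MAX_BODY} characters")
    if any(ord(c) < 32 and c not in "\r\n\t" for c in body):
        raise ValidationError("body: control characters not allowed")
    # Free text is stored as written; encoding happens at output, not here.
    return Comment(author.strip(), body.strip())


def render_comment(comment: Comment) -> str:
    """Outbound boundary: encode for the HTML context at the moment of output."""
    return (
        '<article class="comment">'
        f"<h4>{html.escape(comment.author)}</h4>"
        f"<p>{html.escape(comment.body)}</p>"
        "</article>"
    )
```

Validation rejects what the field should never contain, while encoding is what keeps legitimate free text such as `<script>` in a code discussion from being interpreted as markup; both functions are small enough to drive with TDD like any other feature.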

What secure coding practices do you use? Let us know in the comments!