Constant pressure from executives to deliver results faster at lower cost has made Agile very popular in recent years. Even the Australian Prime Minister recommends using Agile methodology in government projects. But is Agile really so good? Or is there perhaps a hidden catch?
The answer, of course, depends on who is being asked. If you ask any randomly chosen person from the security industry, you will very likely hear: “Agile and security don’t work together”. Here is why:
- Lack of design
- Lack of security architecture
- Constant and frequent changes
- Security is considered and implemented as a last thing
- No security owners within agile squads
Since every Agile project is different, you could face one of these issues or all of them at once. Taken together, the points above may (and very often simply do) lead to a security cataclysm. The definition of a security cataclysm is very wide: from a security breach, through revoking a certification for the whole company (e.g. PCI-DSS), up to the compromise of a government agency. The belief that Agile and security cannot work together is so strong that it’s hard to find security experts who are willing to take on the challenge and make it happen. Fortunately, there are a few things we can do that may change that perception.
The first measure is to assign a security consultant to all agile squads. Let him or her attend all the stand-ups, planning and grooming sessions, and retrospective meetings, and be responsible for security. This should allow him or her to address any security or compliance issues before they are implemented; in other words, this is a preventive activity. The maximum ratio that still works is one consultant per four agile squads.
Read the full article here: