Agile development is known for a steady cadence of short sprints. Each sprint is focused on delivering something of value (working code) in a short amount of time, so that new features and functionality reach the product on a regular basis. In contrast to traditional development, where releases are planned and executed over many months or even years, Agile keeps the focus on speed, user feedback, and iterative refinement.
Security is often perceived as slamming on the brakes, or saying “no.” The delays it causes are typically there to keep a vulnerability or risk out of the product, where it would otherwise become an attack vector downstream. Unfortunately, Agile development has been used as an excuse to bypass these types of controls. That is obviously not a good strategy, but it raises a critical question: how can developers strike a balance between quick, Agile-focused development and a secure product?
The good news is, it can be done, and in fact Agile development and data security can work very well together and complement each other. Here are a few considerations if you have this goal in mind:
- Security should be included as early as possible, as far upstream as the first user story
- Sprint planning needs to include security stories as well as those focused on feature usage
- Security should be included “continuously” in development, testing, and deployment
- The pipeline should have security built into it
In most organizations, the software development and data security teams are siloed and organizationally separate. Instead, security should be fully represented throughout the development and sprint processes. The threat landscape changes constantly, so security user stories will need to be revised over time; that makes ongoing, collaborative interaction between the two groups a paramount requirement.
As the importance of agility and fast go-to-market strategies increases, complying with a variety of industry standards, data security regulations, and privacy laws becomes steadily more difficult. With this in mind, it becomes critical to keep track of sensitive data (where it resides and where it traverses) and of which data security controls should apply, when, and where. Tracking all of this while keeping developers aware and properly trained is a difficult challenge in today’s Agile development world, but organizations must meet it with the right processes and tools.
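One concrete way to build security into the pipeline (the fourth consideration above) and to keep track of where sensitive data shows up (this paragraph) is a gate that scans build artifacts and logs for payment card numbers before a sprint's output is allowed to ship. The following Python script is an added example written for this article; it is not code from the page or from comforte. The log lines it scans are constructed, the regular expression and the 13 to 19 digit length bounds are assumptions you should tune for your own data types, and the Luhn checksum is used only to drop 16-digit values that merely look like card numbers.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
# Hypothetical pattern for this example; tune for the data types you track.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    line_no: int
    masked: str  # first six and last four digits only, never the full PAN


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for values that are structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Truncate to first six / last four so the finding itself is not sensitive."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid card-number candidate in the input."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(n, mask(digits)))
    return findings


def gate(lines: List[str]) -> int:
    """Pipeline gate: exit code 0 when clean, 1 when sensitive data was found."""
    findings = scan_lines(lines)
    for f in findings:
        print(f"line {f.line_no}: possible card number {f.masked}")
    return 1 if findings else 0


# Constructed sample log lines (not real data). Line 1 carries a 16-digit
# order ID that fails Luhn; line 2 carries a well-known test card number;
# line 3 carries a Luhn-invalid fixture that must not be reported.
SAMPLE = [
    "2024-05-01 INFO order 9876543210123456 created",
    "2024-05-01 DEBUG charge card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 INFO fixture id=4111111111111112 loaded",
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE))
```

Run it as the last step of a build or deploy job so that a non-zero exit code fails the job. Because the script reports only a truncated form of what it finds, the pipeline's own output does not become a second place where sensitive data resides.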
Most organizations that have learned to integrate Agile development with the complete spectrum of data security, and to address all their sensitive data needs, have done so either by creating an internal tool or, better yet, by leveraging a market-leading third-party tool to simplify the process. If you are working through these challenges at your organization, comforte can help clarify them within your specific environment and help you find the balance between rapid Agile development and an appropriately secure approach that will help your organization succeed.