Agile software development is becoming more prevalent as organizations go through digital transformation. The culture shift that comes with Agile is meant to make organizations more efficient and effective in product development, so that they can meet the demands of customers and end users. Through Agile, teams work collaboratively to develop and deliver a product quickly.
While the transformation of software development has progressed, the management of information security and risk in such an environment has not been defined and adapted to support it.
Based on the SAFe Agile Principles published by Scaled Agile, this article suggests four culture shifts that an IT Security organization may consider in order to adapt to the current trend of Agile software development.
Integration of Agile and Security mindset
In line with the SAFe principles "Apply systems thinking" and "Assume variability; preserve options", the first transformation that an organization may consider is to involve IT Security as part of the Agile team. Most of the time, IT Security is involved only before development starts or after development is completed. Instead, IT Security should be part of the team, providing guidance and determining the security controls to be added in each development iteration.
As IT security cuts across technology and business functions, involving IT Security in synchronization events (such as PI planning and team syncs) will clarify the security requirements. This enables the different platform teams to align on the security requirements to be implemented at the various levels of the solution.
IT Security being part of the Agile team also means that they, too, need to assume variability. IT Security should be aware that product requirements and risk will change throughout the development iterations. The dynamic development environment requires IT Security to consider the ever-changing risk landscape and determine the IT controls to be added within a development iteration to mitigate the risk. IT control requirements can be represented as features and user stories for the product, added to the backlog and prioritized based on the product's risk exposure. The implementation of security controls therefore requires a risk-based decision on every iteration, guided and driven by corporate policy.
Security driven by economics and value
Another key principle of Agile is to organize deliverables around the value of the product while taking an economic view of its development, in order to achieve the shortest sustainable lead time with the best quality and value. From that perspective, IT Security controls should only be implemented if they add value to the product. The value of an IT security control can be defined as its effectiveness in mitigating a given threat that would impact the product if realized. A risk assessment is needed to determine the threats and risks the product is exposed to and the IT controls to be put in place to mitigate that exposure. Besides selecting the IT security controls for the product, a prioritization model such as Weighted Shortest Job First (WSJF) should be adapted and applied to the security controls to determine their economic value and the order in which they should be added to the product. In WSJF, each backlog item is scored by its cost of delay (user/business value, time criticality, and risk reduction or opportunity enablement, each estimated on a relative scale) divided by its job size; the items with the highest ratio are done first. Based on this prioritization, IT security controls can be added incrementally in each iteration, in step with the product's market exposure and added functionality. It is tempting to add all IT Security controls to the application in the first release; however, some of those controls may not yet provide an economic or risk-mitigation benefit to the product at that point.
When taking an economic view of security, IT Security should organize security controls and requirements around the value that customers and society demand. A paradigm shift from the traditional way of handling security and governance is required: IT Security should assess the risk-mitigation value that each security control provides to the product. To assess that value, one should determine whether the security control protects the company's or the customer's interests at the point of the iteration in which it is proposed. Threat and risk assessment can then be used to determine which controls should be added to an iteration in order to meet the security requirements that support the value and risk exposure of the product.
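To make the WSJF prioritization concrete, the following is an added example (not code from the original article or from Scaled Agile) that scores a constructed backlog of security-control user stories and plans one iteration from it. The story names, the relative scores and the iteration capacity are all assumptions made up for the illustration; the formula itself is the standard SAFe one, cost of delay divided by job size.

```python
from dataclasses import dataclass
from fractions import Fraction

# SAFe recommends estimating each WSJF component on a relative
# (modified Fibonacci) scale rather than in absolute units.
FIB_SCALE = (1, 2, 3, 5, 8, 13, 20)


@dataclass(frozen=True)
class SecurityStory:
    """A security control expressed as a backlog user story."""
    name: str
    business_value: int    # value to users/business if delivered
    time_criticality: int  # how fast the value decays if delayed
    risk_reduction: int    # threat mitigated / opportunity enabled
    job_size: int          # relative effort (story points)

    def __post_init__(self):
        for field in ("business_value", "time_criticality",
                      "risk_reduction", "job_size"):
            if getattr(self, field) not in FIB_SCALE:
                raise ValueError(f"{field} must be on {FIB_SCALE}")


def cost_of_delay(story: SecurityStory) -> int:
    """SAFe cost of delay: value + time criticality + risk reduction."""
    return story.business_value + story.time_criticality + story.risk_reduction


def wsjf(story: SecurityStory) -> Fraction:
    """WSJF = cost of delay / job size; Fraction keeps ordering exact."""
    return Fraction(cost_of_delay(story), story.job_size)


def prioritize(stories):
    """Rank stories by WSJF (highest first); break ties by smaller job."""
    return sorted(stories, key=lambda s: (-wsjf(s), s.job_size, s.name))


def plan_iteration(stories, capacity):
    """Fill one iteration in WSJF order; deferred stories stay ranked.

    Greedy: a story that does not fit is skipped, not split, so a large
    story can be overtaken by smaller ones with a lower WSJF.
    """
    committed, deferred, used = [], [], 0
    for story in prioritize(stories):
        if used + story.job_size <= capacity:
            committed.append(story)
            used += story.job_size
        else:
            deferred.append(story)
    return committed, deferred


# Constructed backlog of security controls for a hypothetical web product.
BACKLOG = [
    SecurityStory("Parameterize DB queries (SQL injection)", 8, 13, 20, 3),
    SecurityStory("Enforce MFA on admin console", 5, 8, 13, 5),
    SecurityStory("Put WAF in front of public API", 3, 5, 8, 8),
    SecurityStory("Move secrets into a vault", 3, 3, 8, 5),
    SecurityStory("Encrypt PII at rest", 8, 3, 13, 13),
    SecurityStory("Ship security logs to SIEM", 2, 2, 5, 3),
]

if __name__ == "__main__":
    for s in prioritize(BACKLOG):
        print(f"{float(wsjf(s)):6.2f}  size={s.job_size:>2}  {s.name}")
    now, later = plan_iteration(BACKLOG, capacity=10)
    print("this iteration:", [s.name for s in now])
    print("backlog:", [s.name for s in later])
```

Note that "Encrypt PII at rest" has the second-highest cost of delay but ranks last because of its size; WSJF rewards breaking such a control into smaller stories (for example, encrypt one data store per iteration), which is exactly the batch-size reduction discussed in the next section.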
Security Implementation with Agility
The principle of limiting Work-In-Progress (WIP), reducing batch sizes and managing queue lengths can also be applied to security implementation and controls. Security implementation can be broken down into small batches, each represented as a user story for the team to implement in an iteration. A clear user story with defined objectives ensures that the security implementation can be evaluated objectively at every milestone. With security requirements broken down into small batches, security implementation can be scaled accordingly and prioritized for each iteration based on risk assessment: primary security controls are prioritized first while secondary controls go into the backlog for future iterations. Security functionality can be built incrementally in a series of short timeboxes, adding value and features to the solution as time progresses. The results of each increment can then be demonstrated to stakeholders for constructive feedback.
To support this fast incremental approach, security testing and assurance must be adaptive, fast and not an impediment to the development process, and must keep up with ever-changing, incremental iterations. A DevSecOps culture of continuous, secure release needs to be embedded in the team to improve secure development and operations through better security engineering practices. Security tools such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) are integrated into and automated within the development pipeline. With integrated tools, vulnerabilities and security issues can be identified early in the development process, allowing the team to plan and work on remediation; in practice the findings need triage, since such tools produce false positives, and the pipeline should fail the build only on findings above an agreed severity so that the tooling does not become the impediment it was meant to remove. Penetration testing and a bug bounty program can be organized to detect security flaws that were not caught during fast-paced development. With the speed of development, there will be increasing reliance on security tools to monitor, detect and defend against threats to the application.
Empower Team to make Security Decision
The traditional organizational mentality is that cybersecurity is driven by the Security and Compliance team. With this mentality, the organization does not use the capability or the knowledge of its workers at large to drive cybersecurity. Everyone in the organization could be motivated and empowered to make security decisions. To unlock that intrinsic motivation, the organization should first embrace the core value that security requirements are as important as any feature added to the product. An organization must see that security provides assurance and confidence to the consumer, and thus wider acceptance of the product in the market. With that core value in place, teams should be encouraged to explore and make security decisions based on security principles and values. Teams should innovate to ensure that security features and controls are added to enhance the security of the product, and continue to strive to keep their product from falling victim to attacks.
For the team to decide on security controls and risk, it is important that they are empowered to make security decisions. Empowering the team requires the organization to train everyone on the team in secure coding and in evaluating code and applications from an attacker's perspective. The team should be able to perform security testing and should have the ability to remediate the issues found. With the team empowered to make security decisions, within the guardrails set by corporate policy, the turnaround time needed for application security testing is cut down.
What is the implication for IT Security?
The Agile mindset in product development has been gaining popularity in IT organization transformation. Agile has helped organizations bring the best of their teams together to collaborate in achieving rapid and continuous delivery of products while maintaining customer satisfaction. However, while the transformation of software development has progressed, the management of information security and risk in such an environment has not been defined and adapted to support it.
With a culture shift in IT Security to align with the Agile mindset, there is an opportunity for IT Security and Information Risk to better support an organization that has transformed into an Agile culture. With the right mindset and a willingness to change the way we manage IT security and risk, we will be able to align with the Agile mindset and provide the required support for IT security and risk in a fast and dynamic software development environment. Adapting security practice to the Agile framework enables IT security professionals to help the development team manage risk and balance security requirements against the threats and the demands of society. IT Security involvement in Agile projects enables the product to have the right balance of security controls to manage its risk.
About the author: Gerald Pang has 17 years of experience in Information Security Management across various industries, working closely with business leaders, with specialization in IT security, GRC and data privacy. He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Privacy Manager (CIPM) and Certified SAFe® Agilist (SA), with a Master of Information Technology from Queensland University of Technology.