by Ivan De Los Santos

Organizations of all sizes are adopting agile software techniques in order to better cope with changing requirements and the need to deliver value fast. In agile, software increments are pushed to production every two to three weeks. How is cybersecurity adapting to such a pace? Are organizations forgoing vulnerability assessments, code reviews, penetration testing, etc. in the pursuit of faster code delivery? But first, what is Agile Software Development?

According to the Agile Alliance, “Agile is the ability to create and respond to change in order to succeed in an uncertain and turbulent environment” (Agile Alliance, 2018). The cornerstone of this concept lies in the Agile Manifesto and its 12 principles.

Agile Manifesto

“We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

“While there is value in the items on the right, we value the items on the left more.”


12 Principles of Agile Software Development

1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.
3. Deliver software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development team is a face-to-face conversation.
7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
9. Continuing attention to technical excellence and good design enhances agility.
10. Simplicity – the art of maximizing the amount of work not done – is essential.
11. The best architecture, requirements, and design emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.


This framework for developing software has been adopted by thousands of organizations around the world. Terms such as Scrum, extreme programming, pair programming, Lean, Kanban, and many others have become household names in many organizations. These approaches to software development have changed the way organizations are structured, which has given more autonomy to developers. Of all the agile methodologies currently available, Scrum is the most popular and widely adopted.

“Scrum is a framework which people can use to address complex and adaptive problems while productively and creatively delivering products of the highest possible value” (Schwaber & Sutherland, 2017).

“Scrum is founded on the empirical process control theory or empiricism. Empiricism asserts that knowledge comes from experience and making decisions based on what is known. Scrum employs an iterative, incremental approach to optimize predictability and control risk” (Schwaber & Sutherland, 2017). This is clearly a tool that can be leveraged by cybersecurity professionals to help address complexity. Moreover, Scrum is being used by the software community to rapidly adapt to changes without compromising value.

Could this also mean that a high-value product is also a secure product?

A product or service’s value is derived from the benefits it provides to its users. However, once a product or service is found to be insecure or untrustworthy, its value can diminish rapidly. A product or service whose availability, confidentiality, and/or integrity is in doubt has a high probability of losing its perceived value. In Scrum, code is developed and can be introduced into production as frequently as every two weeks. At such a rapid pace, when and how do we conduct code reviews, static and dynamic scanning, vulnerability assessments, and pen testing? Moreover, requirements can change in the blink of an eye. As information security professionals, we are always adapting to the changing threat landscape.

A Scrum team consists of three roles:

  1. Product Owner
  2. Scrum Master
  3. Development Team

The Product Owner: Represents the business and is responsible for maximizing the value of the product. Prioritizes and negotiates the work to be done with the development team. The Product Owner is a single person who is accountable for the product.

The Scrum Master: Responsible for helping the team understand Scrum theory, practices, rules, and values. The scrum master is not the manager of the team. He or she is a servant leader whose main objective is to help the team grow and mature their skill set while following the Scrum framework. This is a new role in most organizations.

The Development Team: Consists of the individuals who will do the work. This group is empowered to organize and manage its own work. The team negotiates with the Product Owner as to what can be done in each iteration, or sprint.

In order to deliver value through the Scrum framework, a team needs to understand and conduct several scrum events:

  1. The Sprint: A period of one month or less, during which the team creates a potentially releasable increment of the product. This does not mean that after each sprint the product must be deployed into production, but that it could be, without any further development. Mature Scrum teams can release software into production after every sprint.
  2. Sprint Planning: A period of no longer than eight hours for a one-month sprint, and proportionally shorter for a shorter sprint. In this event, the team plans what it can deliver in the next sprint and how it will achieve the work. This is the event where the security professional could add the most value to the process. Here he or she can help the team by making sure security is incorporated into all the user stories.
  3. Daily Scrum: A 15-minute event for the development team. It is held daily, and only members of the team are allowed to speak. During this event, team members answer the following questions:
     - What did I do yesterday that helped our team meet our sprint goal?
     - What will I do today to help our team meet the sprint goal?
     - What impediments, if any, would prevent the team from meeting our sprint goal?

     The security professional could be an observer at this event in order to learn what work is being done and by whom.
  4. Sprint Review: An event held at the end of the sprint. The goal is to inspect the work that was done in the sprint. Stakeholders are shown the work that the team completed as part of the sprint.
  5. Sprint Retrospective: In this event, the Scrum team evaluates itself and creates a plan for improvement that will be carried into the next sprint. Security professionals should be part of this event, since it can help them identify better ways in which they can support the team.

Security practitioners must adapt or risk being left behind. We must help development teams do their work securely, and we accomplish this by becoming a trusted partner in this journey. The second part of this series will cover how development and operations can become one: DevOps.

References

Agile Alliance. (2018, March 12). Agile Alliance. Retrieved from Agile Alliance: https://www.agilealliance.org/agile101/

Schwaber, K., & Sutherland, J. (2017). Scrum.org. Retrieved from Scrum.org: https://www.scrumguides.org/scrum-guide.html

About the Author

Ivan De Los Santos is a Professional Scrum Master (PSM I) & Product Owner (PSPO I). He is also a cybersecurity professional with over eight years of experience. Ivan holds the CISSP, CCSP, CISA, CEH and CNDA, and several other IT related certifications. He earned a B.S. in Business and MIS and an M.S. in Cybersecurity. Ivan teaches undergraduate level courses in relational database modeling and database security. He has worked in the defense and financial services sector. Prior to working in the IT field, Ivan served in the U.S. Active Army and Air Force Reserves.