Feeds

Too much code, too few application security specialists

Time to loosen up

Beginner's guide to SSL certificates

How does this work? The basic idea is that in the planning sprint, the project team works with the security team and the customer to identify key assets and threat agents - like a very high-level threat model. Then the team captures the key risks in "security stakeholder stories" that detail the security interest at stake and the recommended security control. These stories are implemented and tested just like any other stories in agile projects. The outcome is a narrow assurance argument, limited only to the particular story being implemented.

Using test-driven development is excellent for security. By defining a suite of security test cases before development starts, the team is much more likely to include the right controls and use them properly. These tests may not be quite as extensive as a full penetration test by application security experts, but it's certainly a good start.

Over time, organizations will develop a library of threat models, security stakeholder stories, test cases, security controls, and other artifacts that make the process more efficient.

Waterfall dries up

We create several billion lines of new code every year. Its therefore critical that we do more to involve development teams in securing this code. There are simply are not enough application security specialists to handle the new code, never mind the trillions of lines of code already in existence.

Agile can be used to create a well-developed assurance argument complete with test cases proving that the protection is in place. At a minimum, the tight coupling with stakeholder security stories in the agile security approach will get developers more involved with security. Of course, security specialists will still be required to provide guidance and to verify applications for more complex risks.

The application security community has a lot to learn from the agile movement. In a short few years, they have achieved impressive penetration into the software development world. By contrast, only a very few organizations have adopted a "secure" software development methodology. We are in desperate need of new methods for creating security assurance, and agile may hold the key.

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.