Feeds

Too much code, too few application security specialists

Time to loosen up

Intelligent flash storage arrays

How does this work? The basic idea is that in the planning sprint, the project team works with the security team and the customer to identify key assets and threat agents - like a very high-level threat model. Then the team captures the key risks in "security stakeholder stories" that detail the security interest at stake and the recommended security control. These stories are implemented and tested just like any other stories in agile projects. The outcome is a narrow assurance argument, limited only to the particular story being implemented.

Using test-driven development is excellent for security. By defining a suite of security test cases before development starts, the team is much more likely to include the right controls and use them properly. These tests may not be quite as extensive as a full penetration test by application security experts, but it's certainly a good start.

Over time, organizations will develop a library of threat models, security stakeholder stories, test cases, security controls, and other artifacts that make the process more efficient.

Waterfall dries up

We create several billion lines of new code every year. Its therefore critical that we do more to involve development teams in securing this code. There are simply are not enough application security specialists to handle the new code, never mind the trillions of lines of code already in existence.

Agile can be used to create a well-developed assurance argument complete with test cases proving that the protection is in place. At a minimum, the tight coupling with stakeholder security stories in the agile security approach will get developers more involved with security. Of course, security specialists will still be required to provide guidance and to verify applications for more complex risks.

The application security community has a lot to learn from the agile movement. In a short few years, they have achieved impressive penetration into the software development world. By contrast, only a very few organizations have adopted a "secure" software development methodology. We are in desperate need of new methods for creating security assurance, and agile may hold the key.

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Secure remote control for conventional and virtual desktops

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.