Securosis

Research

Secure Agile Development: New Series

Back in 2009 Rich and I wrote a series on Building a Web Application Security program. That monstrous research paper discussed the new security challenges of building web applications, outlining how to incorporate security testing for specific types of web development programs. That research remains relevant today but issues of how to incorporate security into software development organizations – and most acutely into Agile development – remains a constant problem for clients. Knowing what tool to use and where does not address the fundamental issues of culture, goals, and process that make secure code development such a challenge. We have discussed many of the pitfalls of integrating security into Agile processes in the past, but never gone so far as to help security practitioners and CISOs learn to work with development teams. And that is about to change. Today we start a new research series on Secure Agile Development. Embedding security into development processes is hard. Not because developers don’t care about security – the majority of developers we speak with are both interested in security and would like to address security issues. But developers are focused on delivery of code, and spend a good deal of time trying to get better at that core goal. Development processes have undergone several radical evolutionary steps over the last 15 years, with tremendous efforts to deliver code faster and more efficiently. Agile frameworks are the new foundation for code development, with an internal focus on ruthlessly rooting out tools and techniques that don’t fit in Agile development. That means secure development practices, just like every other facet of development, must fit within the Agile framework – not the other way around. Our goal for this research is to help security professionals understand Agile development and the issues developers face, so they can work together better. We will discuss rapid development process evolution, feature prioritization, and how cultural differences create friction between security and development. Speed and agility are essential to both sides; tools and processes that allow security issues to be detected earlier, with faster recovery, are beneficial to both. We will offer advice and approaches on bypassing some of the sticking points, and increasing the effectiveness of security testing. The structure of this series will be as follows: Agile and Agile Trends: We will start by highlighting several key trends in development today, including the evolution of fast-flux development processes. We will offer a very basic definition of Agile development. We will use it to show both why security and development teams don’t easily mesh, and how Agile development gets a bad reputation for security. We will also shed some light on how the cloud and mobile devices add new wrinkles to application security, offering suggestions for how to “skate to where the puck is going”. Working with Development: Next we will discuss how security can work well with development, and how best to insert security into the development process to work more closely with development teams. We will list many of the core friction areas and how to avoid common pitfalls. We will discuss how to share information and expertise – with a particular focus on how external stakeholders can best support development teams within their process, including discussion of information sharing, metrics, and security training. Integrating Security into Agile: After considering how best to work with development, we will take a more process-oriented look at integrating security into Agile development. Agile may lack the neatly delineated architecture, design, QA, and implementation phases of waterfall development; but each of these remains a core development task, and an opportunity to promote secure software development. We will discuss functional security requirements, security in the context of different development phases, use of security stories, threat modeling, and prioritization of security among the sea of development tasks. Tools and Testing in Detail: We have covered the people and process aspects of Agile, so here we will consider some that automate security efforts. Every development team relies heavily on tools to make their job easier. Security testing tools are even more critical because they both make identification of defects easier; and also automate discovery, reporting, and tracking. Few developers are security experts, so we discuss which tools and testing methodologies fit within the various phases of the development process. We will cover unit tests, security regression tests, static and dynamic analysis, pen testing, and vulnerability analysis. We will discuss how these efforts are integrated with Agile management and bug tracking tools to help define what a legitimate security toolchain looks like to cover relevant threats. The New Agile – DevOps in Action: We will close out this series with a glimpse of where development trends are headed. We will offer our perspective on what DevOps is, why it helps, and how automation and software defined security weave security practices tightly into software delivery. We will discuss usage of APIs, as well as policies and scripts to automate continuous integration and continuous testing efforts. Next up: trends in Agile development. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.