If you’ve followed this blog for any length of time, you know we have talked about the troubles of integrating security testing and secure code development practices into an Agile development process. Security is trying to manage risks to the organization, including risks introduced by new technologies such as code. Development teams try to deliver quality code faster, which means jettisoning things that slow them down. Both want customers to be happy and to deliver new products and services, but their underlying goals of risk reduction and maximized efficiency do not inherently mesh, causing friction.

This research paper was conceived as a way to help security people understand and better work with development. We explain what development teams are trying to do, how they want to work, and offer pragmatic advice to help mesh the goals of both organizations into a unified process. On this topic, we really wanted to give back to the community! We’ve included much of what we have learned about secure code development over the last two decades, as well as things we’ve learned from other development teams, CISOs and security vendors, to provide a simple guide on how to promote security in Agile software development teams.

We are also proud to announce that Veracode has licensed this content. It’s not every day that a vendor will back a research paper that does not promote or demystify a product category, but it’s an area we felt security — and developers — could use information on. As this research is geared toward helping CISOs and others build a process, it’s decidedly non-product focused, so we are grateful for Veracode’s help in supporting our efforts to bring this research to you.

As always, if you have questions or comments, please contact us at info at Securosis with the ‘dot com’ extension, or simply comment on the blog.

You can download the paper here.