Agile software development has become more prevalent in today's digital evolution. While software development has been transformed, the management of information security and risk has not been correspondingly defined and adapted to support such an environment.
One candidate is the SAFe Lean-Agile Principles by Scaled Agile, which consist of ten fundamental concepts of Agile and Lean product development. The information security community may consider adapting these ten principles to IT security, in response to the evolution of software development in an Agile environment.
The first principle of SAFe Lean-Agile is “Take an economic view”. An economic view takes into account the demands and needs of the market, so IT security controls should likewise be evaluated against those demands and needs. The economic view can be derived from the expectations of consumers and regulatory authorities, and it helps to prioritize IT security controls.
The second principle is “Apply systems thinking”. IT security should be part of the development team, so that security decisions and risk considerations are made early in the development process. IT security can provide guidance on security controls, while the risk team can advise the team on managing the risk if a control cannot be added within an iteration.
The third principle is “Assume variability; preserve options”. This mindset requires embracing flexibility and change in security while engaging in dynamic decision-making. From an IT security perspective, the implementation of security controls needs to be flexible, while corporate policy provides a fixed beacon regardless of variability. Security policy needs to give clear direction while leaving flexibility in how security controls are implemented.
To support fast, incremental software development, the fourth principle is “Build incrementally with fast, integrated learning cycles”. A security approach should be adaptive and fast and should not impede development, so security testing and assurance must adapt to ever-changing, incremental iterations. This can be done by integrating automated security tools into the delivery pipeline so that security issues are discovered in each iteration rather than at the end.
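As an added illustration, not code from the original article or from Scaled Agile, the following Python sketch shows what “integrated and automated security tools” can look like as a gate run in every iteration: it checks pinned dependencies against an advisory list and scans source files for committed secrets, failing the iteration when anything is found so the team can fix it in the same cycle. The advisory entries, the `examplelib` package, the regex patterns and the sample inputs are all constructed for the example.

```python
"""Illustrative automated security gate for an incremental delivery pipeline.

Constructed example: the advisory list, patterns and sample inputs are made up
for illustration and do not come from the article or any real project.
"""
import re
from dataclasses import dataclass

# Constructed advisory data: package name -> versions known to be vulnerable.
# A real gate would pull this from an advisory feed; hypothetical entries only.
KNOWN_VULNERABLE = {
    "examplelib": {"1.0.0", "1.0.1"},
}

# Simple, illustrative secret patterns (a real scanner would carry many more).
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded_password",
     re.compile(r"password\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    check: str      # which automated check fired
    location: str   # file:line so the team can fix it in the same iteration
    detail: str


def scan_dependencies(requirements: str) -> list:
    """Flag pinned dependencies that match the constructed advisory list."""
    findings = []
    for lineno, raw in enumerate(requirements.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if "==" not in line:
            continue  # unpinned or blank lines are ignored in this illustration
        name, version = (part.strip() for part in line.split("==", 1))
        if version in KNOWN_VULNERABLE.get(name.lower(), set()):
            findings.append(Finding("vulnerable_dependency",
                                    f"requirements.txt:{lineno}",
                                    f"{name}=={version}"))
    return findings


def scan_secrets(filename: str, source: str) -> list:
    """Flag source lines that look like committed credentials."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for check, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(check, f"{filename}:{lineno}", line.strip()))
    return findings


def run_gate(requirements: str, sources: dict) -> tuple:
    """Run every check; the iteration passes only when no finding remains."""
    findings = scan_dependencies(requirements)
    for filename, source in sources.items():
        findings.extend(scan_secrets(filename, source))
    return (not findings, findings)


# Constructed sample inputs for a stand-alone run.
SAMPLE_REQUIREMENTS = """requests==2.31.0
examplelib==1.0.1   # hypothetical package pinned to a vulnerable version
"""

SAMPLE_SOURCES = {
    "app.py": 'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"  # constructed, not a real key\n'
              'def connect():\n'
              '    password = "hunter2"\n'
              '    return AWS_KEY, password\n',
}

if __name__ == "__main__":
    passed, findings = run_gate(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES)
    for f in findings:
        print(f"[{f.check}] {f.location}: {f.detail}")
    print("gate passed" if passed else "gate failed")
```

The point of the design is that each finding carries a file and line, so it becomes an ordinary work item in the current iteration rather than a report delivered after release; wiring `run_gate` into the pipeline's merge step is what makes the learning cycle both fast and integrated.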
The fifth principle is “Base milestones on objective evaluation of working systems”. Throughout the development of a product, IT security controls should be implemented incrementally, with periodic milestones at which the product is evaluated. For information security, the security requirements must be clear so that they provide an objective basis for evaluating the product at each milestone.
Next is “Visualize and limit WIP, reduce batch sizes, and manage queue lengths”. This requires batch sizes to be kept small and queue lengths short. Security controls and requirements need to be broken down into small work items that teams can prioritize, develop and implement.
The seventh principle is “Apply cadence, synchronize with cross-domain planning”. Regular cadence and synchronization should also be applied to the implementation of security controls. With a regular cadence, key primary security controls can be prioritized, while secondary security controls are added to the backlog.
As security policy and controls cut across technology and business functions, synchronization events enable cross-domain teams to align security requirements and their implementation at the various levels of the solution.
The eighth principle is “Unlock the intrinsic motivation of knowledge workers”. To unlock intrinsic motivation, workers should be encouraged to explore and to make security decisions based on company principles and values. Organizations should recognize that security requirements are important, as they give assurance to customers and hasten product acceptance in the market. The team should be motivated to keep striving so that their product does not fall victim to mistakes and attackers.
The penultimate principle is “Decentralize decision-making”. For the team to make decisions on security controls and risk, developers must be empowered and responsible for making security decisions. Development team members should be empowered to determine how the policy and controls can be met and in which iteration they will be implemented.
Developers should be trained to evaluate the code and the application from an attacker's perspective, so that they are able to make decisions on product security.
The tenth and final principle is “Organize around value”. Security controls and requirements should be organized around the value that customers and society demand. A paradigm shift is required to organize security controls and requirements around the value the controls have for the customer and the organization.
Assessments need to be performed to determine which controls should be implemented to support that value and address the risk exposure of the product.
In conclusion, there is an opportunity for IT security and information risk to be embedded into the Agile framework. With the right mindset and a willingness to change practice, security and risk can be managed within a fast and dynamic software development environment.
Adapting security practice to an Agile framework will enable IT security professionals to help the development team manage risk and balance security requirements against the threats and demands of society.