Symbiosis between agility and security
How can agile work methods and processes be structured in a manner that ensures an adequate level of security without having to forgo the benefits of an agile approach? The Security workstream at Cross-Business-Architecture Lab e.V. answered this question by formulating three proposals that relate to cooperative security governance and transparency, support for security goals by the entire organization, and measures to raise security awareness among all agile teams.
by Dr. Ilir Fetai
One of the tasks of a central governance function is to clearly assign responsibilities in an agile environment as well, and if necessary also define additional roles that are not part of the Scrum playbook. This makes it possible to consistently take into account and implement approaches that are adapted to a company’s specific needs.
The elements of an effective governance function in an agile environment include the following:
- Establishment of the role of a project sponsor who is responsible for projects / project approaches and the final assumption of risks.
- Specification of the responsibilities of the product owner role – e. g. with regard to the prioritization of security requirements and the implementation of associated measures, including security reporting and escalation procedures.
- Specification of the responsibilities of the role of Scrum Master – e. g. in terms of taking into account security measures when planning iterations/sprints, conducting escalation procedures when security problems arise, and planning and managing threat assessments.
- Establishment of the role of a security architect who can support teams with expert knowledge – e. g. when conducting threat assessments or reviews – and also define security requirements for the teams.
- Specification of the responsibilities of the individual developers in teams/projects – e. g. in terms of handling security issues and participating in security-related training and information events.
It is not sufficient to focus solely on developing provisions for such elements, however, as their implementation in the organization and in agile projects also needs to be managed effectively. This in turn requires close cooperation at all levels. A central link in the form of exchange and networking formats for the various communities must therefore be established between agile projects/teams and internal security functions (e. g. the CISO). This will ensure that agile work methods and an agile work environment will be promoted in the various provisions of the governance function as well.
Security in Increments
As is the case with development work, agile projects also need to structure security measures in Increments and implement them during Sprints. However, this also means that security will be transformed from a one-time quality gate into a process whose activities – such as the elimination of weaknesses, the processing of security-relevant User and Abuser Stories, the performance of source code analyses, etc. – need to be repeated in each Sprint.
Of critical importance for security in agile projects is the creation of a general overview accepted by all the parties involved, and the simultaneous assignment of responsibility for secure development to agile teams. This aspect must not be left to a central function, since this would result in a loss of speed on the one hand and a dilution of the agile principle of personal responsibility on the other. The aforementioned general overview must take into account the needs of the governance units and the entire organization – and also the needs of agile projects/teams. The governance units should not be viewed as a type of ivory tower here. Instead, it must be possible for projects and teams to influence the work performed by governance units – for example by having team members work temporarily in such units.
Cross-company data and figures are needed
Organizations that wish to establish standardized approaches and uniform standards need to be able to generate and access cross-company data and figures and define documentation requirements in order to create transparency and thus ensure effective monitoring and control. In an agile context, this can be done, for example, by defining requirements that would then be used as acceptance criteria or as elements of the DoD (Definition of Done). Another possible approach would be to stipulate that Sprint Increments can only use those components that have no known weaknesses with a CVSS score of >3. CVSS stands for Common Vulnerability Scoring System, which is an industry standard for assessing the severity of potential and actual security vulnerabilities in IT systems.
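The CVSS-threshold rule above is the kind of acceptance criterion that can be checked mechanically at the end of a Sprint. The following is an added example (not code from the article or from Cross-Business-Architecture Lab e.V.) that reads a constructed dependency-scan report in a hypothetical JSON layout and decides whether the Increment passes a Definition-of-Done gate of "no known weakness with a CVSS score above 3". The component names, vulnerability identifiers and scores are all invented; a vulnerability that the scanner lists without a score is treated as blocking, because the gate cannot show it to be within the threshold.

```python
"""Definition-of-Done gate: block an Increment that uses components with
known vulnerabilities above a CVSS threshold (constructed example)."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scanner output in a hypothetical schema; not any real tool's format.
SAMPLE_SCAN = json.dumps({
    "increment": "sprint-12",
    "components": [
        {"name": "libexample-json", "version": "1.4.2",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "cvss": 2.6}]},
        {"name": "libexample-http", "version": "0.9.0",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-2", "cvss": 7.5},
                             {"id": "VULN-EXAMPLE-3", "cvss": 3.0}]},
        {"name": "libexample-crypto", "version": "3.1.0",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-4"}]},   # reported without a score
        {"name": "libexample-log", "version": "2.0.1", "vulnerabilities": []},
    ],
})

# Threshold from the article's rule: weaknesses with CVSS > 3 are not acceptable.
DEFAULT_THRESHOLD = 3.0


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    cvss: Optional[float]   # None when the scanner reports no score


def parse_scan(raw: str) -> List[Finding]:
    """Flatten the per-component report into one Finding per vulnerability."""
    data = json.loads(raw)
    findings: List[Finding] = []
    for comp in data["components"]:
        for vuln in comp.get("vulnerabilities", []):
            score = vuln.get("cvss")
            findings.append(Finding(
                component=comp["name"],
                version=comp["version"],
                vuln_id=vuln["id"],
                cvss=float(score) if score is not None else None,
            ))
    return findings


def is_blocking(finding: Finding, threshold: float = DEFAULT_THRESHOLD) -> bool:
    """A finding blocks the Increment if it exceeds the threshold or is unscored.

    Fail closed: an unscored vulnerability cannot be shown to be within the
    threshold, so it must be resolved or scored before the gate passes.
    """
    return finding.cvss is None or finding.cvss > threshold


def evaluate_increment(raw: str,
                       threshold: float = DEFAULT_THRESHOLD
                       ) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking_findings) for one Increment's scan report."""
    blocking = [f for f in parse_scan(raw) if is_blocking(f, threshold)]
    return (len(blocking) == 0, blocking)


def report(raw: str, threshold: float = DEFAULT_THRESHOLD) -> str:
    """Human-readable gate result suitable for a Sprint review or pipeline log."""
    passed, blocking = evaluate_increment(raw, threshold)
    lines = [f"DoD security gate (CVSS > {threshold} blocks): "
             f"{'PASS' if passed else 'FAIL'}"]
    for f in blocking:
        score = "unscored" if f.cvss is None else f"CVSS {f.cvss}"
        lines.append(f"  BLOCK {f.component} {f.version}: {f.vuln_id} ({score})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```

In a delivery pipeline the same check would run against the real scanner's output and fail the build when `evaluate_increment` returns `False`; the threshold and the fail-closed handling of unscored findings are the two parameters a governance function would want to fix centrally rather than leave to each team.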
In an agile environment, security is the responsibility of both the teams and the governance function. This means that everyone involved here needs to have extensive security training. Training programs also need to take agile structures into account, however. The content of such training programs therefore needs to be largely company-specific and should be linked to the planned projects, or else be designed in line with their requirements.
It is recommended here that a brief basic training course be offered, followed by more detailed training aligned with participants’ main areas of work. These courses can then be supplemented by further specialized courses that train selected employees to become security experts in their agile projects/teams. Along with the establishment of training curricula, it is also crucial for a company to retain those security experts who have completed the specialized courses. To this end, it is important to ensure that training for further qualification is linked to an employee’s career path in order to create an additional incentive to pursue such qualification.
Security Development Life Cycle
The Security Development Life Cycle (SDLC) has become a standard tool in development projects. Here as well, however, it must be ensured that SDLC elements can interact with agile approaches. If integration is successful, security aspects can be taken into consideration from the very beginning – i.e. security by design. The following special challenges are involved here:
- Applications are developed incrementally. It therefore has to be possible to effectively apply SDLC elements to the development Increments as they occur.
- Agile projects have short development cycles that generally last for only 2-4 weeks. This makes it important that the SDLC be supported by tooling designed to automate as many of its activities as possible.
The need to switch over to an incremental work method applies, for example, to the performance of threat assessments. Conducting a threat assessment at a defined point in time is not really an expedient approach in an agile project. Instead, threat assessments should be decided upon incrementally. The first assessments can be done in the first Sprints as soon as an initial (rough) draft of an architecture has been produced. The results of the assessments should be used to define security requirements that must then be met in the Sprints that follow. The continuation and/or refinement of a threat assessment should be organized in a corresponding manner. The use of Abuser Stories has proved to be effective for defining security requirements in agile projects. Security specialists can utilize Abuser Stories to highlight specific security aspects at an early point in time (i. e. during the first Sprint). The resulting information can then be used as a basis for defining requirements. Work with Abuser Stories should be conducted within the framework of training courses for developers in order to ensure that “simple” Abuser Stories can be examined without any need for the participation of specialists.
The consistent use of delivery pipelines that offer continuous integration and continuous deployment (at least up until the testing and acceptance environments) is recommended in order to achieve a high degree of automation. It is also recommended that the degree of automation of security assessments be made as high as is possible and economically feasible, and that AI-based mechanisms be used here (to the extent that they exist).
Four recommendations to conclude
Security specialists on demand – Due to the uncertainties that can impact security planning in an unpredictable manner, agile projects/teams need to have flexible and unbureaucratic access to security expertise. One solution here is offered by security teams that are organized according to agile principles and which help teams/projects with the implementation of secure solutions.
Scalability – If necessary, security teams must be able to scale operations at short notice via framework agreements with external providers.
Networking – Every organizational unit must ensure for itself that its projects/teams are adequately networked and can, for example, represent their own interests in company-wide communities, committees, etc. In this connection, it is important that the units are given the necessary freedom and provided with sufficient funding if necessary. One approach that could be used to establish best practices would be to set up a “Software Security Group” with members from all business units. The members could exchange information that would then be used to define KPIs and reach firm agreements on the activities to be conducted.
Binding provisions – The entire organization should consider introducing binding provisions that make certain measures obligatory. The decision as to which measures should be made obligatory would depend on the organization’s needs and the compliance rules it’s subject to.
Security and agile approaches are not mutually exclusive. The Cross-Business-Architecture Lab e.V. user association, in which major companies and organizations from German-speaking countries cooperate on issues relating to EAM and the digital transformation, therefore recommends that business organizations establish a governance structure that is compatible with agile approaches and also enables them. In addition, central security-relevant services should be established and measures should be taken to ensure the easiest possible access to these services (knowledge and tools) by agile projects/teams. After that, the agile teams themselves must be made more aware of security issues and their importance – and they must commit themselves to taking these security issues into account in their daily activities.
If all components are compatible and can interact with one another, a symbiosis will be established between agility and security. This symbiosis will then permanently increase the level of security in a company’s products, services, and “minds.”
Dr. Ilir Fetai, Workstream Coordinator
How can we ensure that security is also given high priority in an agile environment?