The move to agile development practices poses both challenges and opportunities to security teams -- with the challenges often dominating. But some organizations, such as the Aetna insurance company and the state of Texas, have found ways to make it work.
"We use agile development as the norm," said Jim Routh, CISO at Hartford, Conn.-based Aetna Inc.
What does "agile security" mean? Simply put, it means that security has to become agile, as well, said Routh, and the result has been better security from the ground up.
For example, one of the principles of agile development involves "use cases" -- designing for particular applications of the technology.
For Aetna, the agile security equivalent is "abuse cases."
"We create ways of attacking the application as if we were an adversary," Routh said. "By designing mitigation into the design process using threat modeling, we actually limit the potential of attacking that application and reduce defects, leading to higher quality and higher resiliency."
Another way Aetna embeds security into the software design process early on is to use static analysis tools on code as it is being written.
"When you write a story, and use Microsoft Word, the spell checker tells you if you've misspelled a word," he said.
Developers can make mistakes, as well, which is where static analysis comes in.
"They're using it like a spell checker for development," he said. "They run it on their code, and it gives them context for how to fix vulnerabilities."
Aetna also pre-reviews the open source libraries that developers use.
"We have a tool that allows them to determine the security vulnerabilities in any open source framework," Routh said. "Then we block the high-risk libraries from put into the code."
There are a total of twelve controls that are now part of the development process, and the end result is that the development process actually became more efficient.
"We get a 15 percent gain in productivity because defects are prevented early," he said. "We have the most mature software development program in health care."
Agile security improves morale in Texas
The Lone Star State has also switched to agile development for its Texas.gov online portal, and security had to adapt as well, according to CISO Tim Virtue.
Instead of waiting six months for problems to get fixed in the next development cycle, they now get fixed in two weeks, Virtue told attendees at the CSO50 conference earlier this year.
He has also seen improvements in employee motivation, retention and recruitment. Cycle time for vulnerability management and remediation was cut in half and the time it took to deliver new security services was cut by 90 percent.
Sign up for MIS Asia eNewsletters.