Security plug-in for agile software development

by David Ochel

Be it IT operations or software development, security efforts (in particular, those that go beyond common-sense, baseline protection measures) should focus on addressing concrete risks. This ensures that effort is concentrated in the areas that are most vulnerable, and provides better cost control than just applying random measures in random areas. However, this requires a more or less formal risk assessment — something that is not often seen in commercial software development, and even less so in agile development environments.

This year's May/June issue of the IEEE Security & Privacy magazine contains an article on Protection Poker, a method developed at North Carolina State University to aid agile software development teams in considering security risks for the features they integrate.

The basic idea is to give development teams an effective tool to discuss and evaluate the security risk of software changes in their iteration planning meetings. The teams discuss potential for misuse and threat scenarios, and vote on the severity of risk introduced by a feature (or change) as compared to other features. The results include increased awareness for potential security issues throughout the entire team, as well as identification of high-risk items that should be subject to additional assurance activities (such as code reviews or additional testing).

The paper goes on to describe a case study conducted with a Red Hat IT maintenance team, and ends with the encouragement for other "industrial teams" to contact the authors for additional material and information.