Is there an implied security promise in Agile methods?
• Yes, perhaps, but it depends
• When an Agile method requires stringent automated testing that runs often, that is probably a good thing for security: security regressions are caught in the same cycle as functional ones
• Agile methods that aim to minimise quality debt also help security, as far as security can be seen as analogous to (or a subset of) quality, or if you start talking about security debt (see: http://en.wikipedia.org/wiki/Technical_debt)
• Lean processes make it faster to react to vulnerabilities and other external issues
• Simple processes may be easier to follow than complex ones, leaving more time for actual issues and less for process
• Add security to the Definition of Done for Scrum teams: it then becomes a criterion that is assessed automatically after every Scrum sprint
• If security is considered in every sprint, the result is more hours spent on security in total than in a traditional process with a single security analysis at the end
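Making security part of the Definition of Done only works if the criteria can be assessed automatically at the end of every sprint. The following is an added example (not from the original page or any particular project) of what such a gate can look like: a small, self-contained checker that encodes three hypothetical Definition-of-Done security rules (no hardcoded secrets, no known-dangerous deserialisation or code-evaluation calls, every HTTP handler carries an authentication decorator) and runs them over a constructed in-memory "repository". The decorator names `@route` and `@requires_auth`, the file contents, and the rule set are all assumptions chosen for illustration; a real team would substitute the conventions of its own code base and run the script from CI.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "repository" (path -> contents) that violates all three rules.
# These are illustrative snippets, not code from any real project.
SAMPLE_REPO: Dict[str, str] = {
    "app/handlers.py": '''
@route("/admin/users")
@requires_auth
def list_users(request):
    return db.query("SELECT * FROM users")

@route("/export")
def export_report(request):
    return run_report(request.args["name"])
''',
    "app/settings.py": '''
DB_HOST = "db.internal"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
''',
    "app/util.py": '''
import pickle
def load(blob):
    return pickle.loads(blob)
''',
}

# The same repository after the sprint's fixes: auth added, secret moved to the
# environment, pickle replaced by json. Also constructed for this example.
FIXED_REPO: Dict[str, str] = {
    "app/handlers.py": SAMPLE_REPO["app/handlers.py"].replace(
        '@route("/export")\n', '@route("/export")\n@requires_auth\n'),
    "app/settings.py": '''
import os
DB_HOST = "db.internal"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
''',
    "app/util.py": '''
import json
def load(blob):
    return json.loads(blob)
''',
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    detail: str


# Rule 1: obvious credential assignments and AWS access-key-id shaped literals.
SECRET_PATTERNS = [
    re.compile(r'(?i)(aws_secret_access_key|api_key|password)\s*=\s*["\'][^"\']{8,}["\']'),
    re.compile(r'AKIA[0-9A-Z]{16}'),
]
# Rule 2: calls that evaluate code or deserialise untrusted input unsafely.
DANGEROUS_CALLS = re.compile(r'\b(eval|exec|pickle\.loads|yaml\.load)\s*\(')
# Rule 3: hypothetical framework conventions for handlers and auth.
DEF_LINE = re.compile(r'^\s*def\s+')


def check_secrets(path: str, text: str) -> List[Finding]:
    return [Finding("hardcoded-secret", path, n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in SECRET_PATTERNS)]


def check_dangerous_calls(path: str, text: str) -> List[Finding]:
    return [Finding("dangerous-call", path, n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if DANGEROUS_CALLS.search(line)]


def check_handlers_have_auth(path: str, text: str) -> List[Finding]:
    # Collect the decorator stack above each def; a @route(...) handler without
    # @requires_auth anywhere in that stack fails the rule, whatever the order.
    findings, decorators = [], []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("@"):
            decorators.append((n, stripped))
        elif DEF_LINE.match(line):
            is_handler = any(d.startswith("@route(") for _, d in decorators)
            has_auth = any(d.startswith("@requires_auth") for _, d in decorators)
            if is_handler and not has_auth:
                findings.append(Finding("handler-without-auth", path, decorators[0][0], stripped))
            decorators = []
        elif stripped and not stripped.startswith("#"):
            decorators = []  # any other statement breaks the decorator stack
    return findings


def run_security_dod(repo: Dict[str, str]) -> List[Finding]:
    """Run every Definition-of-Done security rule over the repository."""
    findings: List[Finding] = []
    for path, text in sorted(repo.items()):
        findings += check_secrets(path, text)
        findings += check_dangerous_calls(path, text)
        findings += check_handlers_have_auth(path, text)
    return findings


def dod_passes(repo: Dict[str, str]) -> bool:
    """The sprint increment is 'done' only when no rule reports a finding."""
    return not run_security_dod(repo)


if __name__ == "__main__":
    for name, repo in (("before fixes", SAMPLE_REPO), ("after fixes", FIXED_REPO)):
        print(f"== {name}: {'PASS' if dod_passes(repo) else 'FAIL'}")
        for f in run_security_dod(repo):
            print(f"  {f.rule:22} {f.path}:{f.line}  {f.detail}")
```

Wired into the pipeline as a required job, a gate like this turns "security in the Definition of Done" from a checklist item into something the sprint cannot close without; the rules here are deliberately simple regex checks, and in practice a team would grow them (or swap in a dedicated SAST tool) as its own recurring findings accumulate.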