Secure Coding During Agile Development?
I would like to ask the group for thoughts/experience with secure coding aspects while performing agile development. Within this context, secure coding is a part of software assurance that focuses on secure methods versus quality/performance (which I understand are not mutually exclusive from secure aspects). Typical agile development focuses on achieving a certain number of fully operational capabilities within the defined short development sprint. Secure coding is not necessarily a defined single capability, but rather a set of design/coding principles interwoven throughout development. Adding in agile development "secure coding" capabilities (recursive on previously developed capabilities) would appear to be bolt-on security versus baked-in security. Does the group have any thoughts or advice on this?
-
Most approaches to developing secure applications in agile focus on a single foundational aspect: creating security-based user stories. Considering user stories are the drivers for sprint activities, it makes the most sense to include user stories that meet security goals. By adding comprehensive security-based user stories to the backlog, the agile process drives the inclusion of security in each sprint.
For example, in addition to functional user stories in the form of “As a , I want so that ,” it is imperative to include user stories that address security-related roles. They could include user stories such as:
- As a hacker, I can input data that is too long and cause unexpected data to be returned.
- As a hacker, I can send input that terminates a SQL query and adds additional SQL queries to return unauthorized data.
- As an architect, I want to ensure all output is properly encoded.
There are many security-related user stories you could add to each sprint. The OWASP site contains an article about evil user stories, and the software assurance nonprofit SAFECode published a paper detailing many more types of security user stories and tasks. These are both great resources to get you started with adding security-centric user stories.
The most important takeaway is to realize that just by adding security to user stories, you can make a dramatic impact on the security of your software development process in agile.
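One way to make the three evil user stories above testable within a sprint, as an added example that is not part of the original post: each story becomes an acceptance check the team runs before calling the feature done. It uses Python with an in-memory sqlite3 fixture; the users table, the two sample rows and the MAX_NAME_LEN limit are assumptions constructed for the example.

```python
# Acceptance checks derived from three security user stories; each function is
# the "done" criterion for one backlog story. Fixture data, MAX_NAME_LEN and the
# table layout are constructed for this example.
import html
import sqlite3

MAX_NAME_LEN = 32  # assumed limit agreed for the "too long input" story

def lookup_user(conn, name):
    """Story: a hacker terminates the SQL query and appends more queries.
    Done when: user input is a bound parameter, never spliced into the SQL."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchall()

def accept_name(name):
    """Story: a hacker inputs data that is too long.
    Done when: over-long input is rejected before it reaches storage or logic."""
    if not isinstance(name, str) or len(name) > MAX_NAME_LEN:
        raise ValueError("name rejected: wrong type or too long")
    return name

def render_greeting(name):
    """Story: the architect wants all output properly encoded.
    Done when: every dynamic value is HTML-escaped at the output boundary."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

def build_demo_db():
    """Constructed in-memory fixture with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def run_acceptance_checks():
    """Run each story's check; a False value means that story is not done."""
    conn = build_demo_db()
    results = {}
    # The injection string is bound as a literal name and matches nobody.
    results["sqli_is_inert"] = lookup_user(conn, "bob'; SELECT * FROM users; --") == []
    results["normal_lookup_works"] = lookup_user(conn, "alice") == [(1, "alice")]
    try:
        accept_name("A" * (MAX_NAME_LEN + 1))
        results["long_input_rejected"] = False
    except ValueError:
        results["long_input_rejected"] = True
    results["output_encoded"] = "<script>" not in render_greeting("<script>alert(1)</script>")
    return results
```

Wiring `run_acceptance_checks` into the sprint's CI run gives each security story the same pass/fail visibility as the functional stories it sits beside in the backlog.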