Security Development Lifecycle in Agile Scrum Methodology
Written by admin on Monday, 26 July 2010 at 5:32 am
In the current global economic climate, organizations are under mounting pressure to deliver a final product with fewer security flaws and vulnerabilities without slipping the release schedule or cutting product functionality. The spread of social networking sites, blogs, wikis, service-oriented architecture, dynamic web content and mobile application stores has made the security landscape more complex. According to the Verizon Business Data Breach Report of April 2009, 90% of websites are vulnerable to attack, and various sources report that around 60% to 90% of cyber attacks and internet security violations come through web applications.
In addition, projects often take much longer than estimated and cost more than budgeted. To tackle these problems, most development enterprises are exploring some form of Agile software development methodology, pure or hybrid, for building their applications, because it keeps the focus on delivering what the customer asked for; the challenge is to keep security work inside that model rather than bolted on at the end.
In software product development, Agile methodology is a conceptual framework for breaking software into manageable parts that can be delivered to the customer earlier. The aim of any Agile project is to deliver a basic working product as quickly as possible and then improve it continually.
There are various Agile methodologies, such as Scrum, Extreme Programming, Adaptive Software Development (ASD) and Dynamic Systems Development Method (DSDM). Scrum, one process for implementing Agile, focuses on delivering the highest business value in the shortest time. The product progresses in a series of short delivery cycles (sprints), and requirements are captured as items in a prioritized list, the product backlog. The features to be built in each sprint, which typically runs 2-4 weeks, are selected from the backlog at sprint planning, and a short daily Scrum meeting tracks progress against them. Because working software is inspected at the end of every sprint, an organization or team can decide whether to release it or enhance it for another iteration.
The security development lifecycle (SDL) applied to Agile Scrum tracks metrics, maintains accountability, gets security issues fixed correctly and minimizes the attack surface. Its requirements fall into three categories by frequency: every-sprint, bucket and one-time. Every-sprint requirements are essential to security, and no software should ever be released without them being met. Bucket requirements are tasks that must be performed regularly over the lifetime of the project but are not so critical that they must be done in every sprint; they are grouped into a small number of buckets (verification tasks, design review and response planning in Microsoft's SDL-Agile), and each sprint completes at least one task from each bucket. One-time requirements are once-per-project tasks that need not be repeated once completed, typically with a grace period in which to finish them after the project starts.
Finally, a final security review at the end of each sprint checks that: all every-sprint requirements have been completed; at least one requirement from each bucket has been completed; no bucket requirement has gone more than six months without being completed; no one-time requirement has exceeded its grace-period deadline; and no security bug above the designated severity threshold remains open. Run this way, the SDL in Agile Scrum reduces security risk, helps lower the Total Cost of Quality (TCQ) and Total Cost of Ownership (TCO), and balances functionality against security.
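As an added illustration, not part of the original post, the following Python script turns the five final-security-review criteria above into a release gate run over constructed backlog data. The data model, the field names, the bucket names and the use of 183 days as "six months" are assumptions made for the example; a real team would feed it from its backlog tracker.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Requirement categories as described in the post; the data model below is assumed.
EVERY_SPRINT, BUCKET, ONE_TIME = "every-sprint", "bucket", "one-time"


@dataclass
class Requirement:
    name: str
    kind: str                               # EVERY_SPRINT, BUCKET or ONE_TIME
    bucket: Optional[str] = None            # which bucket a BUCKET requirement belongs to
    last_completed: Optional[date] = None   # most recent completion, None if never done
    deadline: Optional[date] = None         # grace-period deadline for ONE_TIME requirements
    done_this_sprint: bool = False


@dataclass
class SecurityBug:
    bug_id: str
    severity: int           # 1 = most severe; the gate threshold is inclusive
    is_open: bool = True


SIX_MONTHS = timedelta(days=183)   # assumption: "more than six months" taken as > 183 days


def final_security_review(reqs, bugs, sprint_end, severity_threshold=2):
    """Apply the five gate rules. Returns (rule, detail) pairs; an empty list means the sprint may ship."""
    failures: List[Tuple[str, str]] = []

    # Rule 1: every every-sprint requirement was completed in this sprint.
    for r in reqs:
        if r.kind == EVERY_SPRINT and not r.done_this_sprint:
            failures.append(("every-sprint", r.name))

    # Rule 2: at least one requirement from each bucket was completed this sprint.
    bucket_reqs = [r for r in reqs if r.kind == BUCKET]
    for b in sorted({r.bucket for r in bucket_reqs}):
        if not any(r.bucket == b and r.done_this_sprint for r in bucket_reqs):
            failures.append(("bucket-per-sprint", b))

    # Rule 3: no bucket requirement has gone more than six months without being completed.
    for r in bucket_reqs:
        last = sprint_end if r.done_this_sprint else r.last_completed
        if last is None or sprint_end - last > SIX_MONTHS:
            failures.append(("bucket-stale", r.name))

    # Rule 4: no one-time requirement is still open past its grace-period deadline.
    for r in reqs:
        if (r.kind == ONE_TIME and r.last_completed is None
                and r.deadline is not None and sprint_end > r.deadline):
            failures.append(("one-time-overdue", r.name))

    # Rule 5: no security bug at or above the severity threshold is still open.
    for bug in bugs:
        if bug.is_open and bug.severity <= severity_threshold:
            failures.append(("open-security-bug", bug.bug_id))

    return failures


def sample_review():
    """Constructed sprint data (not from the post) run through the gate at sprint end."""
    sprint_end = date(2010, 7, 30)
    reqs = [
        Requirement("Run static analysis on checked-in code", EVERY_SPRINT, done_this_sprint=True),
        Requirement("Threat model new features", EVERY_SPRINT),                    # missed this sprint
        Requirement("Fuzz file parsers", BUCKET, bucket="verification",
                    last_completed=date(2010, 1, 5)),                              # 206 days old
        Requirement("Review crypto usage", BUCKET, bucket="design review",
                    last_completed=date(2010, 7, 28), done_this_sprint=True),
        Requirement("Update incident response contacts", BUCKET, bucket="response planning",
                    last_completed=date(2010, 5, 1)),                              # bucket idle this sprint
        Requirement("Establish security response plan", ONE_TIME,
                    deadline=date(2010, 6, 30)),                                   # past grace period
        Requirement("Complete security training", ONE_TIME,
                    last_completed=date(2010, 3, 1), deadline=date(2010, 4, 1)),
    ]
    bugs = [SecurityBug("SEC-17", severity=1), SecurityBug("SEC-22", severity=3),
            SecurityBug("SEC-9", severity=1, is_open=False)]
    return final_security_review(reqs, bugs, sprint_end)


if __name__ == "__main__":
    for rule, detail in sample_review():
        print(f"BLOCK [{rule}]: {detail}")
```

Each failure names the rule it tripped, so the output doubles as the sprint's security metric: a sprint that reports only "bucket-stale" entries has a cadence problem, while "open-security-bug" entries mean triage, not process, is blocking the release. Note that "done this sprint" satisfies the six-month rule on its own, so a freshly completed bucket task never also shows as stale.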
Category: Security Testing Services, Software Testing