Paul Fawcatt posted a great blog in which he listed five security practices in Agile product development. I thought he really hit the nail on the head so I will highlight the five points here:
- Make stakeholders part of the risk assessment
Paul says you should bring the team and stakeholders together, not only at the start of a project but frequently, to explore what could happen and decide how you would deal with it. The decisions made in these risk sessions can be documented in the Definition of Done (DoD) as criteria that must be satisfied before software is considered complete. Making the definition of ‘Done’ visible on your team board ensures that security is taken into consideration throughout product development.
- Let stakeholders conduct security tests during the product review
At the product review, also called a demo, the team presents the product and asks for feedback. Stakeholders get the opportunity to try the software, which is also a chance to probe the system’s security: try the things an intruder or a deceptive user would do and see how the system reacts. The team and stakeholders can then decide which issues need to be addressed to keep the system secure.
- Introduce acceptance criteria to agree on how you will check the security of specific user stories
Acceptance criteria not only capture the requirements, they also help decide how many and what kind of security measures are needed. Defining the security aspects in advance helps the team build software that meets the security demands and test that they are met before delivery.
- Use Agile retrospectives
Agile retrospectives help teams review their way of working and continuously improve. In a retrospective you can surface major or recurring security problems and uncover their root causes, which can then be resolved to avoid similar issues in the future. Retrospectives also help the team define how it handles security going forward.
- Group to minimize security damage
Paul’s last point is that when an attack hits, a quick and effective reaction is required to resolve the issue and prevent further damage. Grouping is an approach in which the whole team focuses on solving one issue: people from different disciplines work together to build a common understanding, come up with ways to address the issue, solve it, and put the updated software into operation. To act effectively, the team can involve some of its stakeholders, for example product or project managers and people from production.