Over the years, development processes have evolved from Waterfall to DevOps, passing through Agile and Agile with Scrum along the way. Each evolutionary step brought the relevant security checks into the development methodology. One lesson stands out: remediating ‘true positives’ after implementation, as in the Waterfall model, is impractically expensive in terms of both resources and time.
Agile application security, on the other hand, refers to a set of techniques defined to address the common drawbacks of the Waterfall model, such as complexity, poor communication, and infrequent validation.
Looking Back at the ‘Waterfall’ Challenges
The Waterfall methodology requires all code and supporting libraries to be fully built before tests can be conducted. Even a product version update requires complete code testing, infrastructure testing, and application testing (WASA/penetration testing). Other challenges pertain to:
- Integrating instances of security data and tools with development systems
- Identifying vulnerabilities and communicating them to development teams holistically
- Cost of multiple assessments
- Time spent on creating design documents, the high-level design (HLD) document, runbook, user knowledge base, and so on; documentation is a time-consuming activity as it needs multiple levels of reviews and approvals.
- Scope changes due to long time-to-market
- Issues like cross-site request forgery (CSRF) that usually surface toward the end of the development cycle, when going back to change the relevant code is extremely difficult
How Agile Can Simplify, and Improve, Testing
Agile methodology in testing is characterized by task simplicity, quicker turnaround of code sets, continuous feedback, more accurate estimation in each sprint, continuous deployment and integration, and more opportunities for product enhancement.
However, with code being modified in every sprint, security testing is challenging in Agile as well. Hence, it is crucial to know which tests to perform, and when. Here are four steps that must be followed during CI/CD deployment:
- Static analysis: Static analysis enables developers to quickly identify and remediate application security flaws without the need for an extensively complex tool.
- Unit test: Unit test frameworks such as JUnit, NUnit, and CUnit can be adapted to verify security test requirements. For security functional tests, they are effective for assessing the functionality of security controls at the software component level, such as methods and classes.
- Dynamic analysis security testing (DAST): An application security methodology for identifying vulnerabilities in web applications while they are running in production.
- Regression test: Ensures that previously developed and tested software still performs the same way after it is changed or interfaced with other software. Changes may include software enhancements, configuration changes, and so on.
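As an added illustration of the unit-test step (this is example code written for this article, not code from any framework or project the article names), the block below shows how a security control can be verified at the component level. The control is a hypothetical synchronizer-style CSRF token (the CSRF problem is the one raised in the Waterfall challenges above): `issue_token` binds a token to a session id and issue time with an HMAC, and `verify_token` checks it with a constant-time comparison and a time-to-live. The `unittest` cases assert the security requirements directly: a token is accepted only for the session it was issued to, only within its TTL, only with an intact MAC and only under the right secret, and malformed input is rejected rather than raising. Because the suite runs on every sprint's build, it doubles as the regression test for this control. All names, the token layout and the secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
import unittest

# Hypothetical CSRF token control written for this example.
# Token layout (an assumption): "<issued_at>.<nonce>.<hex mac>", where the MAC
# covers the session id, the issue time and the nonce.
TOKEN_TTL_SECONDS = 3600


def _mac(secret, session_id, issued_at, nonce):
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, secret, now=None):
    """Issue a token bound to one session; `now` is injectable for testing."""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return f"{issued_at}.{nonce}.{_mac(secret, session_id, issued_at, nonce)}"


def verify_token(token, session_id, secret, now=None, ttl=TOKEN_TTL_SECONDS):
    """Return True only for a well-formed, unexpired token with a valid MAC."""
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False  # malformed input is a rejection, never an exception
    current = int(now if now is not None else time.time())
    if issued_at > current or current - issued_at > ttl:
        return False
    expected = _mac(secret, session_id, issued_at, nonce)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


class CsrfTokenSecurityTests(unittest.TestCase):
    """Security functional tests for the control, at method level."""
    SECRET = b"constructed-test-secret-do-not-reuse"  # constructed value
    T0 = 1_000_000  # constructed fixed clock

    def test_valid_token_is_accepted(self):
        tok = issue_token("sess-1", self.SECRET, now=self.T0)
        self.assertTrue(verify_token(tok, "sess-1", self.SECRET, now=self.T0 + 100))

    def test_token_is_bound_to_its_session(self):
        tok = issue_token("sess-1", self.SECRET, now=self.T0)
        self.assertFalse(verify_token(tok, "sess-2", self.SECRET, now=self.T0 + 100))

    def test_expired_token_is_rejected(self):
        tok = issue_token("sess-1", self.SECRET, now=self.T0)
        late = self.T0 + TOKEN_TTL_SECONDS + 1
        self.assertFalse(verify_token(tok, "sess-1", self.SECRET, now=late))

    def test_tampered_mac_is_rejected(self):
        issued, nonce, mac = issue_token("sess-1", self.SECRET, now=self.T0).split(".")
        flipped = ("0" if mac[0] != "0" else "1") + mac[1:]
        self.assertFalse(verify_token(f"{issued}.{nonce}.{flipped}", "sess-1",
                                      self.SECRET, now=self.T0 + 100))

    def test_wrong_secret_is_rejected(self):
        tok = issue_token("sess-1", self.SECRET, now=self.T0)
        self.assertFalse(verify_token(tok, "sess-1", b"other-secret", now=self.T0 + 100))

    def test_malformed_input_is_rejected(self):
        for bad in ("", "abc", "1.2", "x.y.z.w", "notanint.n.m", None):
            self.assertFalse(verify_token(bad, "sess-1", self.SECRET, now=self.T0 + 100))


def run_security_unit_tests():
    """Run the suite the way a CI job would; returns (tests run, failures+errors)."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(CsrfTokenSecurityTests)
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    ran, failed = run_security_unit_tests()
    raise SystemExit(1 if failed else 0)
```

Run as a script, the module exits non-zero when any security requirement fails, which is exactly the signal a CI/CD stage needs to block the deployment; wiring the same command into the pipeline's test stage is what turns a one-off check into a per-sprint regression test.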
Agile application security lays more emphasis on people, interaction, working software, customer collaboration, and change rather than on processes, tools, contracts, and plans. Some of the benefits of adopting agile methodology in testing are as follows:
- Helps organizations reduce cost and eliminate waste and error across the entire development cycle
- Allows developers to respond to surging customer expectations and maintain a competitive advantage
- Real-time vulnerability updates on the status of the source code and applications
- Application-specific testing capability, which reduces the cost and duration of projects
- Adapts to change and enhances quality due to continuous testing
- Rapid delivery of business value and increased ROI
Although much has been said about Agile being a people-centric approach to software development, no systematic review of the methodology has been attempted yet. The transformation from traditional project management needs to go beyond the organizational level into a practically ‘agile’ way of working and delivering. That said, in the process of transitioning to the Agile testing approach, it is crucial to avoid errors, failures, and unrealistically restrictive guidelines. What do you think?