How do you balance speed and quality in agile SDLC without compromising security?

Software development life cycle (SDLC) is a process that guides the creation and maintenance of software applications. It involves various stages, such as planning, analysis, design, implementation, testing, deployment, and maintenance. Each stage has its own challenges and opportunities for ensuring security and ethics in coding. In this article, you will learn some best practices and tips for coding securely and ethically in SDLC, especially in agile environments.

1 Understand the security and ethical requirements

Before you start coding, you need to understand the security and ethical requirements of your project. These may include legal, regulatory, contractual, or organizational standards and policies that you have to comply with. You also need to consider the potential risks and impacts of your code on the users, the data, the environment, and the society. You can use tools and frameworks, such as threat modeling, risk assessment, and ethical impact assessment, to identify and prioritize the security and ethical issues that you need to address in your code.

Add your perspective

Cherian Thomas

Cyber & Corporate Security Leader | CISSP | Engineering | GRC | Risk | Privacy | CMMC | Advisor | Mentor
Report contribution
Before even writing one line of code - SDLC starts with requirements an then architecture & design. So security needs to be embedded from the start including secure architecture, secure design. Architecture & design proposals need to a section called out to outline Prevention & Detection mechanisms - Eg. Logging, Alerting.

Like
Nicole Jackson
Report contribution
Agreed. Furthermore, at the root of the need for speed is the organization's commitment to ensuring it also has a security mindset. This isn't just the role of engineers and architects, it's the entire organization recognizing that as a whole, the majority of products that touch the market have inherent risk and the org needs to be committed to risk mitigation. That includes product, project, quality assurance, and those driving the direction.

Like
Chris Sundberg

Cyber-Physical Security and Compliance
Report contribution
Top-level management commitment is key to a strong SDLC, this is written in a few industry standards and frameworks (ISO/SAE 21434, NIST SP800-218). It needs to be acknowledged from the top down in the organization.

Like
Ivan De Los Santos

Cybersecurity and Operational Risk Leader | Product & Platform Security | Artificial Intelligence | Lean Management | Governance, Risk and Compliance (GRC) | Program Management
Report contribution
Tell me how you are going to measure me and I will show you how I will behave. If engineering leaders need to be held accountable for managing the risk posture of the software their teams write.

Like

2 Follow the secure coding principles and practices

Once you have the security and ethical requirements, you need to follow secure coding principles and practices to prevent, detect, and fix vulnerabilities and bugs in your code. This includes minimizing the attack surface, validating input and output, implementing the least privilege principle, encrypting and protecting data, using secure libraries and frameworks, and testing and reviewing your code. Automated and manual tools, such as static and dynamic analysis, code review, and penetration testing, can help you find and fix errors and flaws in your code. Additionally, you should adhere to data protection laws and regulations.

Add your perspective

Hari Hara Chandan Ganesan

Director of Software Engineering | Zones
Report contribution
One more dimension to think about is the infrastructure on which the code will be deployed. Secured code & secured infrastructure are two main pillars of security.

Like
Cherian Thomas

Cyber & Corporate Security Leader | CISSP | Engineering | GRC | Risk | Privacy | CMMC | Advisor | Mentor
Report contribution
Security at scale can achieved much more efficiently through automation. Invest into building automation in all the areas mentioned above. and then have a well defined risk-based methodology to know when the automation would need to alert & allow Vs alert & block.

Like

3 Adopt the agile security and ethics mindset

If you are working in an agile SDLC, you need to adopt an agile security and ethics mindset, which means integrating security and ethics into every stage and iteration of your development process. This can be done by applying security and ethical requirements as user stories and acceptance criteria in your backlog and sprint planning, incorporating security and ethical testing and review into your CI/CD pipeline, collaborating and communicating with your team and stakeholders about the security and ethical aspects and challenges of your code, and learning and improving from the feedback and lessons learned from security and ethical incidents and audits.

Add your perspective

Cherian Thomas

Cyber & Corporate Security Leader | CISSP | Engineering | GRC | Risk | Privacy | CMMC | Advisor | Mentor
Report contribution
Adding security as an acceptance criteria alongside quality and at the user stories level, needs to be well thought out before rolling it out across the whole product backlog. When introducing it initially, it will slow down the release process, but will reap benefits in the medium to long term. There needs to be a balance so its not onerous on the development velocity and at the same time it doesn't become a low value-add checkbox task.

Like

4 Follow the code of conduct and ethics

Finally, you need to follow the code of conduct and ethics that applies to your profession and organization. This code of conduct and ethics defines the values, principles, and responsibilities that you have as a software developer and a member of the society. It also provides guidance and resources for resolving ethical dilemmas and conflicts that you may face in your coding practice. You can refer to the code of conduct and ethics of your professional association, such as the ACM, IEEE, or IET, or your employer, client, or project.

Add your perspective

NARAYANAN PALANI 👁️🗨️

Platform Engineering Lead | AWS ,Azure ,Google Cloud Certified Architect | Cloud Solutions Expert | Driving Innovation in Retail, Commercial & Investment Banking | CI/CD | DevOps | Cloud Transformation
Report contribution
👉Both OWASP and SANS25 are best industry examples to tell on what are the latest industry security vulnerabilities. 👉It is highly recommended to follow code best practices to avoid security issues but not all the issues can be discover-able hence scanning code in frequent CI methods are highly recommended!

Like

How do you balance speed and quality in agile SDLC without compromising security?

1

2

3

4

1 Understand the security and ethical requirements

2 Follow the secure coding principles and practices

3 Adopt the agile security and ethics mindset

4 Follow the code of conduct and ethics

Software Development Life Cycle (SDLC)

Rate this article

Thanks for your feedback

More articles on Software Development Life Cycle (SDLC)

More relevant reading