The core of secure software development with agile methods is the definition of security requirements and their verification. We distinguish the requirements by their scope. First, project-wide requirements are kept as Secure Coding Guidelines and serve as a reference for peer reviews within the scope of pull requests, as well as a starting point for new project members. Second, certain tickets need special security properties. These include important steps in a user's workflow such as login, registration, or resetting a forgotten password. Those requirements have to be coordinated with the decision-makers and must be defined in the developers' language.
Ideally, the verification of the requirements happens shortly after the code is completed, e.g. shortly before or after the feature branch is merged. As a rule of thumb: the project-wide requirements can usually be tested automatically with the help of tooling, whereas the ticket-based requirements often have to be tested manually.
- architecture and process reviews in the early project phase
- security integration into existing ticket and collaboration workflows
- coordination and definition of security properties on ticket level where appropriate
- planning of manual or (semi-)automated penetration tests, code analyses and security audits, and their realisation
- setup of automated security tests and implementation of the technical processes behind them
- support with the adoption of continuous integration and continuous deployment processes