Agile – SDLC & Security
Are these three topics in the same blog article an oxymoron? Well having worked in development shops for a long time, including Red Hat Linux, I decided a while back to get my Certified Scrum Master (CSM) certificate. My objective was to learn how the three could live in harmony and how security could be applied to the quickly moving concept of Agile development. What I determined was if done correctly the CI/CD pipeline actually moved more swiftly once security processes were integrated. Finding and remediating security issues later on in production slowed development down to much and often the back log of security issues were overlooked earlier on.
Essentially identifying security and other performance issues early on in the SDLC process is cheaper. When discussed in a threat modeling manner during application architectural planning stages will help create a development culture that is security aware. Application and solutions with proper SAST, DAST, and Pentesting whether integrated into IDE tooling or stand alone solutions can further isolate and minimize affects of security issues so they can be part of the cycle instead of an after thought. Essentially integrating security early on may make the initial process more complicated but in the long run the smoother handling of issues will prove to result in a good ROI.
