« Agility and Security Like Open Source Software and Profits | Main | Speaking to SA-SPIN about Agile and Secure on June 13th »

October 25, 2006

Comments

Anand Rajagopal

The article is great. I do have a question and would like to know what your thoughts are. The title seems to suggest that Agile developers generally ignore security. This might upset senior developers. Some senior developers and teams might already just write secure code. Also, are there any studies that suggest other development strategies like waterfall take security into account?

Dan Cornell

I believe that developers and development groups in general tend to ignore security. That is not the case for everyone, but if you look across the industry I think that it is fair to say that security is not a primary concern in a lot of organizations.

Hopefully senior developers will have the experience and perspective to integrate security into their designs and code. My concern is that in Agile projects you need to have security applied consistently - it can't just be the responsibility of one or two folks. Everyone has to have a base level of knowledge so code can have shared ownership.

As I mentioned above I think the industry average for secure development is pretty bad, but in Waterfall methodologies it is easier to implement SDL-like, command-and-control security. Because of the reduced documentation in Agile projects and the acceptance of change it can be a challenge to promote a unified vision of the system's security.

The comments to this entry are closed.