GDS reassures developers that agile and security can go hand in hand
There are practical ways to build government systems securely using an Agile approach, so long as the focus is on embedding security into development so that everyone can build securely without having to be an expert.
That means a compromise is possible between traditional security approaches and the more open agile way of working, GDS experts have assured the community.
The guidance was recently shared on the GDS website, in the form of a summary of an extensive agile and security conference presentation by team member Michael Brunton-Small. (The full speech Brunton-Small delivered is available on YouTube.)
Among his recommendations, Brunton-Small suggests all risks should be documented in a ‘risk log’ that can be viewed by the project team at any time.
At the same time, systems that are simpler are easier to understand and secure, he advises: “It’s the role of security teams to make it easy for product teams to choose the secure option. For example, security teams can provide libraries for identification or authentication, or patterns on how to configure software.”
There’s also the problem of ‘security debt’. Agile teams need to move fast, and that speed sometimes means not immediately addressing a security concern. This leads to a build-up of ‘security debt’, he points out, which needs to be paid back in later iterations.
Security teams can address this ‘debt’ by putting stories into the product teams’ development pipeline, or adding acceptance criteria to current development stories, says Brunton-Small, but this requires close collaboration between the product team and security experts. (Another option would be to have a team entirely focussed on security debt, but this can obstruct the pace of the product team, who may be forced to wait for a security iteration before they make their release.)
Interestingly, Brunton-Small says the rise in DevOps should be welcomed, as this has made operational security much easier.
“We treat infrastructure as code where possible,” he says. “This gives us much more agility to quickly react to emerging threats in a security context (and) means we can trace every change to a system and quickly see when and why changes were made.”
“Done well, agile development and operations go hand in hand with secure systems,” he concludes.
“Security teams often rely on speed and transparency and this means involving many members of a development team in the response to threats. Agile is also built on the same principles of collaboration and responding to change; with a change of mindset, there’s no reason why security should be seen as a blocker to agile development.”