
SAFECode guides agile developers in security



Suzanne Kattau
July 23, 2012 — The Software Assurance Forum for Excellence in Code (SAFECode) last week released “Practical Security Stories and Security Tasks for Agile Development Environments,” a paper that guides agile software developers in secure software development practices.

This new paper provides security-focused stories and security tasks that can easily be integrated into agile-based development environments. The guidance in the paper is not intended to replace security experts, but rather seeks to add a level of self-service for agile developers.

“Because the tasks are translated in a format that agile team members are familiar with, the role of the security expert can take a backseat during development,” Reeny Sondhi, director of product security assurance of the product security office at EMC and one of the authors of the paper, told SD Times in an interview.
“Rather than waiting to the very end for some security expert to come do security, this is an attempt to try and bake security in throughout the development life cycle by the developers themselves.”

“Now we are actually putting something on the backlog that a team can come at at the beginning of a sprint—and hopefully most of the sprints—and remove that from the backlog, make sure it gets into what’s called the definition of ‘done’ at the end of the sprint, and then be aware of that and reuse it as necessary during the course of the many sprints,” said Izar Tarandach, principal security engineer of product security at EMC, and one of the authors of the paper. “We are adding basically guidance, assurance and actual tasks that agile developers can perform and keep in mind in a setting that’s familiar to them and one they like to relate to, which are stories and backlog tasks.”

The paper is the outcome of a collaboration of SAFECode members working to simplify the process for addressing security assurance tasks as part of an agile development methodology. SAFECode members that contributed to the paper include Adobe, EMC, Juniper Networks, Microsoft, Nokia, SAP, Siemens and Symantec. SAFECode is an industry-led non-profit organization whose mission is to increase trust in technology products by advancing software assurance methods.



