Agile Security

Security first

Do the penetration testers always leave things to the last minute? This can cost you dearly. Applications that aren’t secure open doors to potential hackers, which puts your corporate data and reputation at risk.

Because applications and systems are becoming increasingly complex, you should play it safe when it comes to your agile software development. Here, too, protecting your applications is important to us. This is why Agile Security, our agile development offering, covers the entire software life cycle (secure SDLC) – from planning to development and implementation.

You get an all-round package that truly puts your mind at rest. In other words, we’ll take care of ensuring that you can develop and use your applications in an agile, secure manner. In the cloud as well as on-site.

What makes for a good piece of software? Performance combined with security. However, unfortunately, our experience shows this: All too often, companies compromise on security. And where do you stand?

As of the coming into force of the EU General Data Protection Regulation (EU GDPR) in May 2018, security is a topic that everyone needs to take seriously. This is due to Article 25 of the GDPR.

It demands that the protection of personal data be taken into account even at the development stage by means of “appropriate organizational and technical measures” such as pseudonymization. The guidelines of ISO Standard 27034 on IT application security also take this tone. However, the reality is usually a different matter. Many companies work in accordance with the principle of adding in security during the test phase or simply carry out a penetration test before productive use. But that’s nowhere near enough to ensure the holistic security of your applications. For this reason, security needs to be taken into account in the requirements phase, and must be made into a fixed part of the software architecture, development, testing, and operation.

From a technical security point of view, the software architect needs to lay the foundation stone. The architect provides developers with the “big picture” and supplies important information as to how the modules interconnect and which security aspects need to be taken into account for the various modules.

Recent surveys tell us this: There’s an average of one security expert for every 100 developers. This is worrying, since software cycles are getting shorter and shorter, and software is delivered by the minute. One thing’s clear: The security model often used in the past of adding in security measures during the test phase can no longer work.

We’ve chosen a different approach right from the start. We give the aspect of security an important role. And we train developers to be security champions. This places security at the heart of the agile development team – and turns DevOps into Secure DevOps (DevSecOps).

Security champions have the following methods at hand:

• Anchoring security awareness in the team
• Threat Modeling
• Supporting security requirements (AbUser stories)
• Carrying out security code reviews together with the developer
• SAST (Static Application Security Testing)
• DAST (Dynamic Application Security Testing)
• Web Application Security (OWASP Top Ten)
• Monitoring/metrics for security problems (dashboards)
• Real-time intrusion detection (automatic recognition of attack patterns and implementation of countermeasures)
• Project evaluation using security maturity models (e.g. OpenSAMM)
• Training further security champions

The implementation of security aspects is an additional investment. But it’s an investment that pays off. After all, the loss of sensitive data can be very costly indeed. In extreme circumstances, it might put the survival of your company at risk. Consider this, too: If you have to consistently build security into your project later on, that means building security into the entire SDLC (software development life cycle). This brings new challenges that require a new architecture – with new modules and systems.