
Re: [XP] Agile in Secure Software development (message 159167)

  • John Roth
    Aug 20, 2014
      On 8/20/14 9:51 AM, bjoseph866@... [extremeprogramming] wrote:

        Hey Guys,

        My company is interested in implementing Agile, but we can't seem to figure out how to also incorporate security software development. In essence, we need some best practices on how to incorporate secure software development procedures into Agile.


      Are you talking about security requirements in application software, or software whose main function is some form of security?

      In both cases, I'd suggest automated functional testing. The Agile part is that the functional tests should be defined as part of fleshing out the story, not later, so they're there when the software is being constructed.

      As an example, last year there was a CVE against Python for a potential DoS attack gaming the hash function used in maps so it was linear time instead of log(n). From an application viewpoint, the testing tactic might be to test that only legitimate key-value pairs for the specific transaction are inserted into the map. This isn't something one would expect to fall out of the TDD loop; it needs to be specified.

      Here's a long-form article on unit testing in respect to the go-to-fail and heartbleed bugs. It's not specifically agile, but then agile doesn't prohibit writing other unit tests, it simply discourages doing it after the rest of the software is written. http://martinfowler.com/articles/testing-culture.html

      John Roth
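The testing tactic the reply describes, written out as an added example that is not code from the thread: a request parser that admits only the key/value pairs a given transaction legitimately uses, refusing unknown, duplicate or surplus fields before anything is inserted into the application's dict, together with the functional checks one would write while fleshing out the story. The transaction names, `TRANSACTION_SCHEMAS`, `parse_transaction`, `RejectedInput` and `is_rejected` are assumptions made for this example. The `max_num_fields` argument of `urllib.parse.parse_qsl` is a real standard-library parameter (documented as added in Python 3.8) that makes the parser itself refuse oversized query strings.

```python
"""Added example: bound what an untrusted request may insert into a map.

Assumptions (not from the thread): the transaction names and field lists
below are constructed for illustration; the function and class names are
invented for this example.
"""
from typing import Callable, Dict
from urllib.parse import parse_qsl


class RejectedInput(ValueError):
    """Raised when a request carries fields the transaction does not define."""


# Hypothetical schemas: transaction name -> allowed field name -> converter.
# Every key that may end up in the application dict is listed here; nothing
# chosen by the client is used as a key unless it appears in a schema.
TRANSACTION_SCHEMAS: Dict[str, Dict[str, Callable[[str], object]]] = {
    "transfer": {"from_account": str, "to_account": str, "amount": int},
    "balance": {"account": str},
}


def parse_transaction(name: str, query_string: str) -> Dict[str, object]:
    """Parse a query string for transaction `name`, admitting only schema keys.

    Rejects (rather than silently ignores) anything outside the schema, so a
    functional test can assert that unexpected pairs never reach the map.
    """
    schema = TRANSACTION_SCHEMAS.get(name)
    if schema is None:
        raise RejectedInput(f"unknown transaction {name!r}")

    try:
        # max_num_fields caps the pair count at the schema size, so the
        # stdlib parser refuses an oversized request before we build a dict;
        # strict_parsing turns malformed pairs into errors instead of guesses.
        pairs = parse_qsl(query_string, strict_parsing=True,
                          max_num_fields=len(schema))
    except ValueError as exc:
        raise RejectedInput(f"malformed or oversized request: {exc}") from exc

    fields: Dict[str, object] = {}
    for key, value in pairs:
        # Check membership before the insert: only legitimate keys for this
        # transaction are ever used as dict keys.
        if key not in schema:
            raise RejectedInput(f"unexpected field {key!r} for {name!r}")
        if key in fields:
            raise RejectedInput(f"duplicate field {key!r}")
        try:
            fields[key] = schema[key](value)
        except ValueError as exc:
            raise RejectedInput(f"bad value for {key!r}: {value!r}") from exc

    missing = schema.keys() - fields.keys()
    if missing:
        raise RejectedInput(f"missing fields: {sorted(missing)}")
    return fields


def is_rejected(name: str, query_string: str) -> bool:
    """Helper for the functional tests: True if the request is refused."""
    try:
        parse_transaction(name, query_string)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    # Functional checks, written alongside the story rather than afterwards.
    print(parse_transaction("transfer",
                            "from_account=acc-1&to_account=acc-2&amount=25"))
    print(is_rejected("transfer",
                      "from_account=acc-1&to_account=acc-2&debug=1"))  # True
    print(is_rejected("balance", "account=acc-1&extra=x"))  # True
```

The checks live next to the story because nothing in the TDD loop would otherwise force the "reject unexpected fields" behaviour into existence; the positive path (a valid transfer parses) and the negative paths (surplus, unknown, duplicate, malformed and missing fields are all refused) are specified up front and stay green as the handler is built.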