CyberUK may seem like ancient history now but I hope we gave you lots to think about. Here I share what I took away from the Securing Agile Delivery Track, and talk about what’s going to happen next.
What did we learn?
The title may have been a bit of a spoiler… but the overriding theme of the day was collaboration. Engagement on security issues by everyone in a delivery team is essential to get that baked-in security goodness.
When thinking about incorporating security into agile delivery, as technologists we tend to leap straight to the technical solutions. Whether that's a scanning tool or a specific control, none of these things automatically generate a suitable secure product (and those that prove useful in one situation will not necessarily suit another). By going back to the basic principles of agile as described in the agile manifesto, we can see that agile has the potential to improve security, and build resilience by enabling us to recover faster after an incident.
A slide from Dan North’s talk, our opening session of the track, with his tweaked version of the 12 agile principles, updated for today’s pace of development.
The agile manifesto doesn’t say anything about specific technology. Good communication and engagement are central to making anything work in an agile manner, and security is no different.
Agile is all about the people
The agile principles take advantage of the way humans learn most effectively: through peer-to-peer interactions. Even a small number of trusted people who care about security issues in an organisation can spark interest in colleagues by osmosis. To conclude the track's panel discussion, our speakers were asked what the one most important thing we can do to embed security in agile is. Graham from Microsoft summed it all up with his answer: build a culture of understanding and allow people to see the effects of their decisions.
Embrace collective responsibility
People closer to the problem are more likely to make the right decisions. If the people with most knowledge of your product are not the same people as those with security experience, then breaking down the boundaries between them should be the priority. By encouraging a culture where people are confident to raise dissenting opinions and ask questions, you'll improve your team's decision making and increase innovation. Research tells us that the collective intelligence of a group has much more to do with the strength of connections between members than with the sum of individual intelligence.
True collaboration, working in partnership in pursuit of a common goal, is much more than just communication. For collaboration it's important to avoid the 'diffusion of responsibility' trap we can fall into when more than one person is responsible for something. This issue occurs when security is regarded as something different from, or separate from, what people are already doing, and differences in language exacerbate the problem. By calling it 'security' instead of the thing people are actually trying to achieve (for example 'session management', 'correct encryption', or just ‘doing things properly’), we make it sound like it's somebody else’s problem.
No developer wants to write bad code. Evidence suggests most developers are genuinely interested in learning about the security implications of their work, but it will never happen if it’s not explicitly encouraged within the team and by leadership. A developer’s job is to solve problems and security is one of the biggest challenges around – let’s get everyone on board!
Revel in shared purpose
Security must have a purpose. You have to know exactly what you’re trying to protect, and how this contributes to the business objectives. If everyone in a team shares this common understanding and feels like they are all on the same side, working towards the same end goal, then there will be no lack of motivation to take security seriously. The common purpose will give your team a sense of unity and identity, and a better appreciation of how everyone's unique contributions are important to the whole. Teams that trust each other make better products.
Agile can make you stronger
These days most of our problems are in the complex space – there are too many unknown unknowns to be able to predict every threat. This is exactly the kind of problem that agile is designed for. Taking an agile approach to delivery can enable faster recovery from any security incident. On a technical level, the opportunities to introduce checks into deployment pipelines can prevent simple issues getting through and free up security expertise time to work on the harder problems. Most importantly, the principle of constantly thinking about your users is enshrined in all agile approaches, and as we all know, if security doesn't work for people, it doesn't work.
However, there is always an agile ceiling. A team can only be as agile as others they engage with, so keep pushing that ceiling up. Collaboration doesn’t happen by chance.
When done well, security isn’t seen as a blocker to delivery. The only real blocker is not having everyone involved in delivery fully embrace the agile principles. Just calling yourself agile for the sake of being agile is potentially the worst of all worlds!
The Sociotechnical Security Group is currently undertaking grounded theory research into how agile teams incorporate security, working with industry and government partners. Contact us if you are interested in taking part in our research interviews, and look out for future blogs and guidance based on our findings.
You may also be interested in the NCSC's upcoming Secure Software Development guidance that was introduced during the track. In the meantime, why don't you challenge your team to think about the way you interact with others? How could you up your collaboration game? Feel free to share your ideas below.
Sociotechnical Security Researcher