Comsec Consulting Refreshes Approach To Ensure A Secure Agile Software Development Lifecycle (SDLC)

LONDON, UK, 16th September 2008, Comsec Consulting, a leading information security consulting firm, today unveiled its updated approach to ensure a Secure Agile Software Development Lifecycle (SDLC).

Avi Douglen, Comsec’s Senior Application Security Consultant, said, “At Comsec, we have seen a substantial increase in the adoption of Agile software development methodologies.  These promote development of software in small increments, with minimal planning, open collaboration and process adaptability throughout the lifecycle of the project.”

In a recent survey conducted by DrDobbs.com, a well-regarded, professional technology journal, over 65 per cent of respondents within organisations have adopted one or more Agile development techniques and 41 per cent have adopted one or more Agile methodologies.  Agile development methods pose a great challenge to the often time-consuming requirements of security, such as full security audits and design documentation. 

Mr Douglen continues, “Comsec has developed a new approach which takes into account our customers’ methodologies, Agile principles, organisational structure, staff knowledge, current technologies and available documentation.  Comsec’s innovative approach ensures the required level of software security and fully integrates to provide the benefits of Agile development methods and a Secure Software Development Lifecycle.”

Based on its extensive knowledge and experience, Comsec has revealed its Agile Secure Software Development Lifecycle approach which involves a combination of three general activities that ensure information security is involved within the development lifecycle of companies implementing Agile software development methods.

The three general activities are:
•   A small number of security focused sprints, or iterations, based on user security stories and other relevant software security requirements;
•   intense security days at critical phases of the design, construction and testing.  These are a small piece of the regular iterations, and can be carried out in part by security experts who are part of the development team.  Such efforts include lightweight Threat Modeling and focused security testing according to the business context before each major release; and
•   security education for developers, testers, and management, in addition to use of automated tools.

An important aspect of Comsec’s approach is knowledge transfer. As with Agile development itself, this is important because programmers often must make the right decisions themselves, without any supervisory process and minimal quality control. Comsec assists companies in establishing a secure Agile infrastructure and accompanies the process of Agile development methods implementation, whilst integrating security within the short time frames and changing situations organisations are facing.