DEVOPS APPSEC CONFLICT - 2

The agile development methods are actually the combination of the tiny iterations of the Waterfall model. In every iteration, all processes in the waterfall model are operated. Therefore, all of the security tests have to be completed in the timeline of a sprint. If we take into account the static analysis test phase and the bug closure times, we can easily understand that vulnerability tests must be done in the course of software development.

This issue can be solved by a developer who knows about security weaknesses. By reviewing the code regularly, a software developer can warn his/her colleagues to watch out the flaws that are located in their code. But this time-consuming job needs extra resource and passion in the team. In a small team that becomes an ignorable task to continue the secure SDLC process.

If you scan the whole project with a static analyzer, you can see some results that are out of the sprint scope. So, if we can analyze the code while developing it, wouldn't be wonderful to fix them before a sprint retrospective meetings? No one will complain about vulnerability fix time, no one will argue with a specialist from the information security team :)

That is a new perspective for the agile security, the product variety of these kinds of applications are not ready for all of the platforms. As AttackFlow, we developed the C# version of this development friendly tool, soon we will release it for the Java IDE's. Next time I will mention about developer security scorecard generation methods...