Agile development increases the output of software development projects by using a faster, more iterative engineering process. This pace also allows rapid course correction, which is great for meeting customer requirements quickly, but also makes the process inherently more tolerant of errors.
As we know, hackers thrive on errors, and that means that agile development can be a gold mine for cyberattackers. Adding to the problem are traditional cybersecurity approaches like anti-virus and firewalls and the fact that traditional systems are notoriously tricky to configure correctly, and often present an easy target.
But, there’s no need to despair, says Alex Gounares, the founder and CEO of Polyverse, as agile security makes it possible to achieve both engineering speed/responsiveness and good security.
What is agile security?
Agile security is an approach to building secure software that takes the core principles of agile development, such as repeatable, scalable software development, and meshes them with leading-edge moving target defense cybersecurity technologies.
“There are seven core principles to agile security, but for starters, consider two simple ones: minimalism and repeatability. Minimalism says run only the software you need, and nothing else. Microsoft Windows is, for example, over 20 gigabytes. Is there any single human on the planet that can understand everything that is in those 20 gigabytes? And do you need all of it? Do you really need floppy disk support? Because, if you are running Windows, you still have it! And all that extra bloat becomes with stuff that has to be tested and protected,” he explains.
“Conversely, something like Alpine Linux can be as small as 20 megabytes – literally, a thousand times smaller and a thousand times easier to deploy, understand, test and secure. After all, there’s so many fewer things for attackers to exploit.”
The repeatability principle rests on the idea of automating as many things as possible and being as precise as possible about it: run what you know, and only what you know.
“In the early days of the Internet, updating a major cloud service could take a month or longer. If that update was needed to correct security issues, It was a very long time to wait. With agile development, and agile security, the idea of a ‘push button deployment’ allows for updates to made literally at the click of a button,” he adds.
Implementing agile security
Organizations should start small and adopt the principles of agile security incrementally and iteratively, just as they would for any agile software project.
A polymorphic version of Linux provides binary diversity, can be installed in mere seconds, and doesn’t require other changes. In those few seconds of additional work, one can neutralize over two thirds of all the vulnerabilities out there.
“The move doesn’t mitigate every problem, but it’s probably the highest ROI activity you’ll do all year,” Gounares notes.
Running code analysis tools is also something that can be easily integrated into the engineering pipeline, as some of these tools are even available as plug-ins for popular text editors used by software engineers.
“Admittedly, some of the other recommendations can be much more complicated and time consuming to implement. A shift from Windows to Alpine Linux (to use the example above) may be impractical if your application relies heavily on Windows features,” he acknowledges.
But, the biggest challenge tied to the implementation of agile security is not technology, he says, but people. More specifically, the security compliance bureaucrat.
“The security compliance bureaucrat is the one with the manual checklist of 300 items to do for every release, the one mandating that all internal network traffic be in the clear so that legacy IDS can ‘work’, the one insisting that every server is over 120 GB so that the images are ‘standardized’ (and out of date),” he explains, and insists that these are not hypothetical examples.
“I have personally witnessed each of these sins – this is what happens in the real world. These bureaucrats are not bad people, but simply well intentioned people given a checklist of things do to and told to make sure this checklist gets done. At one point in time there likely was a good reason for the checklist, but in a world of agile security, not only do a lot of those checklists not make sense, many recommendations are actually damaging to an organization.”
Agile security can make life easier for software developers, but the benefits will eventually be felt by the consumers.
“Today our industry imposes a huge burden on our customers to deal with security. As agile security evolves, we will be able to build intrinsically secure systems that just work,” he concludes.