Is agile's inattention to security to blame for software vulnerabilities?

Organizations across the globe are rapidly adopting agile frameworks for managing and implementing software systems. Agile frameworks like the Scaled Agile Framework (SAFe), Scrum, Kanban and many others are popular, with industry reports indicating more than 70% of organizations are now using agile approaches for managing projects. However, daily headlines point to cybersecurity breaches, website vulnerabilities and data loss issues. Do the agile frameworks commonly used by industry share some blame for the lack of security in systems?

A quick search on the SAFe website does not show even a single reference to the word “security” in the core tenets and principles of systems design and implementation. Further, reviewing the roles and responsibilities of key positions associated with agile development like product managers and product owners likewise does not return a single reference to security as a core responsibility. In an age where accountability for cybersecurity is increasingly a boardroom issue, it is important that security not be considered a non-functional requirement without adequate management oversight. The need for security in digital systems must be a core tenet, and key personnel should be held accountable for ensuring those requirements flow through the agile systems development lifecycle.

This issue is especially important for the federal government, which spends over $90 billion on IT. The President's Management Agenda and the Centers of Excellence drive modernization using artificial intelligence, big data and cloud services to improve efficiency and customer experiences. Given that innovative technology solutions come from industry, it is critical that we harden the supply chain and make sure we raise the bar for software and system security.

Numerous interviews with digital systems developers and managers from non-profits, health care and financial services companies demonstrate that security is an afterthought and continues to be a bolted-on feature. Industry by and large still does not consider security a core design principle. Key personnel responsible for product management such as product managers, product owners and architects do not have adequate training or accountability for building secure systems. Nor do they consider security is a core responsibility. Most believe that security is the responsibility of the “security team” and can be solved by simply hiring a chief information security officer.  They often create a separate security organization headed by a CISO who has neither the mandate nor the resources to drive deeper organizational transformation. This current approach is highly reactive, designed to resolve issues based on scans conducted by external security teams instead of being proactive and baking security requirements into the design itself.

Persistent security issues with commercial software and systems become readily evident when companies apply for authority to operate from the Federal Risk and Authorization Management Program. Simple requirements like multifactor authentication, strong password rules, data encryption at rest and in motion are often lacking in commercial systems. This requires expensive remediation and compensatory controls delaying the ATO process.

What if requirements based on globally accepted best security standards like the National Institute of Standards and Technology SP 800-53 or ISO 27001 were a core tenet of systems development and product owners had an obligation to incorporate them? Wouldn’t we get more secure systems as a result? As former DOD CIO Terry Halvorsen said many years ago, it is not a matter of industry developing special requirements for DOD but instead for government and industry together to raise the national bar and have some common security standards.

The goal of this piece is not pick on a specific framework or methodology but to help raise awareness and drive evolutionary transformation toward secure digital systems. Agile frameworks have been hugely successful in helping deliver software systems faster while meeting customer requirements with superior results over traditional waterfall methodologies.

There is hope on the horizon.

During a panel discussion at the recent Trend Micro Directions 2019 conference, a speaker from Vonage described how the security team got greater cooperation from the product owner when the application team hired an application security engineer. This helped streamline communications between the product owner and the security team to help ensure that security issues were acknowledged and addressed. This example is telling. Security cannot be a bolt-on feature that is sole responsibility of the security group. Security culture must be baked into the core systems design and development process, and the only sustainable way to drive security awareness is to assign responsibility and accountability at the beginning of the development lifecycle. This can be done by hardening commonly used systems development frameworks. Key personnel associated with systems development such as product owners and product managers must have a line item in their job description to “deliver a secure system.”

The government relies heavily on commercial software systems, cloud services and new solutions like AI, big data and robotic process automation among others to improve citizen services. Many of these new systems will be developed with agile methodologies, and all will require strong security features. Perhaps it is time that government, nonprofits and industry organizations help agile framework developers refine and evolve their playbooks to incorporate security best practices.