Linked by Thom Holwerda on Mon 8th Aug 2005 13:45 UTC, submitted by cankles
General Development Agile development methodologies might be the new fad in software design, but how much emphasis is there on secure code? Australian .NET developer and consultant at Readify, Rocky Heckman, reveals some concerns of agile development methodologies.
RE: pulled info out of where?
by timkar on Mon 8th Aug 2005 20:27 UTC
>His assertions seem to be based on the list of Agile
>Principles. Here it is, summarized:
>
>1) Do as little work as possible.
>2) Code in teams.
>3) Deliver early and often.

>It doesn't say anything about security or code
>inspections.

First, true, it also doesn't say in there that a customer has to be able to use the software or that the developer must show up wearing pants to work. My point is, there's a lot in this grievously-condensed list of principles (and it is, at best, grievously-condensed). Security is a requirement that is easily expressed in business requirements, be they in the form of state diagrams, requirements documents or user stories.

Second, a statement to lump all agile methodologies together and pass down a ruling on their collective impact on security should go down in history as one of the great blanket statements of all time. Nothing could be more fundamentally flawed and lacking in understanding of the variety and nature of various agile methodologies.

Third, this list does not begin to sum up the principles and values of THE MOST agile methodology.

Fourth (and I think this is one of the most misunderstood concepts behind ANY methodology), no methodology should be taken out of the box and applied wholesale without considerable consideration examining its principles and the methodological requirements of your product. Any and all methodologies should be tooled and tailored to fit a team's needs, and if that includes a security review facet, so be it.

This article either expresses the author's ignorance of real development or is FUD.
