The introduction of Agile software development lifecycles has revolutionized how applications and software are developed. At the same time, the discussion around incorporating security into the agile development process has been well supported by the DevOps and DevSecOps movements. Time plays a critical role in agile development, so security testing activities must be integrated cohesively into the development process so that they do not increase the time-to-market (TTM) of an application.
Generally, security testing activities are performed for two purposes:
- To test the security requirements related to confidentiality, integrity, availability, authorization, authentication, and non-repudiation, and
- To test the software or application in order to validate how well it can withstand a cyber attack.
When the phrase “agile testing” is used, it means that the developers immediately integrate changes into the main system, continuously test all changes, and keep the test cases updated so that they can run a regression test at any time to verify that their additions have not broken existing functionality. Here, developers face an uphill task when incorporating security testing into their agile development processes, owing to a lack of practical guidelines as well as of empirical studies based on real-life projects. In other words, given that the concept of agile security testing is still in its nascent stages, a more systematic approach is needed.
At the same time, it cannot be denied that security remains an under-addressed issue for agile development teams across the globe. Lack of security knowledge within agile teams, a high dependency on penetration testers, and ignoring security during static testing are some of the practices that further worsen the situation.
Figure 1: Incorporating Security and Development
Four Quadrants of Agile Testing
Figure 2: Four Quadrants of Agile Testing
Each quadrant in Figure 2 reflects a different reason for testing. Traditionally, testing is involved late in the development process, and then only to detect failures, not to prevent them. Developers focus excessively on the quadrants on the right-hand side, i.e., they critique the product, but they do not play a supportive role in guiding its creation. In agile testing, the involvement of testers is not limited to the identification of failures but extends to preventing them, and hence automation is an excellent enabler for agile testing. There have been some initiatives in this direction, such as Microsoft’s security framework that is integrated into the Microsoft Security Development Lifecycle for Agile.
It is often assumed that developers have some familiarity with secure coding, but this assumption does not always hold true. As we have seen while working with our clients, developers’ confidence in their application’s resiliency against cyber attacks is substantially low. Hence, there is an increasing demand for better use of standards and guidelines for secure coding and testing practices, such as the OWASP Top 10.
Certain excerpts in this blog post have been taken from:
- Crispin, L., Gregory, J.: Agile Testing: A Practical Guide for Testers and Agile Teams. Addison-Wesley Professional, Boston (2009)
- Cruzes, D.S., Felderer, M., Oyetoyan, T.D., Gander, M., Pekaric, I.: How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams. In: Baumeister, H., Lichter, H., Riebisch, M. (eds.) Agile Processes in Software Engineering and Extreme Programming. XP 2017. Lecture Notes in Business Information Processing, vol. 283. Springer, Cham (2017)
- Felderer, M., Büchler, M., Johns, M., Brucker, A.D., Breu, R., Pretschner, A.: Chapter One – Security Testing: A Survey. Adv. Comput. 101, 1–51 (2016)