Faster application development can improve security

More than 80% of organisations across the EMEA region have switched to agile software development methodologies, research has shown.

Quicker time to market is the obvious reason for this trend, as highlighted by preliminary findings of a study by Forrester Research, but other benefits include better security.

The main driver is faster application development as limited functionality is added through a series of short cycles that go through the whole development lifecycle.

This also gives organisations the flexibility to change requirements on the fly to adapt the software quickly to changing business conditions and requirements.

The quality of code is improved because each component goes through an intensive specification, design, coding and testing process before moving on to the next phase or iteration.

Communication and co-ordination

Unlike traditional sequential or waterfall programming methods, agile programming involves systems analysts, developers and quality assurance teams throughout the process.

This demands a much higher level of communication and co-ordination between these formerly separate teams, says Jonathan Rende, vice-president and general manager, business technology optimisation applications at HP.

Most organisations moving to this methodology find managing the cross-team interactions the most challenging, making it essential to have supporting IT systems in place, but the benefits are great, he says.

One of the biggest benefits, beyond a 10% to 20% reduction in development time, is confidence that the software you deliver will do what it is supposed to do, says Rende.

This quality gain is not confined to function and performance, as HP has found in the four years since switching to an agile methodology at its three main software development centres in the US, Israel and the Czech Republic, he says.

Because coding takes place in multiple, shorter bursts that go through the whole software development lifecycle, security is frequently tested, enabling developers to eliminate vulnerabilities early on in the development process.

"This early detection can dramatically reduce the cost and risk associated with the release of applications," says Rende.

Hybrid approach

But frequent testing at every stage of development is possible at scale only by automating processes, says Ed Hill, EMEA application security solutions lead for HP. "Continual scanning for vulnerabilities means you are able to cut out risk related to human error," he says.

But a hybrid approach that combines static and dynamic code testing is more efficient because it eliminates false positives to highlight only serious flaws, says Hill.

Static source code analysis checks for any syntactical and logic errors, while dynamic testing analyses how the running software deals with a range of simulated standard hacking attacks.
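The correlation step at the heart of the hybrid approach, as an added illustration rather than code from HP, Fortify or BT: static findings carry a source location, dynamic findings carry a URL and parameter, and a static finding confirmed by a matching dynamic result is the one worth treating as a serious flaw. The route table and findings below are constructed sample data.

```python
"""Correlate static (SAST) and dynamic (DAST) findings, hybrid-analysis style."""
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticFinding:
    handler: str      # function that contains the flagged sink
    parameter: str    # tainted input name
    category: str     # vulnerability class, e.g. "sqli", "xss"
    location: str     # file:line of the sink

@dataclass(frozen=True)
class DynamicFinding:
    path: str         # URL path that was probed
    parameter: str
    category: str

# Constructed sample data: a route table mapping handler functions to URL
# paths, plus findings as a SAST tool and a DAST tool might report them.
ROUTES = {"user_search": "/users/search", "comment_post": "/comments", "export_csv": "/export"}
STATIC = [
    StaticFinding("user_search", "q", "sqli", "users.py:42"),
    StaticFinding("comment_post", "body", "xss", "comments.py:17"),
    StaticFinding("export_csv", "fmt", "sqli", "export.py:88"),   # not reachable at runtime
]
DYNAMIC = [
    DynamicFinding("/users/search", "q", "sqli"),
    DynamicFinding("/comments", "body", "xss"),
    DynamicFinding("/login", "next", "open_redirect"),           # no static counterpart
]

def correlate(static, dynamic, routes):
    """Return (confirmed, static_only, dynamic_only).

    A static finding is confirmed when a dynamic finding hits the same path,
    parameter and category. Confirmed findings are triaged first, static-only
    ones are candidate false positives, dynamic-only ones still need a source
    location before they can be fixed."""
    dyn_keys = {(d.path, d.parameter, d.category): d for d in dynamic}
    confirmed, static_only = [], []
    matched = set()
    for s in static:
        key = (routes.get(s.handler), s.parameter, s.category)
        if key in dyn_keys:
            confirmed.append((s, dyn_keys[key]))
            matched.add(key)
        else:
            static_only.append(s)
    dynamic_only = [d for k, d in dyn_keys.items() if k not in matched]
    return confirmed, static_only, dynamic_only
```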

BT Global Services has standardised on this combined approach for its application testing service that uses Hybrid Security Analysis 2.0 software by HP and Fortify Software.

This approach is not confined to companies using agile methodologies, says Hill.

Regular, automated hybrid testing can also be used with more traditional waterfall application development models, he says.

Although the approach is agile in nature, says Hill, companies can apply regular, automated, hybrid testing to achieve higher levels of security whatever development methodology they use.