Perhaps the greatest challenge in Agile development methods is producing secure code in a Sprint. Microsoft developed the Security Development Lifecycle with a waterfall development methodology in mind.
So what do you do in a SCRUM environment? One solution might be to take all the SDL requirements and put them into the product backlog, then pull them into the active queue (aka the sprint backlog, if you’re using Scrum) just like any other user story. Another approach is to complete the entire SDL in every iteration. Every iteration would provide secured functionality after the SDL requirements have been completed. However, a whole new challenge would emerge. How does complete all that SDL work in a short sprint of 2 weeks to a month?
Microsoft has been working on the problem and completed an internal beta of the new methodology earlier this month. SDL for Agile Development Methodologies.
In brief, SDL-Agile breaks the SDL into three categories of requirements
- Every-Sprint requirements, the requirements so important that they must be completed every iteration;
- One-Time requirements, the requirements that only have to be completed once per project no matter how long it runs;
Bucket requirements, the requirements that still need to be completed regularly but are not so important that they need to be completed every sprint.
To download and read the complete SDL-Agile guidance click here.
Additional reading: Agile Manifesto
Subscribe in a reader