London, United Kingdom, May 10, 2012 --(PR.com)-- Traditionally, software developers would create applications or programs in a linear fashion. A group would first plan the entire application. It would then send it to another group who would design the application. A third group of developers would then write the source code or commands to run the application. A final group of testers would make sure the application was good to go.
Today, software developers are increasingly creating applications in a non-linear manner. One team of developers is planning, designing, developing, and testing the different components of an application, one right after the other, allowing companies to release software in a phased manner. But is this increasingly growing style of development secure?
“If it’s done correctly—applying the Agile development processes—it is secure,” Gotham Digital Science or GDS Director Matt Bartoldus said. “In fact Agile development can facilitate better security through continuous security testing.”
Bartoldus spoke about Agile during a presentation titled “Are Agile and Secure Development Mutually Exclusive?” at CRESTCon 2012. The conference sponsor, the London-based Council of Registered Ethical Security Testers or CREST, has as its main goal to represent the information security testing industry and to assure the competency of its members through a series of assessments.
With offices in New York and London, GDS is an international security services company specializing in application and network infrastructure security, and information security risk management. Its clients include some of the largest financial services institutions and software development companies in the world. GDS is a member of CREST and its security testers possess CREST and CHECK certifications. The latter allows holders to perform security testing for the U.K. government.
When following the Agile software development methodology, Bartoldus said, developers run tasks concurrently. Agile allows developers to work faster and to make changes throughout the process rather than at the end. This should help protect clients from incurring unexpected and possibly significant development costs.
Agile security practices, Bartoldus said, involve a series of activities to ensure security controls are built into applications. One Agile security practice would be defining what security controls need to be built into the application. Another would be testing its source code for potential vulnerabilities or weaknesses in the application that would make it susceptible to attack.
Bartoldus said he spoke about Agile at CRESTCon 2012 to share with his colleagues in the security testing industry how GDS consultants talk about security integration with clients. Clients believe security practices are different when adopting Agile, he said, adding that they’re not.
“We perform the same security activities,” he said. “The outcome is the same.”
The work of GDS goes beyond security testing. The company has security project managers who work across the whole application lifecycle. They not only test but also perform technical remediation. Staff developers can write secure code as well as fix existing code to make it secure.
“We’re not afraid of source code,” Bartoldus said. “We’ve been doing secure source code analysis for more than eight years—well before the emergence of security source code analyzing tools and programs.”
GDS discovered the work CREST does through conversations with clients. Bartoldus said the company supports the organization’s technical certification process as a way to standardize the qualifications of its staff. In fact, GDS is aligning staff training with CREST certification.
CREST conferences allow GDS consultants to share their experiences with their peers. The company, Bartoldus said, likes to be in the forefront—to provide thought leadership—and CREST provides a platform to do that. He said CREST conferences also allow individuals outside of the industry to get a common understanding about ethical security testing and consulting.
Through corporate audits, individual assessments, and other activities, President Ian Glover said, CREST representatives identify skilled, competent, and knowledgeable testers that companies can rely on. They keep registered ethical security testers at the top of their game through ongoing assessments, and keep the community informed through conferences and working groups.
“The idea is to enhance overall knowledge by sharing information,” Glover said.
CRESTCon 2012 introduced the latest tools and techniques used in the fight against cybercrime. Participants included leading penetration testers, intrusion analysis and reverse engineering specialists, as well as senior information security academics, executives, and government officials. Among the topics discussed were cutting-edge ethical security testing and network forensics, as well as emerging technologies and business threats.