The word Agile is, sometimes used in a generic manner to denote any kind of “dynamic” or “unstructured” way of working with others. Commonly, this term suggests focused and rapidly iterative software process. Agile methodology is aimed to promote a more efficient, smooth-flowing and collaborative way of working to develop IT programs and computer software.
Today, the Agile method is simply called Agile, in which “A” symbolize its “adherence” and has become widely accepted as an effective approach to project management within software development and testing groups.
As the world is growing rapidly, the demands are also increasing. Today, there is a strong demand for rapid application delivery to manage today’s accelerating application development cycles. There are more applications like internet applications, mobile applications etc. But at the same time, keep an eye on the downside. Building your application very fast should not affect its security.
Today, we are using multiple Agile methodologies. They include Scrum, XP (Extreme Programming) etc. You don’t have to focus on security just because you are using one of the agile methodologies, as SDL (SDL: you can understand in the next paragraph about SDL), for Agile is now included in the Microsoft SDL process guidance. In this, you can find the latest details about the SDL.
SDL is an acronym for Security Development Lifecycle. It is a software development process that helps the developers build more secure software. This also helps in addressing security compliance requirements which can reduce development cost, while developing the software. The key behind SDL is to include Threat Modeling.
What exactly is Threat Modelling?
Threat modelling is a process by which active threats can be identified and prioritized. These are prioritized according to the attacker’s point of view. The purpose of threat modelling is to provide defenders with a systematic investigation of the predictable attacker’s profile. Most likely, this model helps to identify the attack vectors (is a path by which attacker can gain a access to a System), and the assets most desired by an attacker.
“Trust” boundaries are the crux of threat modelling . Trust boundaries draw the demarcation lines between the parts of your application which are vulnerable. A simple example can explain it better. When you want to use an application and try to log in, then it is obvious that client is sending a message to the server. But if the perpetrator targets the application interface, then the entire information goes to that attacker and not to the server. The use of trust boundaries simplifies the identification and classification of threats in threat modeling.
Threat model should be 100 percent complete before moving to the next phase of software development cycle. The activities in the threat model can be done by any member of the project team. That member can be responsible for threat modelling of the entire project or given iteration. Additionally, the team members should have an interest in security so that they can complete the threat model successfully.