Tilmann Haak’s presentation at this week’s TF-CSIRT/FIRST meeting was on incorporating security requirements into software development processes using agile methods, but his key points seem relevant to any style of software or system development:
- Make sure security features are treated as first-class user requirements, of equal status with the functional requirements provided by others. We’ve all experienced products where security was clearly added afterwards; in agile, if it doesn’t offer value to the customer then it won’t get added at all. So be prepared to explain the value that security brings to the customer.
- Do that in terms the developers are used to working with. In agile that often means user stories, so alongside Tilmann’s “As a user I would like to buy candy from the machine” you need to place my “As a thief I would like to take the money that others have put in the machine”.
- Provide developers with the tools they need to implement your requirements in their systems. Don’t just say “encrypt passwords in transmission and storage” – show them the libraries and implementation guidance that will enable them to do it right. Badly implemented security really is a waste of time, delivering no value to the customer.