"We're fixing problems before they become problems," he said. "That gives us more time to deal with innovation and other things out there."
Denim tests early and often
San Antonio-based security consulting firm The Denim Group switched away from traditional waterfall development eight years ago and today uses both "abuse cases" and automated testing tools as part of its agile security process.
Denim uses automated dynamic testing and automated static testing to find common vulnerabilities such as SQL injections.
"But business logic flaws, problems with authentication or authorization are hard or impossible to test for using automation," he said. "You hope to avoid introducing those types of vulnerabilities by doing threat modeling for an application."
This is where "abuse cases" come in, he said. "When building a piece of functionality, brainstorm for some time about how an application could be abused."
Another technique that Denim has found to be helpful for some organizations, especially with Web and mobile applications, is to focus manual testing on those features that changed most significantly during the previous development cycle.
"It's not as good as full testing," he said.
But budget or time constraints sometimes limit how much testing can be done.
"By looking at what has changed since the last release, that can help organizations get most value for their budget," he said.
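Denim's practice above, pointing limited manual testing at what changed most since the last release, as an added example that is not the firm's own tooling: a script that ranks the files in `git diff --numstat PREV..HEAD` output by churn, weighted toward assumed security-sensitive paths. The directory layout, weights and the numstat sample are constructed assumptions.

```python
"""Rank files changed since the last release so limited manual security testing
goes to the features that moved most. Added example, not the Denim Group's own
tooling; the git command, path prefixes and numstat sample are assumptions."""
import re

# Directories whose churn deserves extra reviewer attention (assumed layout).
SENSITIVE_PREFIXES = {
    "app/auth/": 3.0,      # authentication / session handling
    "app/payments/": 3.0,  # authorization around money movement
    "app/db/": 2.0,        # query construction
}
# Paths that are not candidates for manual security testing.
IGNORED = re.compile(r"(^|/)(tests?|docs)/|\.(md|png|lock)$")

def parse_numstat(numstat: str):
    """Parse `git diff --numstat PREV_RELEASE..HEAD` into (path, added, deleted).
    Binary files report '-' counts and are skipped."""
    rows = []
    for line in numstat.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[0] == "-" or parts[1] == "-":
            continue
        rows.append((parts[2], int(parts[0]), int(parts[1])))
    return rows

def rank_changed_files(numstat: str, prefixes=SENSITIVE_PREFIXES, top_n=5):
    """Score = lines touched times a weight for security-sensitive paths, so a
    modest change to auth code can outrank a larger change to a template."""
    scored = []
    for path, added, deleted in parse_numstat(numstat):
        if IGNORED.search(path):
            continue
        weight = next((w for p, w in prefixes.items() if path.startswith(p)), 1.0)
        scored.append((path, (added + deleted) * weight))
    scored.sort(key=lambda t: (-t[1], t[0]))
    return scored[:top_n]

# Constructed sample of `git diff --numstat v1.4..HEAD` output (not real data).
SAMPLE_NUMSTAT = """\
20\t5\tapp/auth/login.py
40\t10\tapp/templates/home.html
8\t0\tapp/db/orders_query.py
-\t-\tapp/static/logo.png
60\t5\ttests/test_login.py
4\t4\tREADME.md
30\t10\tapp/payments/refund.py
"""
if __name__ == "__main__":
    for path, score in rank_changed_files(SAMPLE_NUMSTAT):
        print(f"{score:7.1f}  {path}")
```

The ranked list is a starting point for the manual testers, not a substitute for full testing; files outside the top of the list still get automated coverage.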
Moving to an agile model can make some traditional security professionals nervous, he said, especially those with a command-and-control view of the process.
"There's a perception among security people that developers don't care about security," he said.
But agile offers security employees the opportunity to become resources early on in the development process, instead of coming in afterwards and looking for mistakes.
"Which is still an important thing to do, but you don't want your development team to have all the interactions with the security team be negative," he said. "That creates a pretty toxic environment."
Cigital tears down the wall
For Dulles, Va.-based Cigital, moving to agile development helped break down the cultural divide between the development and security teams that exists in traditional waterfall development.
"It's us versus them," said Cigital CTO John Steven. "You've built something, you throw it over the wall, someone tests it, and says, 'You did these things wrong.' If they offer any guidance, it's usually tautological -- you didn't do this or that."
In agile development, the security operation can lend a security architect to the development team.
"He can say, 'I notice you're trying to query the database. One way to do that safely is this.' You break down the us versus them model," said Steven. "At Cigital, we think that benefit is so powerful."