- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
Cigital offers four principles to help address inefficiencies that too often slow application security. They intend that these four principles will “guide and inspire us to build secure software in an agile way.”
- Rely on developers and testers more than security specialists.
- Secure while we work more than after we’re done.
- Implement features securely more than adding on security features.
- Mitigate risks more than fix bugs.
I assume that Cigital built their list in the Agile Manifesto model, as an expression of their valuing the items on the right — just not as much as they value the items on the left. Not only do these principles align with and extend the original Agile Manifesto, it seems they may also help information and software security organizations scale their efforts. None of us has all the resources we need. Judicious use of the “Cigital four” listed above may help us build capacity…
These seem like an excellent resource for those leading secure software efforts, as well as for architects, designers, product owners — anyone attempting to influence software quality while managing software-induced risks to appropriate levels.
The Agile Manifesto: http://agilemanifesto.org/
Cigital’s 4 Principles: https://www.cigital.com/resources/ebooks-and-whitepapers/agile-security-manifesto-principles/
There is no single “Agile” way: https://en.wikipedia.org/wiki/Agile_software_development#Agile_methods