Software Assurance in The Agile Software Development Lifecycle

CSIAC_Journal_V5N2_web_opt 1

Posted: July 13, 2017 | By: Bradley Lanford

Continuous Integration

No matter which framework is chosen to implement Agile, the engine that makes a team successful is the continuous integration environment. This is the infrastructure that allows all team members to work on and deliver code to a single development stream. Agile emphasizes early delivery of working code. For systems engineers, the continuous integration environment serves as a means to ensure all code is properly scanned, reviewed, and tested prior to delivery. This includes origin analysis of libraries and functions, unit tests, code reviews, and static code analysis. Smaller incremental deliveries allow code to be scanned quickly and with little impact on performance. Once delivered, the single repository is ideal for regression testing, static analysis of the full codebase, and dynamic analysis of deployed software. In addition to the process, IDEs used for continuous integration can provide instant feedback on adherence to coding standards and best practices, as well as configuration management of vulnerabilities that is accessible to all team members.

Continuous Delivery and DevOps

Continuous delivery is the process in which code that has been delivered to the development stream is automatically built, tested, and prepared for release. Although it is not vital to Agile development, it has been adopted in most instantiations. Automation is an important practice in securing a system, as it ensures a repeatable and consistent process that does not introduce vulnerabilities into the system. Through continuous delivery, engineers can automate software assurance tool usage into the build process and provide feedback to developers based on test results. Another important element of continuous delivery is the infrastructure required to support release to multiple environments. Once the build and release process is automated, new code can be released to test, pre-production, or production environments, allowing regression testing, code analysis, red teaming, and penetration testing to start immediately. Additionally, having this flexibility in infrastructure allows for operational monitoring prior to release to production.

A concept that has grown from the movement to Agile is DevOps. DevOps is in many ways similar to Agile but with a focus on delivering and evolving products at a high velocity. Continuous deployment is key to realizing this objective, and programs often merge development and operations teams to streamline deployment. In this case, many of the roles of the operations team are realized as code, such as infrastructure, policy, and monitoring. Infrastructure as code allows development teams to provision and manage infrastructure through code instead of through manual configuration. This can provide environments for more thorough security testing or a location to deploy known malware to test applications. Infrastructure as code also adds security because it can be tracked, validated, and reconfigured automatically, flagging non-compliant resources. Agile and DevOps methodologies both focus on optimizing the process to allow faster delivery to the user; the end result is a well-defined process that can be used to build in assurance practices to maintain a high security posture [5].
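The following is an added example, not code from the original article, of how infrastructure as code can be validated, checked for manual drift, and flagged for reconfiguration. The resource names, the policy rules, and the `policy_violations` and `audit` helpers are all hypothetical, and the sample data is constructed.

```python
# Constructed sample data: DECLARED is what version control says should exist,
# OBSERVED is what a (hypothetical) inventory scan found running.
DECLARED = {
    "web-fw": {"type": "firewall", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "admin-fw": {"type": "firewall", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    "logs": {"type": "bucket", "public": False, "encrypted": True},
}
OBSERVED = {
    "web-fw": {"type": "firewall", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "admin-fw": {"type": "firewall", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    "logs": {"type": "bucket", "public": False, "encrypted": False},
    "scratch": {"type": "bucket", "public": True, "encrypted": False},
}
ADMIN_PORTS = {22, 3389}  # assumed policy: never reachable from any address

def policy_violations(res):
    """Return the assumed policy rules that one resource breaks."""
    found = []
    if res["type"] == "firewall":
        for rule in res["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                found.append(f"admin port {rule['port']} open to any address")
    elif res["type"] == "bucket":
        if res["public"]:
            found.append("bucket is public")
        if not res["encrypted"]:
            found.append("bucket is not encrypted")
    return found

def audit(declared, observed):
    """Validate the declared config, flag non-compliant resources, plan fixes."""
    report = {"invalid_declared": {}, "non_compliant": {}, "plan": []}
    for name, res in declared.items():
        if policy_violations(res):  # a bad declaration should fail review, not deploy
            report["invalid_declared"][name] = policy_violations(res)
    for name, res in sorted(observed.items()):
        if policy_violations(res):
            report["non_compliant"][name] = policy_violations(res)
        if name not in declared:  # created outside the tracked definitions
            report["plan"].append(("remove-unmanaged", name))
        elif res != declared[name]:  # drift: changed by hand after deployment
            report["plan"].append(("reapply-declared", name))
    report["plan"] += [("create", n) for n in sorted(set(declared) - set(observed))]
    return report

if __name__ == "__main__":
    print(audit(DECLARED, OBSERVED))
```

Running the same check in the build pipeline on `invalid_declared` and on a schedule against the live inventory covers both a bad definition entering the repository and a compliant definition being changed by hand afterwards.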

References

  1. Agile Manifesto. 2001. “Manifesto for Agile Software Development” retrieved from http://agilemanifesto.org/ on March 31, 2017
  2. Hagen, Christian; Sorenson, Jeff 2013. “Delivering Military Software Affordably,” Defense AT&L, Mar-Apr 2013 http://dau.dodlive.mil/2013/04/24/delivering-military-software-affordably/
  3. GAO 2012 “Effective Practices and Federal Challenges in Applying Agile Methods”
  4. GAO-12-681: Published: Jul 27, 2012. Publicly Released: Jul 27, 2012.
  5. Jarzombek, Joe. 2012. “Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle” http://csrc.nist.gov/groups/SMA/forum/documents/october-2012_fcsm-jjarzombek.pdf
  6. Amazon Web Services. 2016. “What is DevOps?” retrieved from https://aws.amazon.com/devops/what-is-devops/ on March 31, 2017
