Locaweb Blog

The importance of security stories

July 6 , 2010

Agile techniques and methods have been in use at Locaweb for a while now, and recently two of our development leaders, Alexandre Freire da Silva and Leandro da Silva, attended the 11th International Conference on Agile Software Development (XP 2010) in Trondheim, Norway. Upon returning, they wrote and posted the following (very interesting) article to our corporate blog in Brazil. I’ll try to be as faithful as possible to the original in my translation.

A very interesting theme we saw at XP 2010 was the importance of having security stories in the application development backlog, a topic that developers and product owners commonly neglect.

What kind of story is this?

Security stories are user stories written from the point of view of an ill-intentioned user trying to find security holes in the system being developed. Of course, the ill-intentioned user is make-believe: the stories are actually written by developers and product owners with good intentions, who take on that role to find flaws so that they can be fixed before the system ships.

These stories are extremely important, since we never want to put vulnerable systems into production and expose our company and clients to harm. Therefore, they need to be validated in the QA process, preferably through automated tests, just like regular user stories.

How should you write them?

Basically, the idea is to write one or more security stories based on each regular user story, where applicable.

Basic story post-it

Usually, a user story goes something like this:

“I, as a bank client, would like to log into the bank’s internet banking application in order to check my account balance.”

Great. What then would a security story based on this user story be like? It might go a little something like this:

“I, as an ill-intentioned user, would like to scan the browser history in search of internet banking application login URLs in order to obtain username and password data from previous users.”

This story would make developers check how the login form sends the credentials to the server. If the form submits with HTTP GET, the username and password become part of the URL, and that URL is recorded in the browser history (and, for the same reason, in proxy and web server logs and in Referer headers). Submitting with POST puts the credentials in the request body instead, so they never reach the history. Note that POST only keeps credentials out of the URL; the login still needs TLS to keep them off the wire.

It’s a trivial example, but the motivation is clear, right?
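To make the story concrete, here is an added example (not code from the original post or from Locaweb) of how the story can be turned into automated tests, in the spirit of the QA step described earlier. It shows what a browser would record in its history for a GET versus a POST login form, a check that fails the story when a login page's form submits by GET or to a non-TLS URL, and a server-side guard that refuses credentials arriving in the query string. The page markup, URLs and field names are constructed for illustration; the `https://bank.example` host and the `login` form id are assumptions.

```python
"""Added example for the security story above (not from the original post).

Assumes a login page served as HTML with a form whose id is "login", and a
login handler that may receive credentials in the URL (GET) or in the
request body (POST).  All sample pages and URLs below are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample login pages.  The first submits by GET (the flaw the
# story is hunting); the second is the corrected form.
VULNERABLE_LOGIN_PAGE = """
<html><body>
<form id="login" action="https://bank.example/login" method="get">
  <input name="username"><input name="password" type="password">
  <button>Log in</button>
</form></body></html>"""

FIXED_LOGIN_PAGE = VULNERABLE_LOGIN_PAGE.replace('method="get"', 'method="post"')


def submitted_url(action, method, fields):
    """Return the URL a browser navigates to when submitting a form.

    With GET the fields become the query string, and that full URL is what
    lands in browser history, proxy and server logs, and Referer headers.
    With POST the fields travel in the request body, so history only sees
    the action URL."""
    if method.lower() == "get":
        return f"{action}?{urlencode(fields)}"
    return action


class FormFinder(HTMLParser):
    """Collect (id, action, method) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            # HTML default: a form with no method attribute submits by GET.
            method = (a.get("method") or "get").lower()
            self.forms.append((a.get("id"), a.get("action", ""), method))


def login_form_findings(html, form_id="login"):
    """Automated check for the story.  Returns a list of findings; an empty
    list means the attacker in the story would find nothing in the history."""
    parser = FormFinder()
    parser.feed(html)
    findings = []
    matched = False
    for fid, action, method in parser.forms:
        if fid != form_id:
            continue
        matched = True
        if method != "post":
            findings.append(f"login form submits by {method.upper()}: "
                            "credentials would appear in the URL")
        scheme = urlsplit(action).scheme
        # A relative action inherits the page's scheme, so only absolute
        # non-https actions are flagged here.  POST keeps credentials out
        # of the URL, not off the wire; TLS is still required.
        if scheme and scheme != "https":
            findings.append(f"login form posts to {action!r} without TLS")
    if not matched:
        findings.append(f"no form with id {form_id!r} found")
    return findings


def handle_login(method, url, body=""):
    """Server-side guard for the same story: refuse credentials that arrive
    in the query string regardless of method, so a stray GET link or an old
    client cannot reintroduce the leak.  Returns (status, message)."""
    query = parse_qs(urlsplit(url).query)
    if "username" in query or "password" in query:
        return 400, "credentials must not be sent in the URL"
    if method.upper() != "POST":
        return 405, "login requires POST"
    form = parse_qs(body)
    if not form.get("username") or not form.get("password"):
        return 400, "missing credentials"
    return 200, "authentication attempted"  # real password check omitted


if __name__ == "__main__":
    creds = {"username": "alice", "password": "hunter2"}
    print(submitted_url("https://bank.example/login", "get", creds))
    print(submitted_url("https://bank.example/login", "post", creds))
    print(login_form_findings(VULNERABLE_LOGIN_PAGE))
    print(login_form_findings(FIXED_LOGIN_PAGE))
    print(handle_login("GET", "https://bank.example/login?username=alice&password=hunter2"))
```

Running the check against the rendered login page in the test suite turns the security story into a regression test: if someone later changes the form back to GET, the build fails the same way it would for a broken user story.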

An extremely well-secured bicycle.

Oh, and a nice tip: write the security stories on post-its of a different color from the user stories, so they stand out on the board.

Ok, but what should you do after you write them?

We follow the regular story implementation process as usual, writing automated tests and so on. From a design-code-test point of view they’re stories like any other, but their purpose is to eliminate vulnerabilities in the system being developed.

Conclusion

If you haven’t paid much attention to this subject so far, we hope this post helps change your mind, because neglecting security can have terrible consequences.

by Leandro da Silva and Alexandre Freire da Silva
