Security Testing in an Agile World: An Interview with Jeff Payne


Jeffrey Payne sat down with Noel Wurst to discuss a range of topics, including advice for teams that are attempting agile for the first time, the importance of clear communication between teams, and the ways that security testing has changed alongside modern technology.

Noel: Do you think that teams that attempt an agile project for the first time fail to understand how difficult and intense agile can be? How can those teams better understand the breadth of what they're about to undertake?

Jeff: Yes. Teams often underestimate the amount of effort it will take. The first mistake many teams make is trying to “do agile,” i.e., follow a prescriptive set of tasks and activities, instead of “becoming agile.” Being agile is all about following the principles of agile, irrespective of the particular methods and tools that are used. This is one of the reasons why my Agile Fundamentals training course focuses a lot of attention on the principles of agile up front. There’s nothing wrong with choosing a particular flavor of agile to begin your journey, but you will not be successful unless you tune and customize the approach you follow to your culture, people, market, and organizational structure over time.

The first step in understanding the breadth of what a team is about to undertake with agile is to understand that the entire organization must change for agile to be successful. This doesn’t mean that a particular software development team cannot embrace agile while those around you do not, but that to get the full benefits of agile, everyone in the organization that touches the software must change at least some of their behaviors.

Noel: With communication between developers, testers, management, and the customer being so vital to the success of an agile project, what strategies would you recommend just in the area of communication alone?

Jeff: First, I’m a big advocate of daily Scrum meetings. There are so many reasons why holding a brief standup every day is a good idea:

1. It forces everyone on the team to think about what they are doing on a regular basis and make incremental progress toward a goal

2. It drives issues, concerns, and risks to the surface quickly so they can be addressed early, before they become showstoppers

3. It holds team members accountable to each other, which drives teams to meet their commitments and estimates

4. It’s a very visible way for management to see the progress that is being made on a frequent basis

The key to an effective daily Scrum is to make sure each team member focuses on their accomplishments instead of just their activities. Use these meetings to track what was DONE, not worked on.

Second, use pairing to keep things fresh and transfer knowledge between team members. While pair programming is certainly one useful way of doing this, pair up a developer with a tester at the start of each new User Story. The developer can teach the tester a lot about what the design and code do, which helps the tester build better tests. The tester can teach the developer a lot about how to write good unit and acceptance tests so the code that’s produced is of a higher quality.

Noel: One of your upcoming sessions is titled "Security Testing for Test Professionals." Everyone knows that security is important, but where are some areas concerning security that people, testers especially, may overlook, and therefore pose a threat to their project?

Jeff: Input validation. Many, many types of attacks leverage the fact that developers do not do an effective job of validating the integrity of the inputs their programs/interfaces accept. Too often input buffers can be overflowed, executable commands can be sent to a database, or inadequate authentication mechanisms are used to assure the person logging in is legitimate. Just
