Too much code, too few application security specialists

Agile dominates software development. According to Scott Ambler, a prolific author of books on the subject in addition to being IBM's agile development practice lead, 69 per cent of organizations already use agile in one or more projects. Twenty-four per cent of the rest are planning to start in the next year.

Unlike traditional waterfall projects, which progress through a series of horizontal layers until complete, agile projects work in vertical "sprints" to completely implement a small slice of functionality before moving on to the next one.

Agile's lack of formal requirements, architecture, and paperwork makes most in the security field shudder. Is it possible to build something secure without the traditional traceability the security folks like?

The waterfall model is burned deep into the security mindset. In the venerable Orange Book, assurance comes by way of formal models, traceability across lifecycle stages, test plans and test results. The agile brigade considers this top-down approach an "anti-pattern" - they even have a derogatory name for it: Big Design Up Front.

The agilistas might be on to something. From a security point of view, there are certainly problems with the big-design-up-front approach.

