During a short conversation with our new Chief Security Officer he explained:
If we can certify that we have a secure software development life-cycle, we stand to increase our overall revenue with clients by 10-20%.
Wow: actually using our methodology as a competitive advantage. Typically, if I mention methodology to anyone on the business side, and to many on the IT side, they just shake their heads; they've never heard of XP or RUP. Indirectly it has a big impact on our ability to deliver and maintain applications, but it's far from a direct revenue generator.
Over the next year we'll be looking at adopting some practices, getting some training, and further integrating our QA and development teams. Many of the Agile practices we're adopting parallel established practices for improving application security. Unit, integration, and acceptance tests, and their automation, mean you can actually certify that your software is reasonably secure, at least against the cases you are testing for. Automated builds and code reviews mean no issue lies undiscovered for long. This also means QA will probably have to get involved at the coding and scripting level rather than sticking to their current pure UI testing and automated scripting against that UI.
Scrum and its 30-day Sprints allow us to inspect and adapt quickly, instead of treating security as an afterthought that we only find out about when a security firm breaks an application with a penetration test. And adding things like abuse cases to our requirements makes it clear how we can verify we're 'done-done' with a particular feature: each abuse case becomes an acceptance test that has to fail to exploit the feature before the feature is accepted.
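As an illustration of abuse cases as executable acceptance criteria, here is an added example that is not code from the original post or from the author's organization. It assumes a hypothetical, constructed in-memory document service with a per-user ownership check, and writes two abuse cases against it: a user reading another user's document by guessing its id, and a user telling an existing-but-not-mine document apart from a missing one. The `enforce_owner` flag is there only so the same tests can be run against the unprotected variant and be seen to fail, which is what makes them a usable 'done-done' check.

```python
"""Abuse cases expressed as automated acceptance tests.

Constructed example: the DocumentService, the user names and the document
bodies are all hypothetical; nothing here is taken from a real application.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for both 'no such document' and 'not your document'.

    Using one error for both cases stops an attacker from enumerating which
    document ids exist by watching for a different error type or message.
    """


@dataclass
class Document:
    owner: str
    body: str


@dataclass
class DocumentService:
    # enforce_owner=False models the 'before' state with no access check,
    # so the abuse cases below can be shown to catch the defect.
    enforce_owner: bool = True
    docs: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, user: str, body: str) -> int:
        doc_id = self.next_id
        self.next_id += 1
        self.docs[doc_id] = Document(owner=user, body=body)
        return doc_id

    def read(self, user: str, doc_id: int) -> str:
        doc = self.docs.get(doc_id)
        if doc is None:
            raise NotFound(doc_id)
        if self.enforce_owner and doc.owner != user:
            raise NotFound(doc_id)
        return doc.body


def abuse_case_cross_user_read(svc: DocumentService) -> bool:
    """Abuse case: Mallory guesses Alice's document id and requests it.

    Returns True when the service refuses, False when the abuse succeeds.
    """
    alice_doc = svc.create("alice", "alice's private notes")
    try:
        svc.read("mallory", alice_doc)
    except NotFound:
        return True
    return False


def abuse_case_id_enumeration(svc: DocumentService) -> bool:
    """Abuse case: Mallory distinguishes 'exists but not mine' from 'missing'.

    Returns True when both requests look identical to Mallory.
    """
    alice_doc = svc.create("alice", "secret")
    missing_id = alice_doc + 1000  # an id that was never issued

    def outcome(doc_id: int) -> str:
        try:
            svc.read("mallory", doc_id)
            return "ok"
        except NotFound:
            return "notfound"

    return outcome(alice_doc) == outcome(missing_id)


def run_abuse_cases(enforce_owner: bool = True) -> dict:
    """Run every abuse case against a fresh service; True means the case is blocked."""
    results = {}
    for case in (abuse_case_cross_user_read, abuse_case_id_enumeration):
        results[case.__name__] = case(DocumentService(enforce_owner=enforce_owner))
    return results


if __name__ == "__main__":
    print("hardened:", run_abuse_cases(enforce_owner=True))
    print("unchecked:", run_abuse_cases(enforce_owner=False))
```

In a real project these functions would live in the test suite next to the feature's functional acceptance tests and run in the automated build, so a regression in the ownership check shows up in the same place a broken feature would.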
If you take a non-paranoid approach to implementing better security, you can actually stand up at a company meeting and explain how your software process improvement project delivered 100 million for the company. Not bad.