Steven says that this is a much more effective approach than coming in, talking to developers about security, run a pen testing tool, point out vulnerabilities, and leaving.
"If you go back six months later, the developers are still forgetting about security and implementing vulnerable code," he said. "If you want to help developers code securely, you have to be with them."
Thycotic bakes in security
Washington, D.C.-based Thycotic Software Ltd. bakes security into the agile development process with a security training process, but also embeds security staffers when needed.
"We have a security architect on staff who helps us with security processes about encryption," said Thycotic CEO Jonathan Cogley. "We have a hardware security model, and doing encryption in hardware is pretty complex. He was involved in a lot of the work from the beginning and followed it from conception all the way to delivery to customers."
Cogley suggests that companies looking to make the switch to agile do it one small step at a time.
"It's one of the biggest things where people go wrong," he said.
For example, if a company is starting with a waterfall development team, then the first step might be to change the release cycle from six months to one month.
"The idea is that you can always unpeel the change and reverse it quickly," he said. "When you make a lot of changes, it's hard to see where things went wrong and reverse them effectively."
Sign up for CIO Asia eNewsletters.