Integrating Automated Security Testing in the Agile Development Process : Earlier Vulnerability Detection in an Environment with High Security Demands

University essay from KTH/Skolan för datavetenskap och kommunikation (CSC)

Abstract: The number of vulnerabilities discovered in software has been growing fast over the last few years. At the same time, the Agile method has quickly become one of the most popular methods for software development. However, it contains no mention of security, and since security is not traditionally agile, it is hard to develop secure software using the Agile method. To make software secure, security testing must be included in the development process. The aim of this thesis is to investigate how and where security can be integrated in the Agile development process when developing web applications. In the thesis some possible approaches for this are presented, one of which is to use a web application security scanner. The crawling and detection abilities of four scanners are compared, on scanner evaluation applications and on applications made by Nordnet. An example implementation of one of those scanners is made in the testing phase of the development process. Finally, a guide is created that explains how to use the implementation. I reach the conclusion that it is possible to integrate security in the Agile development process by using a web application security scanner during testing. This approach requires a minimal effort to set up, is highly automated, and it makes the Agile development process secure and more effective.
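The abstract describes running a web application security scanner in the testing phase and letting its results feed back into the sprint. The script below is an added illustration of the pipeline side of that idea and is not the thesis' implementation or any scanner's own tooling: it consumes scanner findings that have been normalised to a constructed, scanner-neutral JSON shape (an assumption; every real scanner has its own report format), applies an assumed severity policy, and fails the build only on findings at or above a threshold that the team has not already triaged and accepted. The sample report, the finding ids, the `fail_at` threshold and the `accepted_ids` baseline are all constructed for the example.

```python
"""Security gate for the testing phase of an Agile pipeline.

Added example, not the thesis' implementation. Reads a scanner report in a
constructed, scanner-neutral JSON shape, summarises it, and returns a pass/fail
decision that a CI job can turn into its exit status.
"""
import json
import sys
from collections import Counter

# Constructed sample report: the shape a normalised scan of a staging
# deployment might take. Not real scanner output; ids and URLs are made up.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.invalid",
    "findings": [
        {"id": "F-1", "name": "Reflected XSS", "severity": "High",
         "url": "https://staging.example.invalid/search?q="},
        {"id": "F-2", "name": "Missing X-Content-Type-Options header",
         "severity": "Low", "url": "https://staging.example.invalid/"},
        {"id": "F-3", "name": "Cookie without HttpOnly flag",
         "severity": "Medium", "url": "https://staging.example.invalid/login"},
        {"id": "F-4", "name": "Server version disclosed",
         "severity": "Informational", "url": "https://staging.example.invalid/"},
    ],
})

# Assumed severity scale; real scanners use similar but not identical labels.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_report(raw):
    """Return the findings from a report in the constructed shape.

    A severity label the gate does not know is treated as Critical, so a
    scanner that introduces a new label cannot silently slip past the gate.
    """
    data = json.loads(raw)
    findings = []
    for f in data.get("findings", []):
        sev = f.get("severity", "Critical")
        if sev not in SEVERITY_RANK:
            sev = "Critical"
        findings.append({**f, "severity": sev})
    return findings


def evaluate(raw, fail_at="Medium", accepted_ids=()):
    """Decide whether the build may proceed.

    fail_at      - lowest severity that blocks the build (assumed policy).
    accepted_ids - finding ids the team has already triaged and accepted;
                   they stay in the summary but do not block, so a known
                   issue does not stop every sprint's pipeline.
    """
    threshold = SEVERITY_RANK[fail_at]
    accepted = set(accepted_ids)
    findings = parse_report(raw)
    summary = Counter(f["severity"] for f in findings)
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= threshold and f["id"] not in accepted
    ]
    # Most severe first, so the first line of CI output is the one to fix.
    blocking.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return {"passed": not blocking, "blocking": blocking, "summary": dict(summary)}


def main(argv):
    # Usage: security_gate.py [report.json] [fail_at] [accepted_id,accepted_id,...]
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    fail_at = argv[2] if len(argv) > 2 else "Medium"
    accepted = argv[3].split(",") if len(argv) > 3 else ()
    result = evaluate(raw, fail_at, accepted)
    print("severity summary:", result["summary"])
    for f in result["blocking"]:
        print(f"BLOCKING {f['severity']:>13}  {f['id']}  {f['name']}  {f['url']}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it gates the embedded sample and exits non-zero because of the High and Medium findings; pass a report path, a threshold and a comma-separated list of accepted ids to use it as a CI step. Keeping the accepted-findings list in version control next to the pipeline definition is what lets the gate stay strict without blocking every sprint on an issue the team has already decided to schedule.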
