agile secure development
DESCRIPTION
How do you make the agile team work with security requirements? Getting secure coding practices into agile development is often hard work. A security functional requirement might be included in the sprint, but getting security testing, secure architecture and feedback from security incidents working is not an easy task for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you. We will talk about agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be done without costly tools, and I will present open source alternatives for all steps. This makes a trial easier and lowers the startup cost of your team's security process.
TRANSCRIPT
SARAJEVO, 27.10.2014
Agile Secure Development
Petter Sandholdt
- How to make the agile team work with security requirements
Who am I?
Petter Sandholdt - Senior Developer
- Senior Security Consultant
- Java, C, C++, C#, Cocoa, Erlang,
PHP, Pike, Ruby, Cobol, Fortran, Lisp
- Security in R&D for last 6 years
... in agile teams the last 5 years
Easy targets
Verizon Enterprise’s 2013 Data Breach Investigations Report
● 47,000 reported security incidents,
● 621 confirmed data security breaches
● companies of all sizes.
http://www.verizonenterprise.com/DBIR/2013/
78% of successful security intrusions were simple to pull off
What do Dev and SO think?
http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy
Statement                                                     Developers   Security Officers
Security of applications is not addressed                     70%          50%
There is no build-security-in process (SSDLC)                 80%          64%
Application had a security breach during the past 2 years     68%          47%
Did not receive software and application security training    50%          50%
Application meets security regulations                        15%          12%
Agile application ≠ Secure?
Agile motto:
● Do what's in the sprint
XP motto:
● Never do more than what's required
TDD motto:
● Code until it's green
Agile application = Secure?
[Diagram: REQS and CODE]
Agile application = Secure?
[Diagram: CODE and REQS, with a region marked NOT TESTED]
When is an application secure?
● Requires hard-to-guess passwords?
● Has input validation?
● Has up-to-date and hardened 3rd-party libraries?
● The one that fulfills the security requirements of the application
How can the POs know about security?
POs are OWNERS: in that role they decide what is important for this application.
● Deployability (Architects or Operations)
● Performance (Architects,Testers & DBA)
● How to code it (Developers)
Secure Software Development
Life Cycles
● Microsoft SDL
● Adobe SPLC
● CLASP
● Cigital Touchpoints
Secure Coding in 5 minutes
1.Take Responsibility
2.Never trust data
3.Create a threat model
4.Keep yourself updated
5.Make a fuzz
6.Stay proud of your code
7.Use the best tools
http://bit.ly/1dZ6fwA
Recipe that works!
1.Architecture Overview
2.Have threat modelling sessions
3.Review all new requirements/stories
4.Fix your tools to help you
5.Add YOUR activities to sprint
1. Architecture overview
Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
Data-Flow-Diagrams are great
Agile???
WTF!
More artifacts!
Not on my watch!
- Helps collaboration
- Find discrepancies
- Creates ONE terminology
2. Threat Modeling session
● First session
○ Brainstorming
● Following sessions
○ Discussions around added entities
2. Threat Modeling session
Threat                    Property we want
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Non-repudiation
Information Disclosure    Confidentiality
Denial of Service         Authentification
Elevation of Privilege    Authorization
Threat Modeling session
Elevation of Privilege (EoP) Card Game
3. Backlog Review
Look at the backlog from a security perspective
Security Expert (from team) and PO
Create a checklist to facilitate
3. Checklist Example
● How will this new functionality be accessed?
● Can this affect "protected identities"?
● New entities in the threat model require adding a new threat modelling session
● A new role of users needs new validations on each resource
● Validations need to be updated if a property changes
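As an added example (not code from the talk), the following Python script ties step 2 to step 3: it applies STRIDE to each element of a data-flow diagram from step 1 to seed a threat modelling session, and it implements the checklist rule that new entities in the threat model trigger a new session. The element-type-to-threat mapping is the STRIDE-per-element table from the Microsoft SDL, which the slides do not list, and the Browser/Web app/DB diagram is constructed.

```python
from dataclasses import dataclass, field

# STRIDE-per-element table from the Microsoft SDL (assumption: the slides show
# the six STRIDE categories but not which element types each applies to).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
THREAT_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of Privilege",
}


@dataclass
class Dfd:
    """A data-flow diagram: element name -> type, plus (src, dst, label) flows."""
    elements: dict
    flows: list = field(default_factory=list)

    def enumerate_threats(self):
        """Candidate threats per element and per flow, to seed a session's brainstorm."""
        threats = {}
        for name, kind in self.elements.items():
            if kind not in STRIDE_PER_ELEMENT:
                raise ValueError(f"unknown element type {kind!r} for {name}")
            threats[name] = [THREAT_NAMES[c] for c in STRIDE_PER_ELEMENT[kind]]
        for src, dst, label in self.flows:
            threats[f"{src}->{dst} ({label})"] = [THREAT_NAMES[c] for c in STRIDE_PER_ELEMENT["flow"]]
        return threats


def new_entities(before, after):
    """Checklist rule: entities not in the last reviewed model need a new session."""
    return sorted(set(after.elements) - set(before.elements))


def needs_new_session(before, after):
    return bool(new_entities(before, after))


# Constructed sample: the model reviewed last sprint, and the model after a story
# that adds an audit log store.
sprint_n = Dfd(elements={"Browser": "external", "Web app": "process", "DB": "store"},
               flows=[("Browser", "Web app", "HTTPS"), ("Web app", "DB", "SQL")])
sprint_n1 = Dfd(elements={**sprint_n.elements, "Audit log": "store"},
                flows=sprint_n.flows + [("Web app", "Audit log", "append")])

if __name__ == "__main__":
    for elem, found in sprint_n1.enumerate_threats().items():
        print(f"{elem}: {', '.join(found)}")
    print("new entities:", new_entities(sprint_n, sprint_n1),
          "-> new session needed:", needs_new_session(sprint_n, sprint_n1))
```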
4. Fix your tools to help you
● Continuous Integration
● Static code analyzers
● Dynamic code analyzers
● Penetration tests tools
4. Continuous Integration
● Find compile errors in configuration
● Automate robustness testing
○ Unit
○ Integration
○ System
○ Fuzz
4. Analyze the code
● Evaluate state of code checked in
○ Complexity
○ Rule breaking
● Tools
○ SonarQube
○ Coverity
○ Fortify
5. Add activities to sprints
● Update high level diagram
● Keep updated
● Fuzz-testing
Buckets
● Verification
○ Fuzz
○ Data-flow
● Design
○ Cryptology
○ Privacy
● Planning
○ Privacy tests
○ Internal symbols
Recipe that works!
1.Architecture Overview
2.Have threat modelling sessions
3.Review all new requirements/stories
4.Fix your tools to help you
5.Add YOUR activities to sprint
Thank You