application security in an agile world - agile singapore 2016
TRANSCRIPT
✤ Let’s start with what it is not:
• Firewalls, secure network protocols,
• Antivirus and Phishing attacks
• Intrusion Detection
• SoCs, ...
What is AppSec?
✤ Application Security is:
• A quality aspect of your application
• And contributes to the business success the same way UX Design, Usability and Performance do.
• In other words: is my application used the way it is intended to be used?
What is AppSec?
✤ Security was traditionally in the hands of Network folks
• Suddenly, they became responsible for applications...
• ... And applied the same audit-like principles.
Why AppSec == Pain?
✤ Things slowly evolved
• From performing “Penetration Tests” once a year
• To doing a Pentest for every release (a few times a year)
Pentest to the rescue
Great, we all love Pentests, right?
[Chart: The frequency of releases over time. Y axis: releases per app per year (0 to 140); X axis: 2005 to 2020. Annotated "From Waterfall" at the start and "Towards CD" at the end.]
The frequency increased
[Diagram: the SCRUM cycle. Product Backlog -> Sprint Backlog -> a 1-4 week sprint with a 24-hour daily loop (Plan, Design, Develop, Test) -> Output: Shippable Increment.]
Let’s look at SCRUM
Start with understanding the process
✤ No more pdf/doc/xls!
✤ Security uses the same language as the dev team.
✤ Security as part of existing environments/workflows.
✤ Security work is completed in-cycle.
✤ Not all apps have the same security requirements.
Some general hygiene
[Chart: Relative cost to fix, based on time of detection (source: NIST). Y axis: relative cost, 0x to 35x; X axis: Requirements/Design, Coding, Integration Testing, Acceptance Testing, Production. "Penetration Testing" is annotated on the chart.]
Relative Cost
[Diagram: the same SCRUM cycle (Product Backlog -> Sprint Backlog -> 1-4 week sprint with a 24-hour daily loop of Plan, Design, Develop, Test -> Output: Shippable Increment), overlaid with security activities at each stage:]
• Security Training
• Security Requirements
• Security Activities
• Threat Modelling
• Design Review
• Pairing
• Manual Security Tests
• Automatic Security Tests
• Security Feature Demo
• Security Retrospective
• Security Acceptance Criteria
Secure SCRUM
✤ Functional security requirements are related to:
• Authentication & Access Control
• Data Integrity
• Wrong password lockouts
✤ Non-functional requirements are related to:
• Password policies
• Characteristics of audit logs
• Backups
Functional vs Non-Functional
• It all starts with the backlog & security is a part of this:
1. As an anonymous user I want to see the entire book selection, ...
2. As a logged-in user I want to see my entire purchase history, ...
3. As a customer I want to ensure my privacy when using a public wifi, ...
(Security) Requirements
- User Story and its acceptance criteria are unrelated to security
- User Story and its acceptance criteria are security sensitive [tagged]
- “One-off” (Security) User story [tagged]
✓ Architecture & Design Review & Threat Modelling: think like a hacker
✓ Design Guidelines are invaluable. Use existing design patterns
✓ Helps to reduce the ongoing amount of work
Secure by Design
✤ Assorted Secure Coding Guidelines in the repo
✤ Pairing for more complex stories
✤ Pull requests for security relevant stories are reviewed. Code reviews are important (especially for increased speed).
Secure Coding
✤ Code coverage is a key aspect of quality. 100% is just the beginning
✤ Security related acceptance criteria make a difference, both for manual and automated tests
✤ The more that is automated the better
Security Unit Tests
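The slides list "wrong password lockouts" and "password policies" as security acceptance criteria and then argue that such criteria should be checked by automated security unit tests. The following is an added example, not code from the talk or its references: a small authentication service that implements both criteria (plus an audit log, named on the non-functional slide), followed by the unit tests that turn the acceptance criteria into automated checks. The lockout threshold, password rules and hashing parameters are assumed values chosen for the example.

```python
"""Added example (not from the talk): two security acceptance criteria
from the backlog turned into code and automated security unit tests."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5       # assumed policy value, not from the slides
MIN_PASSWORD_LENGTH = 12      # assumed policy value
PBKDF2_ITERATIONS = 100_000   # assumed hashing cost


def password_policy_violations(password: str) -> list:
    """Non-functional requirement (password policy): list every rule broken."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    def __init__(self):
        self._accounts = {}
        self.audit_log = []  # audit log characteristics are a non-functional requirement

    def register(self, user: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("password policy: " + "; ".join(problems))
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            # Unknown user: still pay the hashing cost so response time
            # does not reveal whether the account exists.
            _hash(password, b"\x00" * 16)
            self.audit_log.append(f"login_failed user={user} reason=unknown_user")
            return False
        if acct.locked:
            self.audit_log.append(f"login_denied user={user} reason=locked")
            return False
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            self.audit_log.append(f"login_ok user={user}")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # functional requirement: wrong password lockout
            self.audit_log.append(f"account_locked user={user}")
        self.audit_log.append(f"login_failed user={user} attempts={acct.failed_attempts}")
        return False

    def is_locked(self, user: str) -> bool:
        return self._accounts[user].locked


# --- Security unit tests: the acceptance criteria, automated -------------

def test_lockout_after_repeated_wrong_passwords() -> bool:
    """Criterion: after MAX_FAILED_ATTEMPTS wrong passwords the account is
    locked, even the correct password is refused, and the lockout is logged."""
    svc = AuthService()
    svc.register("alice", "Correct-Horse-Battery-9")
    for _ in range(MAX_FAILED_ATTEMPTS):
        if svc.login("alice", "wrong-password-1"):
            return False
    return (svc.is_locked("alice")
            and not svc.login("alice", "Correct-Horse-Battery-9")
            and "account_locked user=alice" in svc.audit_log)


def test_weak_password_rejected() -> bool:
    """Criterion: registration with a policy-violating password fails."""
    svc = AuthService()
    try:
        svc.register("bob", "short1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("lockout:", test_lockout_after_repeated_wrong_passwords())
    print("policy:", test_weak_password_rejected())
```

Each test function is the executable form of one acceptance criterion from the story, which is what lets the criterion run on every commit rather than once a year in a pentest.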
✤ Continue demonstrating the new attributes/features and their impact on users
✤ What were the security considerations for this new feature
✤ In the retrospective share those lessons learned
Sprint Review & Retro
[Chart: Security Debt Burndown. Y axis: 0 to 120 (percent); X axis: Jan, March, May, July, September, November. Series: "% Remaining Security work" and "% App Robustness, Security Skills".]
Security Debt Burndown
Vulnerability Repository
• Sec Requirements
• Design Review
• Threat Modelling
• Security Unit Tests
• SAST
• SCA
• DAST
• IAST
• VA
• Security as Code
• RASP
• NG WAF
• Red Team
• GOPT
• Actual Attackers
AppSec Pipeline
✤ Start with embedding your friendly AppSec guy
✤ Transfer knowledge, find a security champion
✤ Step back and advise
✤ Iterate continuously; don’t go for big bang
✤ Keep adding automation
✤ Churn out awesome (& secure) releases at the speed of DevOps
From Zero to Hero
References
• https://www.infoq.com/presentations/Facebook-Moving-Fast-at-Scale
• Jeff Williams: 2013 Appsec USA: https://www.youtube.com/watch?v=cIvOth0fxmI&t=377
• http://blog.diniscruz.com
• https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• http://www.slideshare.net/SeniorStoryteller/amy-demartine-7-habits-of-rugged-devops