Building Security In – A Tale of Two Stories!
Laksh Raghavan, PayPal Inc. @laraghavan
Introduction
• This presentation is:
  – A case study on how PayPal's Secure Product Lifecycle (SPLC) had to adapt to Agile, with a focus on security stories
  – Vendor neutral
  – Descriptive
  – For large enterprises grappling with scale/process issues
• This presentation is NOT:
  – Silver Bullet™
  – Sales pitch
  – Prescriptive - if you implement the same, YMMV :)
PayPal's Agile Transformation
• Some interesting stats and facts about our Agile Transformation:
  – Big Bang approach against prevailing wisdom
  – Went from project driven to product aligned
  – 400+ scrum teams across the globe
  – 500+ Change Champions and 165 Transformation team members
• Every "industry expert" we consulted told us we couldn't transform at this scale in our designated timeline, but we did it!
I LOVE DEADLINES. I LIKE THE WHOOSHING SOUND THEY MAKE AS THEY FLY BY…
- Douglas Adams
PayPal SPLC - Overview
Objective:
Reduce the number of vulnerabilities in our products over time by building repeatable/sustainable proactive security practices embedded within our PLC.
Customers demand and deserve better security and privacy in their software. PayPal Secure Product Lifecycle is the process that allows PayPal to develop and test products to help reduce security bugs.
SPLC Transformation
– Strategy
  • Institutionalize risk-based thinking and processes
  • Secure by Default – Frameworks, Dev. Tools, etc.
  • Put our bots to work
– Execution
  • People – Internal PD security champions to help drive focus and attention on software security
  • Process – Integrate seamlessly with our "agile" way of delivering products.
  • Technology – Secure frameworks, libraries and automated tools that enable PD to ship products rapidly *and* securely
An exercise in testing (and trusting) the automated process
• Dynamic/In-Context Security Requirements: Security Stories
• Automated security controls in the lifecycle
• Secure Frameworks and Security Tools used for all projects & human involvement for critical-risk projects
• Threat Model only things that aren't run-of-the-mill web or mobile apps and/or not built on our standardized secure frameworks
Pre-requisite: Security Controls Auto-enabled to Protect Developers by Default
• If we rely on *every* developer in an enterprise doing the right thing from a security perspective *every* time he/she writes code, we are doomed to fail!
• Wherever possible, security controls are to be made available automatically and turned ON by default
• Developers have to go out of their way to turn off security controls
• Secure-by-default in all layers – Perimeter – Infrastructure – Framework – Libraries – Dev. Tools – Code/Config
IT IS A MISTAKE TO THINK YOU CAN SOLVE ANY MAJOR PROBLEM JUST WITH POTATOES.
- Douglas Adams
Security Stories
Holy Grail for any software security professional → Make functional and non-functional requirements equal citizens.
In Agile speak: Make User Stories and Security Stories equal citizens.
Before / After (slide illustration): Your Favorite Tax Software!
The approach…
• A web-based tool that seamlessly plugs into our Quarterly Release Planning (aka Multi-Sprint Planning) process
• A simple survey that does light-weight threat modelling, generates security stories, and places them in the backlog of the scrum team
• Tracking and reporting from within our Agile Life Cycle Management (ALM) tool
What were our initial design goals?
• We should go where they are and not make them come back to our tool on a daily basis
  – Two-way sync with our enterprise ALM tool
• It shouldn't take more than 15 minutes for any product developer to complete the survey
  – Don't slow them down!
• Comprehensive generic but "actionable" guidance for most technology stacks
  – Useful for non-standard apps and acquisitions
What makes a good security story?
• A good security story should be an "actionable", bite-sized chunk that can be implemented by any developer
• It should have clear usage guidelines for your own security APIs, frameworks, libraries, etc.
• Where needed, it should provide secure code snippets, reusable secure config examples for your custom frameworks, etc.
• It should speak developer lingo and not security lingo!
• It should have well-defined "acceptance criteria" or, better yet, automate acceptance with security tests (static/dynamic, etc.) in the CI pipeline
• Clearly call out every-sprint vs one-time stories
• In short, the developers should be able to do it themselves without having to ping the security team for well-established patterns and approved security controls
A LEARNING EXPERIENCE IS ONE OF THOSE THINGS THAT SAYS, “YOU KNOW THAT THING YOU JUST DID? DON'T DO THAT.”
- Douglas Adams
Pitfalls, Gotchas, etc.
• Don't overload your developers with 100s of security stories
  – Figure out your own Top 10 (Not OWASP Top 10) and focus on that
• Don't hardcode guidance that could potentially change frequently (e.g. APIs)
  – Hyperlink instead ;)
• Prioritize all security stories – High, Medium, Low
  – Mandate only High priority stories to be completed initially
  – Don't try to boil the ocean - Getting the culture going is more important
• Expect security stories to be moved around in your ALM tool (multiple scrum teams could be working on the same app!)
  – Make sure two-way sync doesn't break
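An added illustration (not PayPal's tool or code) of the survey-driven story generation from "The approach", the story attributes from "What makes a good security story?" and the prioritization advice above: survey answers map to a de-duplicated catalogue of stories carrying a priority, a cadence, a CI acceptance check and a guidance hyperlink. The catalogue entries, question names, check ids and URLs are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityStory:
    key: str
    title: str
    priority: str   # High / Medium / Low: every story gets a priority
    cadence: str    # "one-time" or "every-sprint", called out explicitly
    acceptance: str # CI check that proves the story is done (hypothetical ids)
    guidance: str   # hyperlink to living guidance instead of hard-coded text


# Constructed story catalogue; titles, check ids and URLs are placeholders.
CATALOGUE = {
    "csrf": SecurityStory("csrf", "Enable framework CSRF protection on state-changing routes",
                          "High", "one-time", "ci:dast-csrf", "https://wiki.example/csrf"),
    "authz": SecurityStory("authz", "Authorize every new endpoint with the approved authz library",
                           "High", "every-sprint", "ci:sast-authz", "https://wiki.example/authz"),
    "pii-log": SecurityStory("pii-log", "Never log card or account data",
                             "High", "every-sprint", "ci:log-scan", "https://wiki.example/logging"),
    "deps": SecurityStory("deps", "Keep third-party dependencies at approved versions",
                          "Medium", "every-sprint", "ci:sca", "https://wiki.example/sca"),
    "headers": SecurityStory("headers", "Ship the standard security response headers",
                             "Low", "one-time", "ci:dast-headers", "https://wiki.example/headers"),
}

# Light-weight threat model as survey rules: (question, answer) -> story keys added.
RULES = {
    ("app_type", "web"): ["csrf", "headers"],
    ("app_type", "mobile"): ["deps"],
    ("exposes_new_endpoints", True): ["authz"],
    ("handles_payment_data", True): ["pii-log"],
    ("on_standard_framework", False): ["csrf", "headers", "authz"],
}


def generate_stories(answers):
    """Turn survey answers into a de-duplicated backlog, highest priority first."""
    keys = {"deps"}  # baseline story every project receives
    for (question, trigger), story_keys in RULES.items():
        if answers.get(question) == trigger:
            keys.update(story_keys)
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((CATALOGUE[k] for k in keys), key=lambda s: (rank[s.priority], s.key))


def mandated(stories):
    """Only High stories are mandated at first: start small, get the culture going."""
    return [s for s in stories if s.priority == "High"]


def needs_human_threat_model(answers):
    """Human threat model only for non web/mobile apps or non-standard frameworks."""
    standard_app = answers.get("app_type") in ("web", "mobile")
    return not standard_app or not answers.get("on_standard_framework", True)
```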
So, what does it look like?
How do we measure success?
• Wide adoption of the tool across all of our Product Development (PD) organization
• Not just adoption but also efficacy – are developers also completing the security stories or are they just sitting in the backlog?
• Automated SPLC dashboard that makes these metrics transparent to PD leadership
• Early engagement means no or minimal projects hit security roadblocks during launch
• A quote from our Android App's Team Manager:
"It is great to know that the pentest didn't find any blockers and it can be largely attributed to the fact that we are following SPLC…"
In a Nutshell
Legacy SPLC                                        | Agile Transformed SPLC
200+ PDF/HTML security standards and procedures    | Security Stories customized for the specific use case/feature
Manual gates throughout lifecycle                  | Lifecycle relies on automated controls
Human involvement for all projects                 | Let the frameworks and tools do the heavy lifting - human involvement for critical risk projects only
Threat Model everything                            | Lightweight Threat Model via self-service tool; Human Threat Model only where needed
I REFUSE TO ANSWER THAT QUESTION ON THE GROUNDS THAT I DON'T KNOW THE ANSWER!
- Douglas Adams
Questions?
WE NO LONGER THINK OF CHAIRS AS TECHNOLOGY; WE JUST THINK OF THEM AS CHAIRS. BUT THERE WAS A TIME WHEN WE HADN'T WORKED OUT HOW MANY LEGS CHAIRS SHOULD HAVE, HOW TALL THEY SHOULD BE, AND THEY WOULD OFTEN 'CRASH' WHEN WE TRIED TO USE THEM.
- Douglas Adams
Thank you!
Get my slides immediately
Take the DevSecOps Survey: bit.ly/DevSecOps-2017