HOW TO EMBED SECURITY INTO AGILE? VanSecSIG Oct 12, 2018 Momchil Karov Best Buy Canada


Page 1: HOW TO EMBED SECURITY INTO AGILE? - InfoSecBC...HOW TO EMBED SECURITY INTO AGILE? VanSecSIG Oct 12, 2018 Momchil Karov Best Buy Canada PRESENTED BY: (A.K.A. THE “WHO AM I” SLIDE)


HOW TO EMBED SECURITY INTO AGILE?

VanSecSIG

Oct 12, 2018

Momchil Karov

Best Buy Canada

Page 2:

PRESENTED BY: (A.K.A. THE “WHO AM I” SLIDE)

Momchil Karov, MSc., CISSP

Principal Security Architect

Enterprise Risk and Compliance

Best Buy Canada Ltd. (100% owned subsidiary of Best Buy Co., Inc.)


Page 3:

WHY DO WE NEED IT, WHAT DO WE NEED AND HOW TO IMPLEMENT IT SUCCESSFULLY?

A SIMPLIFIED APPROACH ALIGNED WITH AGILE’S PHILOSOPHY.

Page 4:

WHY CHANGE? REASON #1 – THE ENEMY

Our enemy is already Agile and has been for a long time!

•It’s highly flexible and adapts quickly to change.

•It adopts new skills and technologies extremely fast.

•It’s very focused and determined in pursuing its goals.

So why can’t we be like our enemy?

Page 5:

TRADITIONAL SECURITY – THE ENFORCEMENT WAY

Enforcing security policies, standards and requirements, usually while working in silos, has been the traditional way of doing security for a long time.

This approach creates waste in business processes and sometimes even sours cross-team relationships.

Page 6:

SECURITY INSIDE WALLS, REASON #2 – TEAMS

[Diagram: Security walled off from People, Technology, and Processes & procedures.]

Security surrounded by walls does not allow the flow of knowledge and awareness through the organization and also breeds shadow IT. People are afraid that Security will say “No”.

Page 7:

OK, GOT IT, WE HAVE TO CHANGE


•A new paradigm shift

•Transformation of culture and mindset.

•Security – responsibility of everyone.

•No more silos.

•Information security as a competitive advantage.

Page 8:

REASON #3 – THE CUSTOMER …

OR DURABLE COMPETITIVE ADVANTAGE

A very important concept by the greatest investor of our time – Warren Buffett.

The main question is – for a company with a business based on a technological competitive advantage, can this advantage be durable without a strong information security program to protect it?

Here’s where security interconnects deeply with business and becomes part of the durable competitive advantage!

Page 9:

WHAT IS AGILE?

•Common name for a group of iterative and incremental methodologies.

•Specific mindset and style of work, following a set of values and principles, where requirements and solutions can evolve through team collaboration.

• Time-fixed, repeatable and self-adjusting process.

Page 10:

REALLY, WHAT IS AGILE?

[Diagram: Agile values & principles drive decisions, and the decisions serve one goal: develop working software.]

Page 11:

WHAT IS AGILE – A PENCIL ANALOGY

Watch the YouTube video “Agile Explained... with a PENCIL!”

https://www.youtube.com/watch?v=k_ndH7B-IS4

Page 12:

WATERFALL VS. AGILE

[Diagram: the project triangle for Waterfall and Agile, with quality at the centre of each. Waterfall fixes functionality and lets time and cost vary; Agile fixes time and cost and lets functionality vary.]

Page 13:

HISTORY OF WATERFALL

The Waterfall methodology was first described in 1970 by Winston Royce, in his article “Managing the Development of Large Software Systems”, as something you shouldn’t do.

Winston Walker Royce (August 15, 1929 – June 7, 1995)

Page 14:

FOUR CORE VALUES OF AGILE

OR AGILE MANIFESTO


We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

1. Individuals and interactions over processes and tools.

2. Working software over comprehensive documentation.

3. Customer collaboration over contract negotiation.

4. Responding to change over following a plan.

That is, while there is value in the items on the right, we value the items on the left more.

Page 15:

12 PRINCIPLES OF AGILE

1. Satisfy the customer.

2. Welcome change.

3. Deliver frequently.

4. Work together.

5. Trust, support & motivate.

6. Face-to-face communication.

Page 16:

12 PRINCIPLES OF AGILE (CONTINUED)

7. Working software.

8. Sustainable development.

9. Continuous attention to technical excellence.

10. Simplicity is essential.

11. Self-organized teams.

12. Reflect and adjust.

Page 17:

KEY FACTS ABOUT AGILE

• It’s driven by reality and customer requirements.

• It’s focused on end user/customer, i.e. the business.

• It’s based on free communication and open collaboration.

• It takes reward/risk into account.

• It’s characterized by timely and rapid delivery of results.

• It’s highly adaptable to change, using course corrections natively.

• It relies on discipline and focus.

Page 18:

THE SCRUM METHODOLOGY

[Diagram: the Scrum sprint cycle, from sprint planning through the sprint to the sprint review and retrospective.]

Page 19:

MAIN ROLES IN A PRODUCT STREAM

Product Owner

Scrum Master

Team Members

Business Users

Page 20:

WHAT IS A USER STORY?


As a < type of user >, I want < some function>, so that < some benefit >

Example: As a web site user, I want to be able to login, so I can access my personalized dashboard.

Page 21:

EFFECTIVE COLLABORATION IS PARAMOUNT

•Open collaborative environment.

•Teams engage and share ideas easily and without constraints.

•No more working in silos.

•The whole team is responsible for success as well as failure.

Page 22:

AUTOMATION EVERYWHERE

Improve efficiency.

Better use of resources.

Empower the human talent.

Don’t reinvent the wheel.

Popular automation tools: (tool logos shown on the slide)

Page 23:

SOLUTIONS THAT MATTER


How to make sure security becomes an integral part of Agile?

Key paradigm shift: Security – responsibility of EVERYONE!

Page 24:

SECURITY CHAMPIONS PROGRAM

•A key strategy to address security in the Agile environment.

•Adopted successfully by many organizations.

•Creates a strong bond between Security and the Agile teams.

Page 25:

INDUSTRY TRENDS

“By 2021, 35% of enterprises will implement a security champions program, up from less than 10% in 2017.”

Gartner

Page 26:

MAIN OBJECTIVES

• Develop Working and Secure Code.

• Manage Security Risk for Agile.

• Do everything the Agile way.

Page 27:

OWASP DEFINITION

• Security Champions are active members of a team that may help to make decisions about when to engage the Security Team

• Act as the "voice" of security for the given product or team

• Assist in the triage of security bugs for their team or area

Page 28:

SECURITY CHAMPION’S ROLE

• Act as a security ambassador in their product streams.

• Communicate CoP (Community of Practice) decisions and knowledge back to the teams.

• Assess security impact and risk at a high level.

• Make decisions about engaging Security.

• Develop “evil stories” for their team’s sprints.

• Review and approve usage of third-party libraries.

• Have these responsibilities in their PA (performance appraisal) goals.

Page 29:

HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?

Step 1

Communicate – simplify the security concepts for the Agile teams and don’t reinvent the wheel, but utilize the full potential of popular Agile tools, such as Confluence/Jira.

Page 30:

HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?

Step 2

Collaborate – make it easy for the Agile teams to engage security, again, by utilizing the full potential of the widely used Agile tools.

Page 31:

HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?

Step 3

Coach – training and coaching are the key to achieving competence across the board and building trust. Security coaching must stay fully in sync with the Agile values and principles.

Page 32:

HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?

Step 4

Trust – build a strong team relationship based on mutual trust. It should come naturally as a result of executing steps 1 to 3 successfully.

Page 33:

HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?

Step 5

Deputize – delegate responsibilities, based on the strong foundation of trust.

Page 34:

HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?

Step 6

Quantify – build statistics from easy-to-implement metrics in order to measure progress and drive adjustments that further improve the overall process.

Page 35:

SOME PRACTICAL TASKS


• Organize continuous training sessions, preferably bi-weekly.

• Constantly improve the resources for Security Champions:

• By creating a ‘Secure Coding Cheat Sheet’.

• By offering online training resources for continuous self-training (e.g. Hacksplaining.com).

• By constantly updating the ‘Secure Code’ Confluence page, following the industry.

• Possibly provide a tool for each team to create and use Evil Stories within each sprint, e.g. the Microsoft Threat Modeling Tool.

Page 36:

THE CONCEPT OF “EVIL STORIES”

• An innovative idea by the OWASP team.

• Simplifies the threat modeling process for Agile and makes it easier to understand.

• Provides an Agile-friendly method of including security requirements in each sprint cycle.

• Can be easily embedded in the process for each Agile sprint, in the backlog, as a security task to “fight evil”.

Page 37:

EXAMPLE OF A SECURITY STORY

Security Story:

As a(n) architect/developer, I want to ensure AND as QA, I want to verify that cross-site request forgery attacks are prevented.

Backlog Tasks:

* Use one of the many available libraries and frameworks that takes CSRF into account.

* Defend against cross-site scripting (see the cross-site scripting story).

* Do not use HTTP GET for any method that effects a change in system state.

SAFECode Fundamental Practices:

* Use Anti-Cross Site Scripting (XSS) Libraries

* Validate Input and Output to Mitigate Common Vulnerabilities

* Use Logging and Tracing

CWE-ID: CWE-352
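One way to turn this story into code, as an added example that is not from the slides or from the SAFECode document, is to pair the “before” handler (the CWE-352 weakness: any request that arrives with the victim’s session cookie changes state) with one hardened to the backlog tasks above (no state change on GET, a per-session synchronizer token checked in constant time), and to express the QA half of the story as a check that replays the forged requests against a handler. The Request and Session classes and every function name here are constructed stand-ins, not any framework’s API; in a real product the task “use a library or framework that takes CSRF into account” means enabling the framework’s own protection rather than hand-rolling this check.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


# Constructed stand-ins for a web framework's request and session objects
# (assumed shapes for this example, not any real framework's API).
@dataclass
class Request:
    method: str
    form: Dict[str, str] = field(default_factory=dict)  # POST body fields
    args: Dict[str, str] = field(default_factory=dict)  # query-string fields


@dataclass
class Session:
    user: str
    email: str
    csrf_token: Optional[str] = None


def issue_csrf_token(session: Session) -> str:
    """Synchronizer-token pattern: one unguessable token per session, rendered
    into every state-changing form as a hidden field. A page on the attacker's
    origin cannot read it, so it cannot forge a request that carries it."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def change_email_vulnerable(req: Request, session: Session) -> int:
    """The 'before' handler (CWE-352): any request that arrives with the
    victim's session cookie changes state, including a GET fired by an
    <img src=...> on the attacker's page or a cross-site auto-submitted form."""
    new_email = req.args.get("email") or req.form.get("email")
    if new_email is None:
        return 400
    session.email = new_email
    return 200


def change_email_secure(req: Request, session: Session) -> int:
    """The hardened handler: one check per backlog task of the story."""
    # Task: no state change on GET, so a forged link or image load does nothing.
    if req.method != "POST":
        return 405
    # Task: require the session's synchronizer token, compared in constant time
    # so the check itself does not leak the token byte by byte.
    submitted = req.form.get("csrf_token", "")
    expected = session.csrf_token or ""
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    new_email = req.form.get("email")
    if new_email is None:
        return 400
    session.email = new_email
    return 200


Handler = Callable[[Request, Session], int]
Outcome = Tuple[int, bool]  # (HTTP status, state left as it should be?)


def verify_story(handler: Handler) -> Dict[str, Outcome]:
    """The QA half of the story: replay the requests a CSRF attack relies on
    against a handler and record, per request, the status and whether the
    victim's state stayed intact; then confirm the genuine form still works."""
    victim = Session(user="alice", email="alice@example.com")
    token = issue_csrf_token(victim)
    attacks = {  # constructed attacker requests, all riding the victim's session
        "forged_get": Request("GET", args={"email": "attacker@evil.example"}),
        "forged_post": Request("POST", form={"email": "attacker@evil.example"}),
        # An attacker guessing a token: 43 chars is token_urlsafe(32)'s length.
        "guessed_token": Request("POST", form={"email": "attacker@evil.example",
                                               "csrf_token": "A" * 43}),
    }
    results: Dict[str, Outcome] = {}
    for name, req in attacks.items():
        before = victim.email
        status = handler(req, victim)
        results[name] = (status, victim.email == before)
        victim.email = before  # undo any damage before the next replay
    genuine = Request("POST", form={"email": "alice.new@example.com", "csrf_token": token})
    status = handler(genuine, victim)
    results["genuine"] = (status, victim.email == "alice.new@example.com")
    return results


def story_passes(handler: Handler) -> bool:
    """Acceptance criterion for the sprint: every forged request is rejected
    without a state change and the genuine one succeeds."""
    r = verify_story(handler)
    attacks_blocked = all(status >= 400 and untouched
                          for name, (status, untouched) in r.items() if name != "genuine")
    return attacks_blocked and r["genuine"] == (200, True)


if __name__ == "__main__":
    print("vulnerable:", verify_story(change_email_vulnerable), story_passes(change_email_vulnerable))
    print("secure:    ", verify_story(change_email_secure), story_passes(change_email_secure))
```

story_passes() is the kind of acceptance criterion a Security Champion can attach to the story’s definition of done: it returns False for the vulnerable handler and True for the hardened one, and the check runs in the sprint’s automated tests rather than in a separate security gate.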

Page 38:

HELPFUL TOOLS

Microsoft Threat Modeling Tool 2016 (free to download)

SAFECode, “Practical Security Stories and Security Tasks for Agile Development Environments” (34-page PDF document)

Enterprise Tools

Education and training: https://www.hacksplaining.com/

Page 39:

FOCUS ON COACHING

The Agile Security process is focused on iterative and self-adjusting coaching and general awareness initiatives towards the goal of making security everyone’s responsibility.

Page 40:

SCRUM WITH EMBEDDED SECURITY

[Diagram: the sprint flow from evil stories to “fight evil” security stories and to-do tasks, through code analysis to a secure increment, with acceptance criteria in the definition of “Done”.]

• Evil stories are created for each sprint and are broken down into “fight evil” security stories and to-do tasks & components, which represent the security requirements.

• Static code scans are performed in each sprint cycle.

• Secure increments are released to production in an automated fashion.

Page 41:

DO WE HAVE TO CHANGE AGILE?

Not really. It’s all about the interpretation of the “working and valuable software” phrase from the customer’s perspective.

Working and valuable also means SECURE!

But even if you add “secure” to Agile’s values and principles, it still doesn’t change its philosophy!

Page 42:

CLOSING REMARKS

Security must be Agile and Agile adopts security naturally!

Change is inevitable – embrace it!

Everyone benefits from it!

Page 43:

QUESTIONS?


“The important thing is not to stop questioning.

Curiosity has its own reason for existing.”

Albert Einstein

Page 44:

THANK YOU!
