OWASP LASCON 2015 - Agile Security, The Fails Nobody Told You About
TRANSCRIPT
![Page 1: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/1.jpg)
![Page 2: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/2.jpg)
The Storyteller
Daniel Liber - R&D Security Leader
• Security program management
• Product security SDLC
~10 years of experience
• Research, consulting, PT, engineering
CyberArk: Privileged Account Security
![Page 3: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/3.jpg)
…A Quote
“Success is stumbling from failure to failure with no loss of enthusiasm.”
(Winston Churchill)
![Page 4: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/4.jpg)
Chapters
• Agile, a reminder
• Integrating traditional security with Agile
• Hidden risks in the process
• Collaboration and delegation of security tasks
• Increasing visibility and efficiency
And so, our story begins…
![Page 5: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/5.jpg)
Let’s Talk Agile.
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
![Page 6: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/6.jpg)
Let’s Talk Agile.
Scrum
Sprints
Backlog
ProductOwner
Grooming
Stories
Meetings
![Page 7: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/7.jpg)
Let’s Talk Agile.
Product Backlog → Sprint Backlog → Sprint → Deliverables
![Page 8: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/8.jpg)
Let’s Talk Agile.
Kanban
Incremental
Cycle Time
Just in Time
WIP
Boards
Visibility
![Page 9: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/9.jpg)
Let’s Talk Agile.
![Page 10: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/10.jpg)
++SDL;
Reflecting on Agile:
“Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.”
![Page 11: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/11.jpg)
++SDL;
Microsoft SDL framework
![Page 12: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/12.jpg)
++SDL;
Agile Security (Bryan Sullivan, 2010 @ BH)
![Page 13: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/13.jpg)
++SDL;
Agile Security (Bryan Sullivan, 2010 @ BH)
Sprint
• Essential: performed every sprint
Bucket
• Important: done on a regular basis, but can be spread across multiple sprints
One time
• Foundational: done once at the start of every new Agile project
![Page 14: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/14.jpg)
++SDL;
Reflecting on Agile:
“The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.”
Meetings, meetings everywhere!
![Page 15: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/15.jpg)
++SDL;
Sprint of 2 weeks
Overseeing 4 teams
Participating in every daily; a daily is 15 minutes
10 days × 4 teams × 15 min = 10 hours ≈ 1 day ≈ 10% of your sprint time
![Page 16: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/16.jpg)
++SDL;
Security Champions: the team's "security bouncer"
• Security friendly
• Eyes and ears in meetings
• Potential recruits for the security team
![Page 17: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/17.jpg)
++SDL;
Examples of security tasks for each sprint:
![Page 18: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/18.jpg)
++SDL;
Reflecting on Agile:
“Welcome changing requirements, even late in development.”
Threat modeling not only for new features, but also for CHANGED features
![Page 19: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/19.jpg)
++SDL;
Threat Modeling:
• Attack-, software- or asset-centric?
• Assets
• Actors
• Entry points
• Flow
Not as lightweight as expected for a sprint security task
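The slides ask for threat modeling of changed features, not just new ones, and list the elements to track: assets, actors, entry points and flows. The script below is an added example, not from the talk, that records those elements for two snapshots of a feature and reports only the delta, so the per-sprint task is scoped to what actually changed. The element names, the `Flow` fields and both sample snapshots are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One data flow: which actor reaches which asset through which entry point,
    and whether the flow crosses a trust boundary (those are reviewed first)."""
    actor: str
    entry_point: str
    asset: str
    crosses_boundary: bool


@dataclass
class ThreatModel:
    assets: frozenset
    actors: frozenset
    entry_points: frozenset
    flows: frozenset


def element_changes(old: ThreatModel, new: ThreatModel):
    """Added and removed assets, actors and entry points between two snapshots."""
    out = {}
    for name in ("assets", "actors", "entry_points"):
        before, after = getattr(old, name), getattr(new, name)
        out[name] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return out


def _review_order(f: Flow):
    # boundary-crossing flows first, then a stable order for readability
    return (not f.crosses_boundary, f.actor, f.entry_point)


def flows_to_review(old: ThreatModel, new: ThreatModel):
    """Scope the sprint task: flows that are new or changed need threat
    enumeration; flows that disappeared may have mitigations to retire."""
    return {
        "review": sorted(new.flows - old.flows, key=_review_order),
        "retired": sorted(old.flows - new.flows, key=_review_order),
    }


# Constructed snapshots (all names made up): the second adds a password-reset
# feature and a mobile API, and moves the admin path behind an internal entry.
BEFORE = ThreatModel(
    assets=frozenset({"vault_db", "session_token"}),
    actors=frozenset({"user", "admin"}),
    entry_points=frozenset({"/login", "/vault/get"}),
    flows=frozenset({
        Flow("user", "/login", "session_token", True),
        Flow("user", "/vault/get", "vault_db", True),
        Flow("admin", "/vault/get", "vault_db", True),
    }),
)
AFTER = ThreatModel(
    assets=frozenset({"vault_db", "session_token", "reset_token"}),
    actors=frozenset({"user", "admin", "mobile_app"}),
    entry_points=frozenset({"/login", "/vault/get", "/reset", "/api/v2/vault",
                            "/admin/vault/get"}),
    flows=frozenset({
        Flow("user", "/login", "session_token", True),
        Flow("user", "/vault/get", "vault_db", True),
        Flow("user", "/reset", "reset_token", True),
        Flow("mobile_app", "/api/v2/vault", "vault_db", True),
        Flow("admin", "/admin/vault/get", "vault_db", False),
    }),
)

if __name__ == "__main__":
    print(element_changes(BEFORE, AFTER))
    for f in flows_to_review(BEFORE, AFTER)["review"]:
        print("review:", f)
    for f in flows_to_review(BEFORE, AFTER)["retired"]:
        print("retired:", f)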
![Page 20: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/20.jpg)
++SDL;
Short, Easy, Threat Modeling..?
![Page 21: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/21.jpg)
++SDL;
Coordinating with the Product Owner, emperor of the backlog
• Product's roadmap
• Features needing high security attention
• Setting security sprints (bucket security tasks)
• Cut-off for the most important threats
![Page 22: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/22.jpg)
++SDL;
From Threats to Bug Bars
List of relevant threats → translating to impact → creating thresholds
Bucket: “Create Security Bug Bars”
![Page 23: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/23.jpg)
The Team
Reflecting on Agile:
“The best architectures, requirements, and designs emerge from self-organizing teams.”
Teams contain different positions, responsibilities and practices, and are quite versatile
![Page 24: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/24.jpg)
The Team
Security + Agile = Fail (Adrian Lane, 2010)
![Page 25: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/25.jpg)
The Team
Team Leader
Developer / Architect
QA
System Analyst
The Security Guy
![Page 26: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/26.jpg)
The Team
Must security training become complicated?
Start training by position, not by team
![Page 27: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/27.jpg)
The Team

| Training | Developer | Architects | Functional Analyst | Security Team | QA | Team Leaders | PM |
|---|---|---|---|---|---|---|---|
| Basic Security Training | Yes | Yes | Yes | Yes | Yes | Yes (no test) | Optional |
| Security Analysis | Optional | Optional | Yes | Yes | Optional | Optional | Optional |
| Secure Design | Optional | Yes | Optional | Yes | Optional | Optional | Optional |
| Secure Development | Yes | Yes | Optional | Yes | Optional | Yes (no test) | Optional |
| Security Testing | Optional | Optional | Optional | Yes | Yes | Optional | Optional |
| Adv. Security Testing | Optional | Optional | Optional | Yes | Optional | Optional | Optional |
| Risk Management | Optional | Optional | Optional | Yes | Optional | Yes (no test) | Yes (no test) |
![Page 28: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/28.jpg)
Visibility
Reflecting on Agile:
“Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.”
How to surround with security?
![Page 29: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/29.jpg)
Visibility
Board Shenanigans
Where are the security activities?
![Page 30: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/30.jpg)
Visibility
Security as a shadow: it will follow you anyway
• Coupling lanes with security lanes
• Design += Design Review
• Development += Code Review / Static Analysis
• QA += Penetration Testing / Fuzzing
• Add security cards (race conditions)
![Page 31: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/31.jpg)
Visibility
![Page 32: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/32.jpg)
Visibility
![Page 33: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/33.jpg)
Security Flow
Reflecting on Agile:
“Business people and developers must work together daily throughout the project.”
![Page 34: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/34.jpg)
Security Flow
Fixing Security Bugs:
Meetings with PM, Dev team, security, etc.
![Page 35: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/35.jpg)
Security Flow
Agree on a bug fixing scheme; focus on work, not negotiation
• Time based (SLA) – challenging!
• Quota based (WIP)
• Size based (Story Points)
Across all products (needs prioritization) or per product
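The "From Threats to Bug Bars" slide and the bug fixing schemes above (time based, quota based, size based) fit naturally in one small triage script. The code below is an added example, not from the talk or from CyberArk: it classifies security bugs against a bug bar, applies the bar's cut-off as a release gate, and evaluates the three fixing schemes over a backlog export. The impact/exploitability vocabulary, the severity mapping, the SLA/WIP/story-point thresholds, the bug IDs, products and dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Bug bar: (impact, exploitability) -> severity. The mapping is an assumption;
# a real bar is derived from the product's own threat list, which is why the
# slides make "Create Security Bug Bars" a bucket task, not a per-sprint one.
BUG_BAR = {
    ("code_execution", "remote"): "Critical",
    ("elevation_of_privilege", "remote"): "Critical",
    ("code_execution", "local"): "Important",
    ("information_disclosure", "remote"): "Important",
    ("denial_of_service", "remote"): "Important",
    ("spoofing", "remote"): "Moderate",
    ("information_disclosure", "local"): "Moderate",
    ("denial_of_service", "local"): "Low",
}
DEFAULT_SEVERITY = "Low"          # unknown combinations are still triaged
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]

# Fixing-scheme thresholds (assumed numbers): days allowed per severity for the
# time-based scheme, open-bug limit per product for the quota-based scheme and
# the story-point budget reserved per sprint for the size-based scheme.
SLA_DAYS = {"Critical": 7, "Important": 30, "Moderate": 90, "Low": 180}
WIP_QUOTA = 4
POINT_BUDGET = 8


@dataclass
class SecurityBug:
    bug_id: str
    product: str
    impact: str
    exploitability: str
    opened: date
    points: int


def severity(bug: SecurityBug) -> str:
    return BUG_BAR.get((bug.impact, bug.exploitability), DEFAULT_SEVERITY)


def above_bar(bugs, cutoff="Important"):
    """Bug-bar gate: open bugs at or above the cut-off severity (release blockers)."""
    limit = SEVERITY_ORDER.index(cutoff)
    return [b.bug_id for b in bugs if SEVERITY_ORDER.index(severity(b)) <= limit]


def sla_breaches(bugs, today: date):
    """Time-based scheme: bugs open longer than their severity's SLA."""
    return [b.bug_id for b in bugs
            if (today - b.opened).days > SLA_DAYS[severity(b)]]


def wip_breaches(bugs):
    """Quota-based scheme: products holding more open security bugs than WIP_QUOTA."""
    counts = {}
    for b in bugs:
        counts[b.product] = counts.get(b.product, 0) + 1
    return sorted(p for p, n in counts.items() if n > WIP_QUOTA)


def plan_sprint(bugs):
    """Size-based scheme: fill the sprint's security point budget by severity,
    then age (oldest first); a bug that does not fit is skipped, not split."""
    ranked = sorted(bugs, key=lambda b: (SEVERITY_ORDER.index(severity(b)), b.opened))
    chosen, used = [], 0
    for b in ranked:
        if used + b.points <= POINT_BUDGET:
            chosen.append(b.bug_id)
            used += b.points
    return chosen


# Constructed backlog export; ids, products and dates are made up.
TODAY = date(2015, 10, 22)
SAMPLE_BUGS = [
    SecurityBug("SEC-1", "vault", "code_execution", "remote", date(2015, 10, 1), 5),
    SecurityBug("SEC-2", "vault", "information_disclosure", "local", date(2015, 9, 1), 3),
    SecurityBug("SEC-3", "portal", "denial_of_service", "remote", date(2015, 8, 1), 2),
    SecurityBug("SEC-4", "portal", "spoofing", "remote", date(2015, 10, 15), 3),
    SecurityBug("SEC-5", "portal", "denial_of_service", "local", date(2015, 10, 20), 1),
    SecurityBug("SEC-6", "portal", "tampering", "remote", date(2015, 10, 21), 1),
    SecurityBug("SEC-7", "portal", "information_disclosure", "remote", date(2015, 10, 10), 2),
]

if __name__ == "__main__":
    print("above bar:", above_bar(SAMPLE_BUGS))
    print("SLA breaches:", sla_breaches(SAMPLE_BUGS, TODAY))
    print("WIP breaches:", wip_breaches(SAMPLE_BUGS))
    print("this sprint:", plan_sprint(SAMPLE_BUGS))
```

Running it over the constructed backlog shows why the slide flags the time-based scheme as challenging: two bugs are already past their SLA before anything is planned, while the quota and size schemes simply report what fits and what is over the limit. Which scheme to apply across all products versus per product is the prioritization decision the slide leaves to the Product Owner.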
![Page 36: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/36.jpg)
Measuring Security
Reflecting on Agile:
“Working software is the primary measure of progress.”
Ok, but how do I measure security?
![Page 37: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/37.jpg)
Measuring Security
Agile differs from Waterfall in:
• Building a big picture from small iterations
• Collecting evidence of simultaneous activities
• Vague control points: sprint? group of sprints? version release?
![Page 38: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/38.jpg)
Measuring Security
Mastering Security in Agile (Ericsson, 2012)
![Page 39: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/39.jpg)
Measuring Security
Fight Agile with Agile:
• Security cards: velocity, cycle time, etc.
• Grooming evaluation:
  • Card gets a "security level" score
  • Score means level of security attention
  • Card is done → collect evidence
• Automation, automation, automation
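"Fight Agile with Agile" means measuring security with the board's own numbers. The script below is an added example, not from the talk, that reads a small board export where each card carries the security level assigned at grooming and the evidence collected on the way to done, then reports security velocity and cycle time and flags done cards whose evidence does not match their level. The level-to-evidence mapping, the card fields and the sample cards are assumptions constructed for the example.

```python
from datetime import date

# Evidence a card must carry before it counts as done, keyed by the security
# level assigned at grooming. Levels and evidence names are assumptions that
# mirror the "lane += security activity" pairing on the Visibility slides.
EVIDENCE_BY_LEVEL = {
    0: set(),                                                 # no security attention
    1: {"design_review"},
    2: {"design_review", "static_analysis"},
    3: {"design_review", "static_analysis", "pentest"},
}

# Constructed board export: one dict per card; "done" is None while in progress.
SAMPLE_CARDS = [
    {"id": "C-1", "sprint": 12, "points": 5, "level": 3, "started": date(2015, 9, 14),
     "done": date(2015, 9, 25), "evidence": {"design_review", "static_analysis", "pentest"}},
    {"id": "C-2", "sprint": 12, "points": 3, "level": 2, "started": date(2015, 9, 16),
     "done": date(2015, 9, 24), "evidence": {"design_review"}},
    {"id": "C-3", "sprint": 12, "points": 2, "level": 0, "started": date(2015, 9, 15),
     "done": date(2015, 9, 18), "evidence": set()},
    {"id": "C-4", "sprint": 13, "points": 8, "level": 1, "started": date(2015, 9, 28),
     "done": None, "evidence": set()},
    {"id": "C-5", "sprint": 13, "points": 3, "level": 3, "started": date(2015, 9, 28),
     "done": date(2015, 10, 7), "evidence": {"design_review", "static_analysis", "pentest"}},
    {"id": "C-6", "sprint": 13, "points": 2, "level": 1, "started": date(2015, 9, 29),
     "done": date(2015, 10, 5), "evidence": set()},
]


def missing_evidence(cards):
    """Cards marked done without the evidence their security level requires.
    Returns {card id: sorted list of missing evidence}."""
    gaps = {}
    for c in cards:
        required = EVIDENCE_BY_LEVEL[c["level"]]
        if c["done"] and not required <= c["evidence"]:
            gaps[c["id"]] = sorted(required - c["evidence"])
    return gaps


def security_velocity(cards, sprint, min_level=1):
    """Story points of security-relevant cards (level >= min_level) finished in a sprint."""
    return sum(c["points"] for c in cards
               if c["sprint"] == sprint and c["done"] and c["level"] >= min_level)


def security_attention_ratio(cards, sprint):
    """Share of the sprint's finished points that received any security attention."""
    done = [c for c in cards if c["sprint"] == sprint and c["done"]]
    total = sum(c["points"] for c in done)
    return security_velocity(cards, sprint) / total if total else 0.0


def mean_cycle_time(cards, min_level=1):
    """Average days from start to done for finished security-relevant cards."""
    days = [(c["done"] - c["started"]).days
            for c in cards if c["done"] and c["level"] >= min_level]
    return sum(days) / len(days) if days else 0.0


if __name__ == "__main__":
    print("evidence gaps:", missing_evidence(SAMPLE_CARDS))
    for s in (12, 13):
        print(f"sprint {s}: security velocity {security_velocity(SAMPLE_CARDS, s)}, "
              f"attention {security_attention_ratio(SAMPLE_CARDS, s):.0%}")
    print("mean cycle time (days):", mean_cycle_time(SAMPLE_CARDS))
```

The evidence check is the automation the slide asks for: a card cannot silently reach done with a level-2 score and only a design review behind it, and the report gives the security team a per-sprint control point even though the process itself has none.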
![Page 40: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/40.jpg)
Questions?
(A reminder)
• Agile and security integration has hidden risks
• Taking measures before the risks turn into reality will prevent possible fails
• Use Agile's good sides to practice security, and get rid of the bad ones
• Look for the
![Page 41: OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About](https://reader036.vdocuments.net/reader036/viewer/2022062600/58a6a1921a28ab0a7a8b468d/html5/thumbnails/41.jpg)