Download - Agile Secure Development
![Page 1: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/1.jpg)
SARAJEVO, 27.10.2014
Agile Secure Development
Petter Sandholdt
- How to make the agile team work with security requirements
![Page 2: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/2.jpg)
Who am I?
Petter Sandholdt - Senior Developer
- Senior Security Consultant
- Java, C, C++, C#, Cocoa, Erlang,
PHP, Pike, Ruby, Cobol, Fortran, Lisp
- Security in R&D for last 6 years
... in agile teams the last 5 years
![Page 3: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/3.jpg)
Easy targets
Verizon Enterprise’s 2013 Data Breach Investigations Report
● 47,000 reported security incidents,
● 621 confirmed data security breaches
● companies of all sizes.
http://www.verizonenterprise.com/DBIR/2013/
78% of successful security intrusions were
simple to pull off
![Page 4: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/4.jpg)
What do Dev and SO think?
http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy
Developers Security Officers
Security of applications is not
addressed
There is no build security in
process SSDLC
Application had a security breach
during the past 2 years
Did not receive software and
application security training
Application meets security
regulations
70% 50%
80% 64%
68% 47%
50% 50%
15% 12%
![Page 5: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/5.jpg)
Agile application ≠ Secure?
Agile moto:
● Do what’s in the sprint
XP moto:
● Never do more that what’s required
TDD moto:
● Code until its green
![Page 6: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/6.jpg)
Agile application = Secure?
REQS CODE
![Page 7: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/7.jpg)
Agile application = Secure?
CODEREQS
NOT TESTED
![Page 8: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/8.jpg)
When is an application secure?
● Requires hard-to-guess passwords?
● Has input validation?
● Has up-to-date and hardened 3rd-party
libraries?
● The one that fulfills the security
requirements of the application
![Page 9: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/9.jpg)
How can the POs know about
security?
POs are OWNERS in that role decide what
is important for this application.
● Deployability (Architects or Operations)
● Performance (Architects,Testers & DBA)
● How to code it (Developers)
![Page 10: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/10.jpg)
Secure Software Development
Life Cycles
● Microsoft SDL
● Adobe SPLC
● CLASP
● Cigital Touchpoints
![Page 11: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/11.jpg)
Secure Coding in 5 minutes
1.Take Responsibility
2.Never trust data
3.Create a threat model
4.Keep yourself updated
5.Make a fuzz
6.Stay proud of your code
7.Use the best tools
http://bit.ly/1dZ6fwA
![Page 12: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/12.jpg)
Recipe that works!
1.Architecture Overview
2.Have threat modelling sessions
3.Review all new requirements/stories
4.Fix your tools to help you
5.Add YOUR activities to sprint
![Page 13: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/13.jpg)
1. Architecture overview
![Page 14: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/14.jpg)
1. Architecture overview
Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
![Page 15: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/15.jpg)
Data-Flow-Diagrams are great
![Page 16: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/16.jpg)
Agile???
WTF!
More artifacts!
Not on my watch!
- Helps collaboration
- Find discrepancies
- Creates ONE terminology
![Page 17: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/17.jpg)
2. Threat Modeling session
● First session
○ Brainstorming
● Following sessions
○ Discussions around
added entities
![Page 18: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/18.jpg)
2. Threat Modeling session
Threat Property we want
Spoofing Authentication
Tampering Integrity
Repudiation Non-repudiation
Information Disclosure Confidenciality
Denial of Service Authentification
Elevation of Privilege Authorization
![Page 19: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/19.jpg)
Threat Modeling session
Elevation of Privilege (EoP) Card Game
![Page 20: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/20.jpg)
3. Backlog Review
Look at the backlog from a
security perspective
Security Expert (from team)
and PO
Create checklist to facilitate
![Page 21: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/21.jpg)
3. Checklist Example
● How will this new functionality be
accessed?
● Can this affect “protected identites”?
● New entites in theatmodel require adding a
new theatmodel session
● New role of users needs new validations on
each resource
● Validations needed to be updated if
property changes
![Page 22: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/22.jpg)
4. Fix your tools to help you
● Continuous Integration
● Static code analyzers
● Dynamic code analyzers
● Penetration tests tools
![Page 23: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/23.jpg)
4 Continuous Integration
● Find compile errors in configuration
● Automate robustness testing
○ Unit
○ Integration
○ System
○ Fuzz
![Page 24: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/24.jpg)
4 Analyze the code
● Evaluate state of code checked in
○ Complexity
○ Rule breaking
● Tools
○ SonarQube
○ Coverity
○ Fortify
![Page 25: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/25.jpg)
5. Add activities to sprints
● Update high level diagram
● Keep updated
● Fuzz-testing
![Page 26: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/26.jpg)
Buckets
● Verification
○ Fuzz
○ Data-flow
● Design
○ Cryptology
○ Privacy
● Planning
○ Privacy tests
○ Internal symbols
![Page 27: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/27.jpg)
Recipe that works!
1.Architecture Overview
2.Have threat modelling sessions
3.Review all new requirements/stories
4.Fix your tools to help you
5.Add YOUR activities to sprint
![Page 29: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/29.jpg)
![Page 30: Agile Secure Development](https://reader033.vdocuments.site/reader033/viewer/2022051412/5494265aac7959292e8b4ae0/html5/thumbnails/30.jpg)
Thank You