empowering secure agile teamssislab.no/secse/presentations/tsl - secure agile... · • security is...
TRANSCRIPT
![Page 1: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/1.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
http://secse.org/ Oxford, June 4 2019Frank Aakvik [email protected]
Security and Privacy Officer, Telenor Software Lab
Empowering Secure Agile Teams
1
![Page 2: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/2.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Telenor Software Lab
2
• ...• ...• ...• ...
Client Team (8 ppl.)• Client logic• Web, Native Mobile, Legacy
Backend Team (4 ppl.)• Business logic• Client endpoints (proxy)• Authentication/Authorisation
Solutions Engineering (9 ppl.)• Quality Assurance/Test• Continuous Integration• Facilities Management• Security/Privacy
Operations (4 ppl.)• Remote/Local Storage• Remote/Local Hosting• Local Infrastructure
TSL
Marketing (2 ppl.)• Product Strategies• A/B Testing• Customer communications
![Page 3: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/3.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Work Environment
3
![Page 4: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/4.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Roles
4
Developer
QAPO
CI Engineer
Security/Privacy
Designer
![Page 5: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/5.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Security Processes in Agile
5
1. Situation / Challenges
2. Implications / Consequences
3. Solution / Plan of Approach
![Page 6: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/6.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Challenges
6
Situation / Observation Implication / Consequences
• Need for continuously reviewing the design• Cannot wait for an open time slot with specialists
• Difficult to verify adequate security-/privacy coverage• Difficult to communicate need for a security focus• Difficult to place responsibility for sufficient control
• Security/Privacy (features) should be “owned” by the PO?
• E.g. technical complexity frightens PO from addressing-> assumptions are made on coverage
• Wait until someone else fixes the problem
• Continuous Delivery/Continuous Deployment
• Lacking documentation on security-/privacy requirements (specific for the business)
• Agile manifesto “dictates” (feature) ownership (PO)
• Security features are difficult to understand
• Security is “outside our control”/Not my job
![Page 7: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/7.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Security Requirements
7
• Control (confidentiality, integrity)• Availability• Privacy (Authorisation)
• Governance○ Confidentiality/Sourcing
• Data Regulation Authorities (National/International)○ GDPR
• Coding guidelines• Test methods• Data classification
End User Req.Company Req.
Laws and Regulations
Best Practices
• Incident reports• Static Analysis• Dynamic Analysis/Testing
Lessons Learned
![Page 8: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/8.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61 8
Performers/Stakeholders
Product Team
Developers
Test/QA
Security Team
v. 0.9.1a
Lessons Learned!!
![Page 9: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/9.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Threat Modelling
9
Conclusion: Allows the developers to discover threat earlier!
Security Champions
SPOOFING
TAMPERING
REPUDIATION
INFORMATIONDISCLOSURE
DENIAL OFSERVICE
ELEVATION OFPRIVILEGE
STRIDE
• Provide for security awareness/competency• Implements security/privacy by design• Data flow perspective (relevancy)
![Page 10: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/10.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Risk Assessment and Mitigation Planning
10
Triggered on incidents
Triggered by (static) security requirements
• Doesn’t necessarily have to be a relevant risk at the time• Requirements may change as security awareness matures
• Relies on bad stuff happening -> #notonmywatch• Only discovered when bad stuff happens!!
![Page 11: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/11.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
Tracking changes
11
![Page 12: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline](https://reader030.vdocuments.site/reader030/viewer/2022041003/5ea5df26ff6aab7a11478e5e/html5/thumbnails/12.jpg)
Position Helpline15,42
Position Helpline
15,42
Position Auxiliary line8,32
Position Auxiliary line5,33
Position Auxiliary line6,61
2019 OKRs
12
Objective : Spread security awareness (identify and report).
KR: Complete a security "hackathon"KR: Number of identified incidents that are actual threats = 100%KR: Register relevant security tests for all managed modules
Objective: Integrate security management into development process
KR: Compete 1 threat modelling workshop with all Security ChampionsKR: Introduce static code analysis for all managed repositoriesKR: Create tests for all identified threat scenariosKR: Complete risk assessment and mitigation planning with all employees