Matt Bartoldus
matt@gdssecurity.com

Are Agile and Secure Development Mutually Exclusive?
Source Barcelona
November 2011

©2011 Gotham Digital Science, Ltd

Introduction

o Me
o Who Are You?
  – Assessment (Penetration Tester; Security Auditors)
  – Developer
  – IT Architect
  – Management
  – Academia
  – Consultant (2 or more above)
  – Here because someone told you that you now have to do security

Agenda

• ‘Traditional’ Project Method
• Agile Project Method
• Agile Conditions and Culture
• Project Managers and Objectives
• QA and Agile Testing
• Frameworks and Agile
• Security in Agile Development
• Waterfall vs Agile
• Real World Examples
• Are Agile and Secure Development Mutually Exclusive?

‘Traditional’ Project Method

• Tasks are completed in a stage by stage manner - linear;
• Each stage is assigned to a different team;
• Requires a significant part of the project to be planned up front;
• Once a phase is complete, it is assumed that it will not be revisited;
• Lays out the steps for development teams;
• Stresses the importance of requirements.

‘Traditional’ Waterfall

e.g. PRINCE2

Manifesto for Agile Software Development

Signatories in 2001 (following a decade of Agile methodology practices):

  We are uncovering better ways of developing software by doing it and helping others do it.
  Through this work we have come to value:

  Individuals and interactions   over   processes and tools
  Working software               over   comprehensive documentation
  Customer collaboration         over   contract negotiation
  Responding to change           over   following a plan

  That is, while there is value in the items on the right, we value the items on the left more.

Source: www.agilemanifesto.org

Agile Method

• Working in cycles, i.e. a week, a month, etc;
• Project priorities are re-evaluated at the end of each cycle;
• Aims to cut down the big picture into puzzle-size bits, fitting them together when the time is right;
• Agile methods benefit small teams with constantly changing requirements more than larger projects.

Agile Method




Conditions for Agile

• Project value is clear
• Customer actively participates throughout the project
• Customer, designers, and developers are located together
• Incremental feature-driven development is possible (focus on one feature at a time)

Culture of Organisation and How It Affects Agile

Unhelpful characteristics      Helpful characteristics
• Top-Down                     • Holistic
• Command and Control          • Systems thinking
• Hierarchical                 • Delegated
• Micromanaged                 • Macromanaged

Not my job




PM - Define Security Objectives

• Understand current threats and risks
  – As well as control objectives and controls
• Know security drivers
• Understand resources (skills needed)
• Have defined requirements
• Have a plan

PM - Align with IT

Objectives
– Ensure security objectives for the project align with those of IT and the organisation as a whole.
  • Beyond the project
  • Quality
  • Compliance
  • Availability
  • KPIs

Handover
– Who will own the project solution?
  – Accountability
– How will it be supported?
  – Maintenance
– Responsible for security and compliance to policy?
  – Security Operations and Monitoring
  – Compliance

PM - Align with IT

• Embed security skills within IT
  – Development = secure code skills
  – Architecture = security technology and architecture skills
  – Communications (Networks) = network and infrastructure security skills
  – Support = security training and awareness, security operations and monitoring
  – Quality = security testers, auditors
• Develop working relationships with IT management and help them understand security objectives aligned with theirs.

PM Objective - Quality

What is Quality?
  – Subjective
  – Depends on context

ISO 9001: "Degree to which a set of inherent characteristics fulfills requirements."
Six Sigma: "Number of defects per million opportunities."

Quality Assurance: prevention of defects
Quality Control: detection of defects

The role for QA

• Traditional
  – Testing performed at end of waterfall process
  – Document centric: specifications and test plans
  – Developer-QA interaction: throw over wall
• Agile
  – Testing activity at all stages of the development lifecycle
  – Face to face interactions matter more than documents
    • Testers talk to developers
  – QA is essential for a complete Agile process (by-passing the QA team is high risk)

Agile Testing

• Requirements documents give way to stories tied with User Acceptance Tests
• Specifications give way to prototypes, mock ups, examples
  – but some documents are necessary
• QA and testers are part of the Agile team, interact with developers, end users, and customer

How much automated testing?

(Diagram: "Ideal" versus "Typical" distribution of automated testing across the UI (end-to-end), Service and Unit layers.)

UI: What is meant here is testing the whole application through the UI layer – it becomes difficult to tell where the problem is.

Security within a Generic Waterfall Project
Secure Development Lifecycle

(Diagram, reconstructed as a list; phases run Initiate, Plan, Design, Develop, Test, Release.)

Development Process (High Level)
  Initiate: Business Requirements
  Plan: Functional Requirements; Non-Functional Requirements
  Design: End to End Design
  Develop: Build
  Test: QA
  Release: Pre / Post Production

Secure Development
  Initiate: High Level Risk Assessment
  Plan: Security Requirements Review
  Design: Threat Modelling; Abuse Cases; Security Architecture Review
  Develop: Source Code Review; Checklist Review - Code
  Test: Penetration Testing; Checklist Review – Infosec Criteria
  Test / Release: Security Metrics and Reporting

Supporting Processes (across all phases)
  Risk Assessment, Metrics and Reporting
  Training and Education (Awareness, Process, Technical)
  Project Governance and Change Management
  Defect Management
  Release: Project Close Down

Supporting Documents
  Corporate Infosec Policies
  Infosec Standards
  Development Standards and Guidelines
  Acceptance Criteria

Agile Lifecycle: what happens before first Sprint

(Timeline, reconstructed as a list.)

Project Idea: Is this worthwhile? Is this feasible?
Project Inception: Issues, risks, opportunities, marketing, green/red light
Project Setup: Requirements gathering, team, infrastructure
Sprint 0: 1st architecture iteration, high view design
Sprint 1, Sprint 2 … Sprint N: Sprint or Iteration

Benefits of a Framework Approach

• Primary Benefit
  – A way to link the inherent threats and risks of applications and underlying infrastructure to those facing the organisation as a whole.

That’s business speak for ‘get all of the super techies and business types on the same page’

Microsoft Security Development Lifecycle

• Software development processes designed to improve the security of the software
  – Reaction to negative security reputation in early 2000’s
  – Three core concepts—education, continuous process improvement, and accountability.

Software Assurance Security Model

o An OWASP Project
o Open framework to help organizations formulate and implement a strategy
  for software security.




Microsoft SDL for Agile

• Security practices
  – Every-Sprint practices: essential security practices that should be performed in every release.
    • Threat Assessment
    • Code Review
    • Design Review
  – Bucket practices: important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
    • Dynamic Security Testing
    • Fuzz Testing (mis-use)
  – One-Time practices: foundational security practices that must be established once at the start of every new Agile project.
    • Risk Assessment
    • Define Requirements
    • Incident Response

Security within Agile Development

Focus:
• Coding guidelines/standards/secure design patterns
• Continuous Testing




Security within a Development Project
Secure Development Lifecycle

(Same secure development lifecycle diagram as shown under "Security within a Generic Waterfall Project" above.)

Methods Compared (Security Perspective)

Timing of Activities
  Waterfall: Defined in distinct project phases; focus towards end of project / pre-release
  Agile: Iterative, in line with project lifecycle phases; focus on continuous testing throughout project

Security Skills Integration
  Waterfall: Specialty skills primarily in information security; brought in as needed; interaction as needed
  Agile: Broader range of security and software development skills; embedded within project teams; frequent interaction/involvement

Security Testing
  Waterfall: Specific security testing; periodic; more towards end of project
  Agile: Hybrid security testing; continuous; steady level of testing activity throughout project

Threat Assessment

• Structured process to identify, categorise and document application level risks;
• Provides important input into subsequent phases of the SDLC such as the formulation of application security requirements, generation of abuse cases, targeted code review and, most importantly, the design of compensating controls to protect against specific threats.

Example – Threat Assessment

Mobile Device Customer Banking Application

• Performed threat assessment of proposed solution
  – Assessed use cases and scenarios (story boards)
• Results led to the following:
  – Understand primary threats
  – Derive primary security objectives
  – Validated security requirements
  – Security considerations for solution design prior to and while coding

Example – Integrated Code Review

Financial Transaction Processing Application

• Security code review capabilities provided to project teams
  – Integrated security code review capabilities within the development infrastructure
    • On developer desktops
    • Within the build environment
  – Results led to the following:
    • Increased awareness of security within teams
    • Ability to perform continuous testing
    • Emergence of ‘secure code libraries’

Are Agile and Secure Development Mutually Exclusive?




Summary of security vulnerabilities, and how Agile can help:

• Code weaknesses
  – Code standards: these can be tested using security unit tests
• Architecture/Design weaknesses
  – Agile iterations revisit the design every iteration, raising security as a first-class consideration
• Social engineering / cognitive hacking
  – Run an Agile security sprint to simulate scenarios and identify weak spots
• Lack of motivation to implement security
  – Agile collaboration can raise the security profile: it may not be seen to add value to an application, but it lowers the customer’s risk (fear)

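The "security unit tests" for code standards mentioned above, and the code review checks integrated into developer desktops and the build environment in the earlier Financial Transaction Processing example, can be one and the same: a test that parses the code and fails the build on banned constructs. The example below is added here and is not from the slides or Gotham Digital Science; the coding standard it enforces (no eval/exec, no subprocess call with shell=True, no dynamically built SQL passed to execute()) and the sample module it checks are constructed.

```python
"""Security unit test that enforces a constructed coding standard by parsing
Python source with the standard library's ast module.  Runs the same way on a
developer desktop and in the build, so it fits an every-sprint practice."""
import ast
from dataclasses import dataclass
from typing import List

# Constructed coding standard (hypothetical): calls banned outright because
# they turn attacker-controlled strings into executable code.
BANNED_CALLS = {"eval", "exec"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return the callee as a dotted name, e.g. 'eval' or 'cursor.execute'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when a query argument is assembled at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def check_source(source: str) -> List[Finding]:
    """Parse Python source and report every violation of the coding standard."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in BANNED_CALLS:
            findings.append(Finding("no-eval", node.lineno, f"{name}() is banned"))
        # subprocess.* with shell=True hands the whole argument string to a shell.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append(Finding("no-shell", node.lineno,
                                            f"{name}(shell=True)"))
        # execute() must receive a constant query; values are bound separately.
        if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            findings.append(Finding("parameterised-sql", node.lineno,
                                    f"{name}() called with a dynamically built query"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module, as it might be committed during a sprint.
SAMPLE_MODULE = '''
import subprocess

def find_account(cursor, account_id):
    cursor.execute("SELECT * FROM accounts WHERE id = %s" % account_id)

def find_account_ok(cursor, account_id):
    cursor.execute("SELECT * FROM accounts WHERE id = %s", (account_id,))

def run_report(name):
    subprocess.run("report " + name, shell=True)

def compute(expr):
    return eval(expr)
'''


def test_coding_standard() -> List[Finding]:
    """The security unit test itself: the build fails on any finding."""
    findings = check_source(SAMPLE_MODULE)
    assert [f.rule for f in findings] == ["parameterised-sql", "no-shell", "no-eval"], findings
    return findings


if __name__ == "__main__":
    for f in test_coding_standard():
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

The compliant find_account_ok() passes because its query is a constant with the value bound as a parameter; in practice the check would be pointed at the repository rather than an embedded sample.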
Methods Compared (Security Perspective)

Timing of Activities
  Waterfall: Defined in distinct project phases; focus towards end of project / pre-release
  Agile: Iterative, in line with project lifecycle phases; focus on continuous testing throughout project

Security Skills Integration
  Waterfall: Specialty skills primarily in information security; brought in as needed; interaction as needed
  Agile: Broader range of security and software development skills; embedded within project teams; frequent interaction/involvement

Security Testing
  Waterfall: Specific security testing; periodic; more towards end of project / pre-release
  Agile: Hybrid security testing; continuous; steady level of testing activity throughout project

Conclusions

• Agile management processes complement GRC objectives:
  – Continuous auditing and controls monitoring
• Like any process, success is dependent on a number of factors:
  – People (skills)
  – Metrics
  – Defined clear objectives
  – Clear requirements
• Stronger emphasis on coding guidelines/standards/secure design patterns

Everything you should already know about MS-SQL post-exploitation
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
