Matthew Coles - Izar Tarandach - Security Toolbox
•Transferir como ODP, PDF•
0 gostou•2,209 visualizações
![Challenges in Agile ,[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Semelhante a Matthew Coles - Izar Tarandach - Security Toolbox
Semelhante a Matthew Coles - Izar Tarandach - Security Toolbox (20)
Mais de Source Conference
Mais de Source Conference (20)
Último
Último (20)
Matthew Coles - Izar Tarandach - Security Toolbox
- 1. Security Toolbox: Managing Security Risk for Agile Practitioners Matthew Coles & Izar Tarandach RSA, the Security Division of EMC
- 5. No resources
- 7. Success criteria defined by Product Owner (channelling the customer)
- 10. Code Analysis
- 11. Security Testing
- 13. But can still be too late to avoid costly rework
- 16. Enable better work estimation
- 20. Acceptance tests to implement
- 23. Priority Hints to Product Owners and Scrum Masters
- 27. Policies
- 30. Common Attack Pattern Enumeration and Classification (CAPEC)
- 32. Toolbox ”Schema” (CWE) (CWE) (CAPEC) (Policy) Architectural Elements Toolbox Item Lens or Filter Web Server (generic) Apache (specific) Apache 2.0.29 (instance) IIS (specific) CVE Policy CWE Internal Document CWE Mitigation (Backlog) Mitigation (Task) Acceptance Criteria (Test) Component Whitelist*
- 36. One QA engineer
- 37. One doc writer
- 40. ”User at home or mobile with web browser”
- 41. ”Storage in backend processing system”
- 42. ”User name and email address stored for later follow-up” Acceptance Criteria Interface works on Windows and Mac Acceptance Criteria User data goes from Interface to backend User Story User with web browser enters data into interface and data is stored in backend system. Acceptance Criteria User interface is visually appealing (focus group).
- 43. Epic User with web browser enters data into interface and data is stored in backend system. Story B UI process sends data to backend store Points: 200 Story A User enters data into interface Points: 500 Story C User gets response of successful upload Points: 100
- 44. Web Browser HTTP Server Database Constraint - UI Technology Choices HTML, Flash Constraint - Server Technology Choices LAMP (Linux, Apache, MySQL, PHP) Constraint - DB Technology Choices MySQL
- 45. Backlogs w/o Toolbox Product Sprint Task 1 (80 pts) Construct Flash UI for user input Task 3 (30 pts) Validate UI input Task 2 (40 pts) Enable connection to server via HTTP Task 4 (30 pts) Write user input to database Task S1 (25 pts) Create form with user input fields in Flash/ActionScript Task S2 (25 pts) Check input meets type/range criteria Task S3 (25 pts) Create submit() function to send user data to server Task S4 (25 pts) Accept data from web client and write to database Acceptance Test Validate test data is stored in database after user hits submit button Acceptance Test Validate user input field accepts only plain text input.
- 46. Web Browser HTTP Server Database User Interface Flash Web Server Apache Apache 2.0.29 Database MySQL HTML Server HTTP/1.1
- 47. Web Server Apache Apache 2.0.29 Security Test: Sniffing data communications (CAPEC-157) Task: Enable port 443 in firewall Policy: Secure user communications Component Check: Apache 2.0.29 Backlog: SSLv3/TLSv1 Risk: High Cost: 10 Acceptance Test: Network vulnerability scan reports 0 critical defects
- 48. HTTP/1.1 HTTP/1.1 SSLv3 tcp/443 SPRINT 1 Without Toolbox With Toolbox Flash UI Apache MySQL Flash UI Apache 2.0.29 MySQL
- 53. Siponen, M.; Baskerville, R.; Kuivalainen, T., ”Integrating Security into Agile Development Methods”, IEEE, 2005
- 54. Common Weakness Enumeration (CWE): http://cwe.mitre.org/
- 55. Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/
- 56. Common Vulnerability Enumeration (CVE): http://cve.mitre.org/
- 57. Microsoft Security Development Lifecycle (SDL): http://go.microsoft.com/?linkid=9769715
- 58. Security Toolbox Discussion Q & A
- 59. Future Topics Areas for additional work
- 65. constraint(OS = Microsoft Windows)
- 66. constraint(instance = Apache:9.2.3, OS = not Microsoft Windows)
- 67. vuln(WWW Server,Privileged network port open)
- 68. vuln(WWW Server,Tainted data over network)
- 70. mitigation(Tainted data over network,SSL,cost=5)
- 71. mitigation(Privileged network port open,drop privileges after opening port,cost=1)
- 72. (….) Example Goal: secure implementation of target X == list of all needed mitigations per instance of targets, observing constraints, ranked by cost.
Notas do Editor
- Welcome This presentation is presented by Matthew Coles and Izar Tarandach with the EMC Product Security Office. We are presenting a method for identifying and managing security in product development. While our focus today is a result of issues we have observed from teams performing software development in an Agile or iterative lifecycle, this approach may be feasible for more traditional development methods. Ask people why they are at the presentation. Have they done agile before? Are they planning to? Software development team. Scope of work we do at EMC.
- Security engineering is a puzzle game. We thought Tetris actually provided an excellent way to represent Agile development. Tetris presents a number of matching qualities: * The game starts cleanly, and builds upon previous layers, ad nauseum * Components are added according to some pattern, but that pattern is not known to the player * The player must somehow make all the pieces fit together, and must do this more quickly as time progresses * When (not if) mistakes are made, holes are present in the structure being built. These holes represent security defects. The caveat: in the real world, those holes are not visible, unless certain activities are performed.
- In an Agile development model, requirements are collected and components fit together, but unlike in standard development lifecycles (i.e waterfall) the order and priority is vaguely random. This is similar to the selection pattern of components in the game from the previous slide. Success criteria is also a moving target, and requires the Product Owner to successfully interpret customer and stakeholder requirements. Finally, acceptance tests, functional design, and other metrics are only as good as the subject matter experts knowledge. Given the often shortened timeframe between requirement generation and functional product, there is limited time to review possible options to select the most secure option.
- There are of course ways to detect security defects. Risk Analysis – EMC uses a variant of Threat Modeling based on a ”library” tying architecture to threats.
- As more features are added, security debt (and therefore risk) increases, without mitigations. When mitigations happen (fixing threats and bugs, not testing or threat modeling), there is a momentary drop in debt/risk. Until security detection activities like Threat Modeling or Code Analysis is performed, debt/risk is ”potential” rather than ”kinetic”.
- Caveat: Toolbox cannot alone fix security defects, only help you avoid them. Just-in-time guidance, without the promise of 100% completeness.
- .
- Describe how to select based on architecture, and how to choose between generic or specific.
- The architecture of the knowledge base upon which the toolbox is created is a great example of the use of the famed expert systems of years gone by. A team looking for help can perform many different queries upon the same fact database: Given a need for a web server, which instance would give me less work to make secure? Given a vulnerability (at any granularity) what instances are NOT vulnerable? Given a set of constraints, what kind of mitigations will I be considering?