SlideShare a Scribd company logo

Agile and Secure

Denim Group
Denim Group

This presentation describes Agile development practices as well as the requirements for building secure applications. It examines ways that teams can incorporate security into Agile development projects to successfully meet the goals of both.

Technology
1 of 35
Download to read offline
Agile and Secure – Can We Be Both? San Antonio AITP August 15th, 2007
Agenda • Background • Evolution of traditional software development methodologies • Benefits of Agile development • Requirement for Secure development • Agile and Secure • Questions 1
Background • Programmer b b k P by background d – Both .NET and JEE: MCSD, Java 2 Certified Programmer – Developer focused on security, not a security professional looking at development • Denim Group – Software Development: .NET and JEE NET – Software / Application Security • Vulnerability Assessments, Penetration Tests, Training, Mentoring • Basis for this presentation: – Work with our customers doing SDLC security mentoring – Challenges facing our own agile development teams g g g p • Deliver projects in an economically-responsible manner • Uphold security goals 2
Evolution of Traditional Software Development Methodologies p g • Ad Hoc • Waterfall 3
Ad Hoc Software Development • Early days of computing – Focus was on hardware – Software was secondary • No structure – “cowboy coding” • Became unacceptable as software systems became larger and more critical 4
Waterfall Software Development • Treat software engineering as any structure engineering process • House building metaphor 5
Waterfall Software Development Integration Requirements Architecture Design Coding Deployment Testing 6
Problems with Waterfall Model • Creating software is different than creating bridges or buildings – Creativity required throughout the process – not just at the outset • Very documentation heavy • Changes are expensive – Must go back up the waterfall for impact analysis • Business requirements change over time – By the time you finish a system, the target has moved 7
Enter Agile Methods Be more responsive to business concerns Increase the frequency of stable releases Decrease the time it takes to deploy new features Do not waste time on “superfluous” documentation and p planning g 8
Notable Agile Methods • eXtreme Programming (XP) • Feature Driven Development (FDD) • SCRUM • MSF for Agile Software Development • Agile Unified Process (AUP) • Crystal 9
Manifesto for Agile Software p Development Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Source: http://www.agilemanifesto.org/ 10
Agile’s Core Values • Communication C i ti • Simplicity • Feedback • Courage 11
Principles of Agile Development • Rapid Feedback • The system is appropriate for the intended audience audience. • Simple Design • The code passes all the tests. • Incremental Change • Th code communicates everything The d i hi it needs to. • Embracing Change • The code has the smallest number of classes and methods. • Quality Work 12
Agile Practices • Customer: scope, priorities and release dates • The Planning Game • Developer: estimates estimates, consequences and detailed • The Driving Metaphor scheduling • Shared Vision • On-Site Customer • Development iterations or • Small Releases cycles that last 1-4 weeks. • Release iterations as soon as possible (weekly, monthly, quarterly). 13
More Agile Practices • Collective Ownership • Test Driven • Continuous Integration • Coding Standards g • Pair Programming 14
The Agile Practitioner’s Dilemma Practitioner s Agile Forces: Secure Forces: Be more responsive to Comply with more business concerns aggressive regulatory Increase the frequency environment of stable releases Focus on need for Decrease the time it security takes to deploy new Traditional approaches features to security require Do not waste time on additional “superfluous” documentation and documentation and planning (D’Oh!) planning 15
Definition of Secure A secure product is one that protects the confidentiality, p p y, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the s stem’s o ner or administrator system’s owner administrator. -- Source: Writing Secure Code (Microsoft com) (Microsoft.com) 16
A Secure Development Process… • Strives To Be A Repeatable Process • Requires Team Member Education • Tracks Metrics and Maintains Accountability Sources: “Writing Secure Code” 2nd Ed., Howard & LeBlanc “The Trustworthy Computing Security Development Lifecycle” by Lipner & Howard y p 17
Secure Development Principles • SD3: Secure by Design, Secure by Default, and in Deployment • Learn From Mistakes • Minimize Your Attack Surface • Assume External Systems Are Insecure • Plan On Failure • Never Depend on Security Through Obscurity Alone • Fix Security Issues Correctly 18
Secure Development Practices • Threat Modeling / Architectural Risk Assessment • Education, Education, Education • Secure Coding – Via standards and practitioner knowledge • Security Reviews – A hit t Architecture – Design – Code • Security Testing (Penetration Testing) 19
Microsoft s Microsoft’s Secure Development Lifecycle (SDL) • Requirements • Design • Implementation • Verification • Release • (Waterfall!) 20
Dr. Dr Dobb’s says Agile Methods Are Catching On 41% of organizations have adopted an agile methodology Of the 2,611 respondents doing agile… p g g • 37% using eXtreme Programming • 19% using Feature Driven Development (FDD) • 16% using SCRUM • 7% using MSF for Agile S ft i f A il Software DDevelopment l t Source: http://www.ddj.com/dept/architect/191800169 21
Agile Teams are “Quality Infected” • 60% reported increased productivity • 66% reported improved quality • 58% improved stakeholder satisfaction 22
Adoption Rate for Agile Practices Of the respondents using an agile method… • 36% have active customer participation • 61% have adopted common coding guidelines • 53% perform code regression testing • 37% utilize pair programming 23
An Integrated Process Making Agile Trustworthy 24
Project Roles • Product Manager / Customer • Program Manager / Coach • Architect • Developer • Tester • Security Adviser 25
Organization Setup • Education & Training (include Security) – Developers – Testers – Customers • User Stories / Use Case Driven Processes • Enterprise Architecture Decisions • Organizational adoption of Threat Modeling 26
Project / Release Planning • User Stories / Use Cases Drive… – Acceptance Test Scenarios – Estimations may affect priorities and thus the composition of the release – Inputs for Threat Modeling p g – Security Testing Scenarios – Determine the qualitative “risk budget” • Keep the customer involved in making risk tradeoffs p g • Finalize Architecture & Development Guidelines – Common Coding Standards (include security) • Crucial for collective code ownership p – Data Classification standards – Conduct Initial Threat Modeling (assets & threats) • Agree on STRIDE and DREAD classifications – Designer’s Security Checklist 27
Iteration Planning • 1-4 Weeks in Length (2 weeks is very common) • B i with an It ti Pl Begins ith Iteration Planning M ti i Meeting – User Stories are broken down into Development Tasks – Developers estimate their own tasks p – Document the Attack Surface (Story Level) – Model the threats alongside the user story documentation • Crucial in documentation-light processes documentation light • Capture these and keep them – Code will tell you what decision was made, threat models will tell you why decisions were made – Crucial for “refactoring” in the face of changing security priorities • Never Slip the Date – Add or Remove Stories As Necessary 28
Executing an Iteration • Daily Stand-ups • Continuous Integration – Code Scanning Tools – Security Testing Tools • Adherence to Common Coding Standards and Security Guidelines – Crucial for communal code ownership • Developer’s Checklist 29
Closing an Iteration • Automation of Customer Acceptance Tests – Include negative testing for identified threats • Security Code Review – Some may have happened informally during pair programming 30
Stabilizing a Release • Schedule Defects & Vulnerabilities – Prioritize vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards t d d • Security Push – Include traditional penetration testing 31
Compromises We’ve Made • Security Compromises: – Short term, iterative focus removes “top down” control – Focus on individual features can blind process to cross-feature security issues • Agile Compromises: – More documentation than is required in pure Agile development • Security coding standards • Data classification standards • Project-specific STRIDE and DREAD standards • User story threat models – Additional tasks increase development time – Forces customers to accept security (isn’t this a good thing?) 32
Characteristics of an Agile and Secure Process • Customer-focused C t f d • Responsive • Iterative • Trustworthy 33
Questions Dan Cornell dan@denimgroup.com (210) 572-4400 Website: www denimgroup com www.denimgroup.com Blog 1: www.agileandsecure.com Blog 2: denimgroup.typepad.com 34

Recommended

Scrum
ScrumScrum
Scrum
Amit Sawhney
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
Security Innovation
 
My talk at PMI Sweden Congress 2013 on Agile and Large Software Products
My talk at PMI Sweden Congress 2013 on Agile and Large Software ProductsMy talk at PMI Sweden Congress 2013 on Agile and Large Software Products
My talk at PMI Sweden Congress 2013 on Agile and Large Software Products
Svante Lidman
 
Agile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter GardnerAgile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter Gardner
AdaCore
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
Rogue Wave Software
 
Software Lifecycle
Software LifecycleSoftware Lifecycle
Software Lifecycle
Soumen Sarkar
 
Agile Software Development In The Large
Agile Software Development In The LargeAgile Software Development In The Large
Agile Software Development In The Large
ConSanFrancisco123
 
Challenges of Agile Qualification
Challenges of Agile QualificationChallenges of Agile Qualification
Challenges of Agile Qualification
AdaCore
 

Recommended

Scrum
ScrumScrum
Scrum
Amit Sawhney
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
Security Innovation
 
My talk at PMI Sweden Congress 2013 on Agile and Large Software Products
My talk at PMI Sweden Congress 2013 on Agile and Large Software ProductsMy talk at PMI Sweden Congress 2013 on Agile and Large Software Products
My talk at PMI Sweden Congress 2013 on Agile and Large Software Products
Svante Lidman
 
Agile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter GardnerAgile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter Gardner
AdaCore
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
Rogue Wave Software
 
Software Lifecycle
Software LifecycleSoftware Lifecycle
Software Lifecycle
Soumen Sarkar
 
Agile Software Development In The Large
Agile Software Development In The LargeAgile Software Development In The Large
Agile Software Development In The Large
ConSanFrancisco123
 
Challenges of Agile Qualification
Challenges of Agile QualificationChallenges of Agile Qualification
Challenges of Agile Qualification
AdaCore
 
Open source software support for the enterprise
Open source software support for the enterpriseOpen source software support for the enterprise
Open source software support for the enterprise
Rogue Wave Software
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
Denim Group
 
Agile Maintenance
Agile MaintenanceAgile Maintenance
Agile Maintenance
Naresh Jain
 
Agile Software Development - Making Programming Fun Again
Agile Software Development - Making Programming Fun AgainAgile Software Development - Making Programming Fun Again
Agile Software Development - Making Programming Fun Again
Calen Legaspi
 
Managing Software Debt - Quality Debt Focus for QASIG Seattle
Managing Software Debt - Quality Debt Focus for QASIG SeattleManaging Software Debt - Quality Debt Focus for QASIG Seattle
Managing Software Debt - Quality Debt Focus for QASIG Seattle
Chris Sterling
 
intro to DevOps
intro to DevOpsintro to DevOps
intro to DevOps
Mujahed Al-Tahle
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
Quality
QualityQuality
Quality
Naren Kmar
 
Agile Software Development Process Practice in Thai Culture
Agile Software Development Process Practice in Thai CultureAgile Software Development Process Practice in Thai Culture
Agile Software Development Process Practice in Thai Culture
Wee Witthawaskul
 
Agile Software Development in Practice - A Developer Perspective
Agile Software Development in Practice - A Developer PerspectiveAgile Software Development in Practice - A Developer Perspective
Agile Software Development in Practice - A Developer Perspective
Wee Witthawaskul
 
Mastering BDD - Eran Kinsbruner Workshop Quest 2018
Mastering BDD - Eran Kinsbruner Workshop Quest 2018Mastering BDD - Eran Kinsbruner Workshop Quest 2018
Mastering BDD - Eran Kinsbruner Workshop Quest 2018
Perfecto Mobile
 
P&msp2010 08 development-management
P&msp2010 08 development-managementP&msp2010 08 development-management
P&msp2010 08 development-management
Emanuele Della Valle
 
Agile intro module 1
Agile intro module 1Agile intro module 1
Agile intro module 1
André Heijstek
 
Offshore Agile Maintenance
Offshore Agile MaintenanceOffshore Agile Maintenance
Offshore Agile Maintenance
Naresh Jain
 
Resource Adaptive Systems
Resource Adaptive SystemsResource Adaptive Systems
Resource Adaptive Systems
Tom Mueck
 
Software testing agile_environment_wp
Software testing agile_environment_wpSoftware testing agile_environment_wp
Software testing agile_environment_wp
Cristiano Caetano
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4
Marvin Heery
 
Think future technologies – corporate presentation (public)
Think future technologies – corporate presentation (public)Think future technologies – corporate presentation (public)
Think future technologies – corporate presentation (public)
Tft Us
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Think Future Technologies
Think Future TechnologiesThink Future Technologies
Think Future Technologies
Swati Singh
 
Wasserman Keynote at ICSSP 2013
Wasserman Keynote at ICSSP 2013Wasserman Keynote at ICSSP 2013
Wasserman Keynote at ICSSP 2013
twasserman
 

More Related Content

What's hot

P&msp2010 08 development-management
P&msp2010 08 development-managementP&msp2010 08 development-management
P&msp2010 08 development-management
Emanuele Della Valle
 
Software testing agile_environment_wp
Software testing agile_environment_wpSoftware testing agile_environment_wp
Software testing agile_environment_wp
Cristiano Caetano
 

What's hot (16)

Open source software support for the enterprise
Open source software support for the enterpriseOpen source software support for the enterprise
Open source software support for the enterprise
 
Real Cost of Software Remediation
Real Cost of Software RemediationReal Cost of Software Remediation
Real Cost of Software Remediation
 
Agile Maintenance
Agile MaintenanceAgile Maintenance
Agile Maintenance
 
Agile Software Development - Making Programming Fun Again
Agile Software Development - Making Programming Fun AgainAgile Software Development - Making Programming Fun Again
Agile Software Development - Making Programming Fun Again
 
Managing Software Debt - Quality Debt Focus for QASIG Seattle
Managing Software Debt - Quality Debt Focus for QASIG SeattleManaging Software Debt - Quality Debt Focus for QASIG Seattle
Managing Software Debt - Quality Debt Focus for QASIG Seattle
 
intro to DevOps
intro to DevOpsintro to DevOps
intro to DevOps
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
 
Quality
QualityQuality
Quality
 
Agile Software Development Process Practice in Thai Culture
Agile Software Development Process Practice in Thai CultureAgile Software Development Process Practice in Thai Culture
Agile Software Development Process Practice in Thai Culture
 
Agile Software Development in Practice - A Developer Perspective
Agile Software Development in Practice - A Developer PerspectiveAgile Software Development in Practice - A Developer Perspective
Agile Software Development in Practice - A Developer Perspective
 
Mastering BDD - Eran Kinsbruner Workshop Quest 2018
Mastering BDD - Eran Kinsbruner Workshop Quest 2018Mastering BDD - Eran Kinsbruner Workshop Quest 2018
Mastering BDD - Eran Kinsbruner Workshop Quest 2018
 
P&msp2010 08 development-management
P&msp2010 08 development-managementP&msp2010 08 development-management
P&msp2010 08 development-management
 
Agile intro module 1
Agile intro module 1Agile intro module 1
Agile intro module 1
 
Offshore Agile Maintenance
Offshore Agile MaintenanceOffshore Agile Maintenance
Offshore Agile Maintenance
 
Resource Adaptive Systems
Resource Adaptive SystemsResource Adaptive Systems
Resource Adaptive Systems
 
Software testing agile_environment_wp
Software testing agile_environment_wpSoftware testing agile_environment_wp
Software testing agile_environment_wp
 

Similar to Agile and Secure

Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4
Marvin Heery
 
Think future technologies – corporate presentation (public)
Think future technologies – corporate presentation (public)Think future technologies – corporate presentation (public)
Think future technologies – corporate presentation (public)
Tft Us
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Software Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And WisdmSoftware Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And Wisdm
guestc990b6
 
ppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfu
ppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfuppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfu
ppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfu
tubashaikh26
 
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...
Dave Healey
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
Denim Group
 
Bridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionBridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to Production
Florian Wilhelm
 

Similar to Agile and Secure (20)

Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4
 
Think future technologies – corporate presentation (public)
Think future technologies – corporate presentation (public)Think future technologies – corporate presentation (public)
Think future technologies – corporate presentation (public)
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Think Future Technologies
Think Future TechnologiesThink Future Technologies
Think Future Technologies
 
Wasserman Keynote at ICSSP 2013
Wasserman Keynote at ICSSP 2013Wasserman Keynote at ICSSP 2013
Wasserman Keynote at ICSSP 2013
 
Software Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And WisdmSoftware Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And Wisdm
 
ppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfu
ppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfuppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfu
ppt_se.bdfhrfykjyftiktgdukhydiyiuoyu8otrfu
 
From XP and Continuous Integration to DevOps
From XP and Continuous Integration to DevOpsFrom XP and Continuous Integration to DevOps
From XP and Continuous Integration to DevOps
 
ppt_se.pdf
ppt_se.pdfppt_se.pdf
ppt_se.pdf
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Enterprise system implementation strategies and phases
Enterprise system implementation strategies and phasesEnterprise system implementation strategies and phases
Enterprise system implementation strategies and phases
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...
SharePoint and Lean Development: Critical Factors for Accelerating Time to Va...
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
 
Continuous Delivery: why ? where to start ? how to scale ?
Continuous Delivery: why ? where to start ? how to scale ?Continuous Delivery: why ? where to start ? how to scale ?
Continuous Delivery: why ? where to start ? how to scale ?
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Bridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionBridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to Production
 

More from Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Agile and Secure

  • 1. Agile and Secure – Can We Be Both? San Antonio AITP August 15th, 2007
  • 2. Agenda • Background • Evolution of traditional software development methodologies • Benefits of Agile development • Requirement for Secure development • Agile and Secure • Questions 1
  • 3. Background • Programmer b b k P by background d – Both .NET and JEE: MCSD, Java 2 Certified Programmer – Developer focused on security, not a security professional looking at development • Denim Group – Software Development: .NET and JEE NET – Software / Application Security • Vulnerability Assessments, Penetration Tests, Training, Mentoring • Basis for this presentation: – Work with our customers doing SDLC security mentoring – Challenges facing our own agile development teams g g g p • Deliver projects in an economically-responsible manner • Uphold security goals 2
  • 4. Evolution of Traditional Software Development Methodologies p g • Ad Hoc • Waterfall 3
  • 5. Ad Hoc Software Development • Early days of computing – Focus was on hardware – Software was secondary • No structure – “cowboy coding” • Became unacceptable as software systems became larger and more critical 4
  • 6. Waterfall Software Development • Treat software engineering as any structure engineering process • House building metaphor 5
  • 7. Waterfall Software Development Integration Requirements Architecture Design Coding Deployment Testing 6
  • 8. Problems with Waterfall Model • Creating software is different than creating bridges or buildings – Creativity required throughout the process – not just at the outset • Very documentation heavy • Changes are expensive – Must go back up the waterfall for impact analysis • Business requirements change over time – By the time you finish a system, the target has moved 7
  • 9. Enter Agile Methods Be more responsive to business concerns Increase the frequency of stable releases Decrease the time it takes to deploy new features Do not waste time on “superfluous” documentation and p planning g 8
  • 10. Notable Agile Methods • eXtreme Programming (XP) • Feature Driven Development (FDD) • SCRUM • MSF for Agile Software Development • Agile Unified Process (AUP) • Crystal 9
  • 11. Manifesto for Agile Software p Development Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Source: http://www.agilemanifesto.org/ 10
  • 12. Agile’s Core Values • Communication C i ti • Simplicity • Feedback • Courage 11
  • 13. Principles of Agile Development • Rapid Feedback • The system is appropriate for the intended audience audience. • Simple Design • The code passes all the tests. • Incremental Change • Th code communicates everything The d i hi it needs to. • Embracing Change • The code has the smallest number of classes and methods. • Quality Work 12
  • 14. Agile Practices • Customer: scope, priorities and release dates • The Planning Game • Developer: estimates estimates, consequences and detailed • The Driving Metaphor scheduling • Shared Vision • On-Site Customer • Development iterations or • Small Releases cycles that last 1-4 weeks. • Release iterations as soon as possible (weekly, monthly, quarterly). 13
  • 15. More Agile Practices • Collective Ownership • Test Driven • Continuous Integration • Coding Standards g • Pair Programming 14
  • 16. The Agile Practitioner’s Dilemma Practitioner s Agile Forces: Secure Forces: Be more responsive to Comply with more business concerns aggressive regulatory Increase the frequency environment of stable releases Focus on need for Decrease the time it security takes to deploy new Traditional approaches features to security require Do not waste time on additional “superfluous” documentation and documentation and planning (D’Oh!) planning 15
  • 17. Definition of Secure A secure product is one that protects the confidentiality, p p y, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the s stem’s o ner or administrator system’s owner administrator. -- Source: Writing Secure Code (Microsoft com) (Microsoft.com) 16
  • 18. A Secure Development Process… • Strives To Be A Repeatable Process • Requires Team Member Education • Tracks Metrics and Maintains Accountability Sources: “Writing Secure Code” 2nd Ed., Howard & LeBlanc “The Trustworthy Computing Security Development Lifecycle” by Lipner & Howard y p 17
  • 19. Secure Development Principles • SD3: Secure by Design, Secure by Default, and in Deployment • Learn From Mistakes • Minimize Your Attack Surface • Assume External Systems Are Insecure • Plan On Failure • Never Depend on Security Through Obscurity Alone • Fix Security Issues Correctly 18
  • 20. Secure Development Practices • Threat Modeling / Architectural Risk Assessment • Education, Education, Education • Secure Coding – Via standards and practitioner knowledge • Security Reviews – A hit t Architecture – Design – Code • Security Testing (Penetration Testing) 19
  • 21. Microsoft s Microsoft’s Secure Development Lifecycle (SDL) • Requirements • Design • Implementation • Verification • Release • (Waterfall!) 20
  • 22. Dr. Dr Dobb’s says Agile Methods Are Catching On 41% of organizations have adopted an agile methodology Of the 2,611 respondents doing agile… p g g • 37% using eXtreme Programming • 19% using Feature Driven Development (FDD) • 16% using SCRUM • 7% using MSF for Agile S ft i f A il Software DDevelopment l t Source: http://www.ddj.com/dept/architect/191800169 21
  • 23. Agile Teams are “Quality Infected” • 60% reported increased productivity • 66% reported improved quality • 58% improved stakeholder satisfaction 22
  • 24. Adoption Rate for Agile Practices Of the respondents using an agile method… • 36% have active customer participation • 61% have adopted common coding guidelines • 53% perform code regression testing • 37% utilize pair programming 23
  • 25. An Integrated Process Making Agile Trustworthy 24
  • 26. Project Roles • Product Manager / Customer • Program Manager / Coach • Architect • Developer • Tester • Security Adviser 25
  • 27. Organization Setup • Education & Training (include Security) – Developers – Testers – Customers • User Stories / Use Case Driven Processes • Enterprise Architecture Decisions • Organizational adoption of Threat Modeling 26
  • 28. Project / Release Planning • User Stories / Use Cases Drive… – Acceptance Test Scenarios – Estimations may affect priorities and thus the composition of the release – Inputs for Threat Modeling p g – Security Testing Scenarios – Determine the qualitative “risk budget” • Keep the customer involved in making risk tradeoffs p g • Finalize Architecture & Development Guidelines – Common Coding Standards (include security) • Crucial for collective code ownership p – Data Classification standards – Conduct Initial Threat Modeling (assets & threats) • Agree on STRIDE and DREAD classifications – Designer’s Security Checklist 27
  • 29. Iteration Planning • 1-4 Weeks in Length (2 weeks is very common) • B i with an It ti Pl Begins ith Iteration Planning M ti i Meeting – User Stories are broken down into Development Tasks – Developers estimate their own tasks p – Document the Attack Surface (Story Level) – Model the threats alongside the user story documentation • Crucial in documentation-light processes documentation light • Capture these and keep them – Code will tell you what decision was made, threat models will tell you why decisions were made – Crucial for “refactoring” in the face of changing security priorities • Never Slip the Date – Add or Remove Stories As Necessary 28
  • 30. Executing an Iteration • Daily Stand-ups • Continuous Integration – Code Scanning Tools – Security Testing Tools • Adherence to Common Coding Standards and Security Guidelines – Crucial for communal code ownership • Developer’s Checklist 29
  • 31. Closing an Iteration • Automation of Customer Acceptance Tests – Include negative testing for identified threats • Security Code Review – Some may have happened informally during pair programming 30
  • 32. Stabilizing a Release • Schedule Defects & Vulnerabilities – Prioritize vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards t d d • Security Push – Include traditional penetration testing 31
  • 33. Compromises We’ve Made • Security Compromises: – Short term, iterative focus removes “top down” control – Focus on individual features can blind process to cross-feature security issues • Agile Compromises: – More documentation than is required in pure Agile development • Security coding standards • Data classification standards • Project-specific STRIDE and DREAD standards • User story threat models – Additional tasks increase development time – Forces customers to accept security (isn’t this a good thing?) 32
  • 34. Characteristics of an Agile and Secure Process • Customer-focused C t f d • Responsive • Iterative • Trustworthy 33
  • 35. Questions Dan Cornell dan@denimgroup.com (210) 572-4400 Website: www denimgroup com www.denimgroup.com Blog 1: www.agileandsecure.com Blog 2: denimgroup.typepad.com 34