• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Agile Software Security
 

Agile Software Security

on

  • 892 views

How can security assurance (SA) be applied in agile software development? This presentation discusses reasons for misalignment between agile and SA practices, as well as compatible or even mutually ...

How can security assurance (SA) be applied in agile software development? This presentation discusses reasons for misalignment between agile and SA practices, as well as compatible or even mutually reinforcing techniques. The intuitive concept of evil user stories is explored, and the more wholesome and formal approach of Microsoft, SDL/Agile, is outlined.

Statistics

Views

Total Views
892
Views on SlideShare
888
Embed Views
4

Actions

Likes
1
Downloads
16
Comments
0

1 Embed 4

http://www.slideshare.net 4

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Agile Software Security Agile Software Security Presentation Transcript

    • Agile Software Security Olli Ahonen
    • Outline
      • Security assurance
      • Misaligned
      • Aligned
      • Evil user stories
      • Microsoft
    • Outline
      • Security assurance
      • Misaligned
      • Aligned
      • Evil user stories
      • Microsoft
    • Security assurance
      • Design principles
      • Static code analysis
      • External reviews
      • Penetration testing
      • ...
      • “ Good old heavyweight assurance processes”
      K. Beznosov and P. Kruchten
    • Outline
      • Security assurance
      • Misaligned
      • Aligned
      • Evil user stories
      • Microsoft
    • Root causes
    • Working software over comprehensive documentation
    • Big Up-Front Design
    • Deliver working software frequently
    • Deliver working software frequently Collective ownership of code
    • Deliver working software frequently Collective ownership of code Back to square one + =
    • 3rd party
      • Independence
      • Objectivity
      • Credibility
    • Misaligned
      • External reviews
      • Analysis and validation
      • Test depth analysis
      • Manual security testing
    • Root causes
    • Outline
      • Security assurance
      • Misaligned
      • Aligned
      • Evil user stories
      • Microsoft
    • Natural match
      • Internal reviews
      • Build security in
    • Works anyway
      • Architecture and design principles
      • High-level languages & run-time environments
      • Change tracking
    • Automatic
      • Static code analysis
      • Unit testing
      • System testing
    • Outline
      • Security assurance
      • Misaligned
      • Aligned
      • Evil user stories
      • Microsoft
    • Evil user stories
      • From user stories
      • “ How can this functionality be misused?”
      • Build security in
      As an employee, I can search for other employees by their last name As an employee, I can alter the database by inserting an SQL search string
    • Disconnected stories “ User adds “&debug=true” to URL on any page, and receives debug information that discloses system configuration details.”
    • Missing stories
      • Incomplete
      • Inexpressible
    • Outline
      • Security assurance
      • Misaligned
      • Aligned
      • Evil user stories
      • Microsoft
    • Security Development Lifecycle
      • Attack surface analysis
      • Threat modeling
      • Cryptography review
      • Response plan
      • ...
    • SDL/ Agile
    • SDL/ Agile
    • SDL/ Agile
    • SDL/ Agile
    • Summary
      • Don’t force it
      • Nourish synergy
      • Aim for secure enough