SlideShare a Scribd company logo

Security Checkpoints in Agile SDLC

R
Rahul Raghavan

Product Engineering teams have started to realize the importance of software security. This has resulted in the trend where teams are taking efforts to include it as part of their software development life cycle; as opposed to treating it as another item in their checklist prior to release. However, the real challenge is in trying to find the balance between agility and quality which is where many team find this an uphill task. While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator. This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions. This was presented as a we45 Webinar on April 12, 2018

Technology
1 of 27
Download to read offline
ENFORCING SECURITY CHECKPOINTS Rahul Raghavan Co Founder and DevSecOps Proponent, we45
Agenda Ø Software Security Initiative – A Quick Recap Ø Challenges in Application Security Ø The advent of DevSecOps Ø SDLC Security Checkpoints Ø Application Threat Modeling Ø Application Security Tooling Ø Regressions for Application Security
Software Security Initiative “Collection of activities that Measure, Maintain and Improve the state of Software Security”
Phases of an SSI Prepare to Kick Start / Improve your SSI Take Control and Implement your SSI Measure Success of your SSI Identify Continuous Improvements of your SSI PLAN DO CHECK ACT
In focus today… Application Team Mapping Gather Historic Current State Data Ascertain Compliance Legal Objectives Establish SSI Governance Identify Training Needs Organize Tool-chest Identify Security Checkpoints Toolchain implementation Enhance existing automation Build Internal Capability SIG Collaborations Transcend Beyond Penetration Tests Enforce Security Checkpoints PLAN DO
The Advent of DevSecOps Ø Security = Continuous Feedback + Improved Automation Ø End of the chain security activities broken down into piece-meal engagements Ø Division of security responsibilities – Dev, Ops, QA, Security Ø Transformation of engineering tools and platform – interfacing capabilities Ø Everyone needs to “get” code
DevSecOps : Gartner’s Infinite Loop
DevSecOps : The we45 Model
Security Checkpoints Ø Logical security turnstiles at every phase of development and deployment Ø Assimilate common security objectives across engineering teams Ø Establish traceability for identified security flaws
In simplespeak… Design Develop Deploy & Test Release & Monitor Plan Code Build Test Release Deploy Operate Monitor
SOFTWARE DESIGN “There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies” C.A.R Hoare
Threat Modeling Ø Identify, Enumerate and Prioritize - Security Risks Ø Systematic Breakdown of Attack Vectors and Attack Channels Ø Identifying Most Likely, Relevant Threats to a system Ø To identify controls and measures of risk treatment Ø Create a Security Playbook for the Product Team
Everything that’s wrong with Threat Modeling today Ø Assumption of frozen requirements => Very Waterfall! Ø Threat Models are not dynamic enough - Out of date with application delivery Ø Current Threat Modeling is not collaborative – Bunch of Security folks at the beginning of a project
The 1-2-3 of Threat Modeling Abuser Stories Attack Model Test Scenario User Story What can be done to abuse a functionality How to make your abuser story come to life Security checks you can formulate for each attack model
Threat Modeling :: Test Case Mapping User Story As a user I want to search for my notes using the Search functionality Abuser Story As an attacker, I will try to search for notes of other users so as to disclose potentially sensitive info As an attacker I will try to redirect users to malicious sites to compromise account credentials Attack Model Attacker can perform Man-In- The-Middle attacks Attacker can perform Injection attacks Test Scenarios Check if the application is always on HTTPS, across the application Check for SSL strength Check for HSTS header present in HTTP Headers while connecting to the application Check for SSL vulnerabilities like POODLE, BEAST…
Security in Design Ø Consolidate security requirements § Compliance mandates § Regulatory obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds / historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Design Checkpoint Abuser Stories linked to User Stories in JIRA/Confluence
DEVELOP & DEPLOY “The most secure code in the world is code which is never written” - Colin Percival
Develop Ø Table – Top code walkthroughs Ø SAST IDE Plugins Ø SCA runs as part of code review and build management Ø Peer-review prior to code commit Ø Evangelize use of Secure Coding Guidelines/checklist Ø Liaise security champions Develop Checkpoint SAST and SCA scans on local repo prior to code commit
AppSec Toolchain Ø Security tools (SAST, SCA and DAST) to work in conjunction with engineering platforms Ø “Force Multiplier Effect” through open source scanner components Ø Automated or scheduled triggers that kick off scan workflows Ø Transform from plain DAST to Parameterized DAST Ø Save critical security bandwidth by minimizing § Vulnerability Triaging § Testing common scenarios § Reconnaissance and Discovery Ø Transform vulnerabilities as “defects” routing them to the common defect pipeline system
AppSec Toolchain Architecture 1 2 3 4 5 6 78 9 10
Security Regression Ø Taking security one step closer to Quality Assurance (QA) Ø Leverage functional automation tools and resources to run security iterations with QA iterations Ø Extend and re-use automation scripts / technology to create “Security Regressions” Ø Increase efficiency of DAST scanners Ø Create security ”exploit scripts” for identified vulnerabilities Ø Automate security test case scenarios Ø Scale Security with QA Ø AppSec Toolchain + Security Regression = Savings in Resource Bandwidth
A sample regression architecture
Deploy and Test Ø Find bugs Early, Fix bugs Early! Ø Strategies for ‘Found bugs’ and ‘Yet to Find bugs’ Ø Threat Modeling :: Test cases mapping Ø Run Automated Tool Chain (DAST Scanners) Ø Leverage QA functional automation Ø Perform residual / iterative penetration tests Ø Non-Deterministic testing Ø Prioritize vulnerabilities based on impact Deploy & Test Checkpoint Piggyback on existing release gates (include security thresholds)
PRODUCT RELEASE AND MONITORING “When we launch a product, we’re already working on the next one. And possibly even the next, next one” - Tim Cook
Release & Monitor Ø Shift Right Strategy – Self Protect or Fail Safe Ø Use of RASP, WAF, Botnet Mitigation, Load Balancers, DDoS Ø Successful and failed attack metadata feedback as actionable intel Ø Integrate security cookbooks with deployment cookbooks (config audits more than testing) Ø Assisted Bug Bounties Release & Monitor Checkpoint Establish feedback mechanisms from Production to Design
Iteration 2 and forward Ø Consolidate security requirements Ø Compliance mandates Ø Regulation obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds/historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Ø Identify design changes to address security vulnerabilities Ø Update design documents Ø Update coding guidelines Design Checkpoint ➤ Table – top code walkthroughs ➤ SAST IDE Plugins ➤ SCA runs as part of code review and build management ➤ Peer-review prior to code commit ➤ Evangelize use of Secure Coding Guidelines/checklist ➤ Liaise security champions ➤ Code changes to remediate security vulnerabilities Develop Checkpoint Deploy & Test Checkpoint ➤ Find bugs Early, Fix bugs Early! ➤ Strategies for ”Found bugs” and “Yet to find bugs” ➤ Threat Modeling :: Test case mapping ➤ Run Automated Tool Chain (DAST Scanners) ➤ Leverage QA functional automation ➤ Perform residual/iterative penetration tests ➤ Non-deterministic testing ➤ Prioritize vulnerabilities based on impact ➤ Run regressions ➤ Compare scan results from previous iterations ➤ Shift Right Strategy – Self protect of Fail Safe ➤ Use of RASP, WAF Botnet mitigation, Load Balancers, DDoS ➤ Successful and failed attack metadata feedback as actionable intel ➤ Integrate security cookbooks with deployment cookbooks (config audits more than testing) ➤ Assisted Bug Bounties Release & Monitor Checkpoint
OPEN HOUSE Questions , Clarifications et all….. rahul@we45.com @rahul_raghav torahulraghavan we45.com/blog

Recommended

Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 

Recommended

Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsTomas Honzak
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
Making security champions in organization
Making security champions in organizationMaking security champions in organization
Making security champions in organizationkunwaratul hax0r
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software DevelopmentDevOps.com
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 

More Related Content

What's hot

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
Making security champions in organization
Making security champions in organizationMaking security champions in organization
Making security champions in organizationkunwaratul hax0r
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software DevelopmentDevOps.com
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 

What's hot (20)

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
Making security champions in organization
Making security champions in organizationMaking security champions in organization
Making security champions in organization
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software Development
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 

Similar to Security Checkpoints in Agile SDLC

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 

Similar to Security Checkpoints in Agile SDLC (20)

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Security Checkpoints in Agile SDLC

  • 1. ENFORCING SECURITY CHECKPOINTS Rahul Raghavan Co Founder and DevSecOps Proponent, we45
  • 2. Agenda Ø Software Security Initiative – A Quick Recap Ø Challenges in Application Security Ø The advent of DevSecOps Ø SDLC Security Checkpoints Ø Application Threat Modeling Ø Application Security Tooling Ø Regressions for Application Security
  • 3. Software Security Initiative “Collection of activities that Measure, Maintain and Improve the state of Software Security”
  • 4. Phases of an SSI Prepare to Kick Start / Improve your SSI Take Control and Implement your SSI Measure Success of your SSI Identify Continuous Improvements of your SSI PLAN DO CHECK ACT
  • 5. In focus today… Application Team Mapping Gather Historic Current State Data Ascertain Compliance Legal Objectives Establish SSI Governance Identify Training Needs Organize Tool-chest Identify Security Checkpoints Toolchain implementation Enhance existing automation Build Internal Capability SIG Collaborations Transcend Beyond Penetration Tests Enforce Security Checkpoints PLAN DO
  • 6. The Advent of DevSecOps Ø Security = Continuous Feedback + Improved Automation Ø End of the chain security activities broken down into piece-meal engagements Ø Division of security responsibilities – Dev, Ops, QA, Security Ø Transformation of engineering tools and platform – interfacing capabilities Ø Everyone needs to “get” code
  • 7. DevSecOps : Gartner’s Infinite Loop
  • 8. DevSecOps : The we45 Model
  • 9. Security Checkpoints Ø Logical security turnstiles at every phase of development and deployment Ø Assimilate common security objectives across engineering teams Ø Establish traceability for identified security flaws
  • 10. In simplespeak… Design Develop Deploy & Test Release & Monitor Plan Code Build Test Release Deploy Operate Monitor
  • 11. SOFTWARE DESIGN “There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies” C.A.R Hoare
  • 12. Threat Modeling Ø Identify, Enumerate and Prioritize - Security Risks Ø Systematic Breakdown of Attack Vectors and Attack Channels Ø Identifying Most Likely, Relevant Threats to a system Ø To identify controls and measures of risk treatment Ø Create a Security Playbook for the Product Team
  • 13. Everything that’s wrong with Threat Modeling today Ø Assumption of frozen requirements => Very Waterfall! Ø Threat Models are not dynamic enough - Out of date with application delivery Ø Current Threat Modeling is not collaborative – Bunch of Security folks at the beginning of a project
  • 14. The 1-2-3 of Threat Modeling Abuser Stories Attack Model Test Scenario User Story What can be done to abuse a functionality How to make your abuser story come to life Security checks you can formulate for each attack model
  • 15. Threat Modeling :: Test Case Mapping User Story As a user I want to search for my notes using the Search functionality Abuser Story As an attacker, I will try to search for notes of other users so as to disclose potentially sensitive info As an attacker I will try to redirect users to malicious sites to compromise account credentials Attack Model Attacker can perform Man-In- The-Middle attacks Attacker can perform Injection attacks Test Scenarios Check if the application is always on HTTPS, across the application Check for SSL strength Check for HSTS header present in HTTP Headers while connecting to the application Check for SSL vulnerabilities like POODLE, BEAST…
  • 16. Security in Design Ø Consolidate security requirements § Compliance mandates § Regulatory obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds / historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Design Checkpoint Abuser Stories linked to User Stories in JIRA/Confluence
  • 17. DEVELOP & DEPLOY “The most secure code in the world is code which is never written” - Colin Percival
  • 18. Develop Ø Table – Top code walkthroughs Ø SAST IDE Plugins Ø SCA runs as part of code review and build management Ø Peer-review prior to code commit Ø Evangelize use of Secure Coding Guidelines/checklist Ø Liaise security champions Develop Checkpoint SAST and SCA scans on local repo prior to code commit
  • 19. AppSec Toolchain Ø Security tools (SAST, SCA and DAST) to work in conjunction with engineering platforms Ø “Force Multiplier Effect” through open source scanner components Ø Automated or scheduled triggers that kick off scan workflows Ø Transform from plain DAST to Parameterized DAST Ø Save critical security bandwidth by minimizing § Vulnerability Triaging § Testing common scenarios § Reconnaissance and Discovery Ø Transform vulnerabilities as “defects” routing them to the common defect pipeline system
  • 21. Security Regression Ø Taking security one step closer to Quality Assurance (QA) Ø Leverage functional automation tools and resources to run security iterations with QA iterations Ø Extend and re-use automation scripts / technology to create “Security Regressions” Ø Increase efficiency of DAST scanners Ø Create security ”exploit scripts” for identified vulnerabilities Ø Automate security test case scenarios Ø Scale Security with QA Ø AppSec Toolchain + Security Regression = Savings in Resource Bandwidth
  • 22. A sample regression architecture
  • 23. Deploy and Test Ø Find bugs Early, Fix bugs Early! Ø Strategies for ‘Found bugs’ and ‘Yet to Find bugs’ Ø Threat Modeling :: Test cases mapping Ø Run Automated Tool Chain (DAST Scanners) Ø Leverage QA functional automation Ø Perform residual / iterative penetration tests Ø Non-Deterministic testing Ø Prioritize vulnerabilities based on impact Deploy & Test Checkpoint Piggyback on existing release gates (include security thresholds)
  • 24. PRODUCT RELEASE AND MONITORING “When we launch a product, we’re already working on the next one. And possibly even the next, next one” - Tim Cook
  • 25. Release & Monitor Ø Shift Right Strategy – Self Protect or Fail Safe Ø Use of RASP, WAF, Botnet Mitigation, Load Balancers, DDoS Ø Successful and failed attack metadata feedback as actionable intel Ø Integrate security cookbooks with deployment cookbooks (config audits more than testing) Ø Assisted Bug Bounties Release & Monitor Checkpoint Establish feedback mechanisms from Production to Design
  • 26. Iteration 2 and forward Ø Consolidate security requirements Ø Compliance mandates Ø Regulation obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds/historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Ø Identify design changes to address security vulnerabilities Ø Update design documents Ø Update coding guidelines Design Checkpoint ➤ Table – top code walkthroughs ➤ SAST IDE Plugins ➤ SCA runs as part of code review and build management ➤ Peer-review prior to code commit ➤ Evangelize use of Secure Coding Guidelines/checklist ➤ Liaise security champions ➤ Code changes to remediate security vulnerabilities Develop Checkpoint Deploy & Test Checkpoint ➤ Find bugs Early, Fix bugs Early! ➤ Strategies for ”Found bugs” and “Yet to find bugs” ➤ Threat Modeling :: Test case mapping ➤ Run Automated Tool Chain (DAST Scanners) ➤ Leverage QA functional automation ➤ Perform residual/iterative penetration tests ➤ Non-deterministic testing ➤ Prioritize vulnerabilities based on impact ➤ Run regressions ➤ Compare scan results from previous iterations ➤ Shift Right Strategy – Self protect of Fail Safe ➤ Use of RASP, WAF Botnet mitigation, Load Balancers, DDoS ➤ Successful and failed attack metadata feedback as actionable intel ➤ Integrate security cookbooks with deployment cookbooks (config audits more than testing) ➤ Assisted Bug Bounties Release & Monitor Checkpoint
  • 27. OPEN HOUSE Questions , Clarifications et all….. rahul@we45.com @rahul_raghav torahulraghavan we45.com/blog