Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Matthew Coles - Izar Tarandach - Security Toolbox


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Matthew Coles - Izar Tarandach - Security Toolbox

  1. 1. Security Toolbox: Managing Security Risk for Agile Practitioners Matthew Coles & Izar Tarandach RSA, the Security Division of EMC
  2. 2. Challenges in Agile <ul><li>Agile Development simulated by a classic arcade game
  3. 3. Defects (”holes”) occur for many reasons </li><ul><li>Flood of requirements
  4. 4. No visibility
  5. 5. No resources </li></ul></ul>
  6. 6. Challenges in Agile <ul><li>Goal to successfully implement slices of requirements, adapting to changes as they come from the customer </li><ul><li>Function over Form
  7. 7. Success criteria defined by Product Owner (channelling the customer)
  8. 8. Acceptance tests and design requirements only as good as team </li></ul><li>Reliance on subject matter expertise; not always dedicated to the effort </li></ul>
  9. 9. Traditional Techniques <ul><li>Security for Software Development Lifecycle </li><ul><li>Risk Analysis
  10. 10. Code Analysis
  11. 11. Security Testing
  12. 12. Security Documentation </li></ul><li>Only Risk Analysis can help avoid security risk </li><ul><li>Before ”security debt” exists
  13. 13. But can still be too late to avoid costly rework </li></ul></ul>
  14. 14. Security Debt <ul><li>Technical Debt </li><ul><li>Measure of rework that will be required to address built-in flaws </li></ul><li>Security Debt </li><ul><li>Technical Debt which leads to security vulnerabilities </li></ul></ul>
  15. 15. Our Vision <ul><li>Give Product Owners and Agile teams a method to prevent injecting security defects </li><ul><li>Predict backlog items, acceptance tests, and documentation as architecture is defined
  16. 16. Enable better work estimation
  17. 17. Identify and manage technical debt </li></ul><li>Give security SMEs a helping hand </li><ul><li>or give small organizations the benefit of an SME if they don't have one </li></ul><li>Minimize Security Debt </li></ul>
  18. 18. Security Toolbox <ul><li>”Playbook” for security </li><ul><li>Collection of security knowledge
  19. 19. Each item associated to architectural feature </li></ul><li>Built-in Security </li><ul><li>Functional elements for security improvement
  20. 20. Acceptance tests to implement
  21. 21. Policy compliance updates
  22. 22. Resource cost estimates
  23. 23. Priority Hints to Product Owners and Scrum Masters </li></ul></ul>
  24. 24. Constructing the Toolbox <ul><li>Requires security knowledge (of course)
  25. 25. Where can we find good security knowledge? </li><ul><li>Microsoft (de facto reference) </li><ul><li>Also discusses applying this knowledge in Agile </li></ul><li>OWASP
  26. 26. Security Innovations (vendor)
  27. 27. Policies
  28. 28. Corporate resources </li></ul></ul>
  29. 29. Constructing the Toolbox <ul><li>MITRE has a great source for security knowledge </li><ul><li>Common Weakness Enumeration (CWE)
  30. 30. Common Attack Pattern Enumeration and Classification (CAPEC)
  31. 31. Common Vulnerability Enumeration (CVE) </li></ul><li>Toolbox Items = Community-driven security knowledge + solid software engineering </li></ul>
  32. 32. Toolbox ”Schema” (CWE) (CWE) (CAPEC) (Policy) Architectural Elements Toolbox Item Lens or Filter Web Server (generic) Apache (specific) Apache 2.0.29 (instance) IIS (specific) CVE Policy CWE Internal Document CWE Mitigation (Backlog) Mitigation (Task) Acceptance Criteria (Test) Component Whitelist*
  33. 33. Exercise <ul><li>The Team </li><ul><li>Three dev teams, each with a ScrumMaster
  34. 34. One Product Owner
  35. 35. Shared security consultant </li></ul><li>Each dev team has </li><ul><li>2-3 domain-knowledgable programmers
  36. 36. One QA engineer
  37. 37. One doc writer
  38. 38. One business analyst </li></ul></ul>
  39. 39. Exercise <ul><li>Customer Requirements for Online Comment System </li><ul><li>”Flexible, easy to use, nice looking”
  40. 40. ”User at home or mobile with web browser”
  41. 41. ”Storage in backend processing system”
  42. 42. ”User name and email address stored for later follow-up” </li></ul></ul>Acceptance Criteria Interface works on Windows and Mac Acceptance Criteria User data goes from Interface to backend User Story User with web browser enters data into interface and data is stored in backend system. Acceptance Criteria User interface is visually appealing (focus group).
  43. 43. Epic User with web browser enters data into interface and data is stored in backend system. Story B UI process sends data to backend store Points: 200 Story A User enters data into interface Points: 500 Story C User gets response of successful upload Points: 100
  44. 44. Web Browser HTTP Server Database Constraint - UI Technology Choices HTML, Flash Constraint - Server Technology Choices LAMP (Linux, Apache, MySQL, PHP) Constraint - DB Technology Choices MySQL
  45. 45. Backlogs w/o Toolbox Product Sprint Task 1 (80 pts) Construct Flash UI for user input Task 3 (30 pts) Validate UI input Task 2 (40 pts) Enable connection to server via HTTP Task 4 (30 pts) Write user input to database Task S1 (25 pts) Create form with user input fields in Flash/ActionScript Task S2 (25 pts) Check input meets type/range criteria Task S3 (25 pts) Create submit() function to send user data to server Task S4 (25 pts) Accept data from web client and write to database Acceptance Test Validate test data is stored in database after user hits submit button Acceptance Test Validate user input field accepts only plain text input.
  46. 46. Web Browser HTTP Server Database User Interface Flash Web Server Apache Apache 2.0.29 Database MySQL HTML Server HTTP/1.1
  47. 47. Web Server Apache Apache 2.0.29 Security Test: Sniffing data communications (CAPEC-157) Task: Enable port 443 in firewall Policy: Secure user communications Component Check: Apache 2.0.29 Backlog: SSLv3/TLSv1 Risk: High Cost: 10 Acceptance Test: Network vulnerability scan reports 0 critical defects
  48. 48. HTTP/1.1 HTTP/1.1 SSLv3 tcp/443 SPRINT 1 Without Toolbox With Toolbox Flash UI Apache MySQL Flash UI Apache 2.0.29 MySQL
  49. 49. Now when you play that game... <ul><li>Give teams hints to predict how the pieces come together </li><ul><li>Avoid blank spaces
  50. 50. Avoid technical debt
  51. 51. Don't defer security </li></ul></ul>
  52. 52. References <ul><li>Keramati, H; Mirian-Hosseinabadi, S.H., ”Integrating Software Development Security Activities with Agile Methodologies”, IEEE, 2008
  53. 53. Siponen, M.; Baskerville, R.; Kuivalainen, T., ”Integrating Security into Agile Development Methods”, IEEE, 2005
  54. 54. Common Weakness Enumeration (CWE):
  55. 55. Common Attack Pattern Enumeration and Classification (CAPEC):
  56. 56. Common Vulnerability Enumeration (CVE):
  57. 57. Microsoft Security Development Lifecycle (SDL): </li></ul>
  58. 58. Security Toolbox Discussion Q & A
  59. 59. Future Topics Areas for additional work
  60. 60. Adding and removing knowledge <ul><li>Security knowledge as 'facts' </li><ul><li>Apache X.Y.Z is vulnerable to a buffer overflow via the HTTP version field (CVE-AAAA-BBBB): </li><ul><li>(Apache,X.Y.Z,CVE-AAAA-BBBB) -> CWE-121: Stack-based Buffer Overflow
  61. 61. (Apache,X.Y.Z,CVE-AAAA-BBBB) -> CWE-120: Buffer Copy without Checking Size of Input </li></ul></ul><li>Periodic purges of out-of-date facts </li><ul><li>Set all versions of SSL lower than 0.9.7a to UNACCEPTABLE </li></ul></ul>
  62. 62. Giving the Sec SME a break Facts and derivations are ideal for expert systems. <ul><li>target(WWW Server)
  63. 63. instance(WWW Server,Apache,OS=Any)
  64. 64. instance(WWW Server,FooServer,OS=Linux)
  65. 65. constraint(OS = Microsoft Windows)
  66. 66. constraint(instance = Apache:9.2.3, OS = not Microsoft Windows)
  67. 67. vuln(WWW Server,Privileged network port open)
  68. 68. vuln(WWW Server,Tainted data over network)
  69. 69. vuln(Apache:7.0.12:-,CVE-2011-1475)
  70. 70. mitigation(Tainted data over network,SSL,cost=5)
  71. 71. mitigation(Privileged network port open,drop privileges after opening port,cost=1)
  72. 72. (….) </li></ul>Example Goal: secure implementation of target X == list of all needed mitigations per instance of targets, observing constraints, ranked by cost.