SlideShare a Scribd company logo

Security Checkpoints in Agile SDLC

R
Rahul Raghavan

Product Engineering teams have started to realize the importance of software security. This has resulted in the trend where teams are taking efforts to include it as part of their software development life cycle; as opposed to treating it as another item in their checklist prior to release. However, the real challenge is in trying to find the balance between agility and quality which is where many team find this an uphill task. While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator. This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions. This was presented as a we45 Webinar on April 12, 2018

Technology
1 of 27
Download to read offline
ENFORCING SECURITY CHECKPOINTS Rahul Raghavan Co Founder and DevSecOps Proponent, we45
Agenda Ø Software Security Initiative – A Quick Recap Ø Challenges in Application Security Ø The advent of DevSecOps Ø SDLC Security Checkpoints Ø Application Threat Modeling Ø Application Security Tooling Ø Regressions for Application Security
Software Security Initiative “Collection of activities that Measure, Maintain and Improve the state of Software Security”
Phases of an SSI Prepare to Kick Start / Improve your SSI Take Control and Implement your SSI Measure Success of your SSI Identify Continuous Improvements of your SSI PLAN DO CHECK ACT
In focus today… Application Team Mapping Gather Historic Current State Data Ascertain Compliance Legal Objectives Establish SSI Governance Identify Training Needs Organize Tool-chest Identify Security Checkpoints Toolchain implementation Enhance existing automation Build Internal Capability SIG Collaborations Transcend Beyond Penetration Tests Enforce Security Checkpoints PLAN DO
The Advent of DevSecOps Ø Security = Continuous Feedback + Improved Automation Ø End of the chain security activities broken down into piece-meal engagements Ø Division of security responsibilities – Dev, Ops, QA, Security Ø Transformation of engineering tools and platform – interfacing capabilities Ø Everyone needs to “get” code
DevSecOps : Gartner’s Infinite Loop
DevSecOps : The we45 Model
Security Checkpoints Ø Logical security turnstiles at every phase of development and deployment Ø Assimilate common security objectives across engineering teams Ø Establish traceability for identified security flaws
In simplespeak… Design Develop Deploy & Test Release & Monitor Plan Code Build Test Release Deploy Operate Monitor
SOFTWARE DESIGN “There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies” C.A.R Hoare
Threat Modeling Ø Identify, Enumerate and Prioritize - Security Risks Ø Systematic Breakdown of Attack Vectors and Attack Channels Ø Identifying Most Likely, Relevant Threats to a system Ø To identify controls and measures of risk treatment Ø Create a Security Playbook for the Product Team
Everything that’s wrong with Threat Modeling today Ø Assumption of frozen requirements => Very Waterfall! Ø Threat Models are not dynamic enough - Out of date with application delivery Ø Current Threat Modeling is not collaborative – Bunch of Security folks at the beginning of a project
The 1-2-3 of Threat Modeling Abuser Stories Attack Model Test Scenario User Story What can be done to abuse a functionality How to make your abuser story come to life Security checks you can formulate for each attack model
Threat Modeling :: Test Case Mapping User Story As a user I want to search for my notes using the Search functionality Abuser Story As an attacker, I will try to search for notes of other users so as to disclose potentially sensitive info As an attacker I will try to redirect users to malicious sites to compromise account credentials Attack Model Attacker can perform Man-In- The-Middle attacks Attacker can perform Injection attacks Test Scenarios Check if the application is always on HTTPS, across the application Check for SSL strength Check for HSTS header present in HTTP Headers while connecting to the application Check for SSL vulnerabilities like POODLE, BEAST…
Security in Design Ø Consolidate security requirements § Compliance mandates § Regulatory obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds / historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Design Checkpoint Abuser Stories linked to User Stories in JIRA/Confluence
DEVELOP & DEPLOY “The most secure code in the world is code which is never written” - Colin Percival
Develop Ø Table – Top code walkthroughs Ø SAST IDE Plugins Ø SCA runs as part of code review and build management Ø Peer-review prior to code commit Ø Evangelize use of Secure Coding Guidelines/checklist Ø Liaise security champions Develop Checkpoint SAST and SCA scans on local repo prior to code commit
AppSec Toolchain Ø Security tools (SAST, SCA and DAST) to work in conjunction with engineering platforms Ø “Force Multiplier Effect” through open source scanner components Ø Automated or scheduled triggers that kick off scan workflows Ø Transform from plain DAST to Parameterized DAST Ø Save critical security bandwidth by minimizing § Vulnerability Triaging § Testing common scenarios § Reconnaissance and Discovery Ø Transform vulnerabilities as “defects” routing them to the common defect pipeline system
AppSec Toolchain Architecture 1 2 3 4 5 6 78 9 10
Security Regression Ø Taking security one step closer to Quality Assurance (QA) Ø Leverage functional automation tools and resources to run security iterations with QA iterations Ø Extend and re-use automation scripts / technology to create “Security Regressions” Ø Increase efficiency of DAST scanners Ø Create security ”exploit scripts” for identified vulnerabilities Ø Automate security test case scenarios Ø Scale Security with QA Ø AppSec Toolchain + Security Regression = Savings in Resource Bandwidth
A sample regression architecture
Deploy and Test Ø Find bugs Early, Fix bugs Early! Ø Strategies for ‘Found bugs’ and ‘Yet to Find bugs’ Ø Threat Modeling :: Test cases mapping Ø Run Automated Tool Chain (DAST Scanners) Ø Leverage QA functional automation Ø Perform residual / iterative penetration tests Ø Non-Deterministic testing Ø Prioritize vulnerabilities based on impact Deploy & Test Checkpoint Piggyback on existing release gates (include security thresholds)
PRODUCT RELEASE AND MONITORING “When we launch a product, we’re already working on the next one. And possibly even the next, next one” - Tim Cook
Release & Monitor Ø Shift Right Strategy – Self Protect or Fail Safe Ø Use of RASP, WAF, Botnet Mitigation, Load Balancers, DDoS Ø Successful and failed attack metadata feedback as actionable intel Ø Integrate security cookbooks with deployment cookbooks (config audits more than testing) Ø Assisted Bug Bounties Release & Monitor Checkpoint Establish feedback mechanisms from Production to Design
Iteration 2 and forward Ø Consolidate security requirements Ø Compliance mandates Ø Regulation obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds/historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Ø Identify design changes to address security vulnerabilities Ø Update design documents Ø Update coding guidelines Design Checkpoint ➤ Table – top code walkthroughs ➤ SAST IDE Plugins ➤ SCA runs as part of code review and build management ➤ Peer-review prior to code commit ➤ Evangelize use of Secure Coding Guidelines/checklist ➤ Liaise security champions ➤ Code changes to remediate security vulnerabilities Develop Checkpoint Deploy & Test Checkpoint ➤ Find bugs Early, Fix bugs Early! ➤ Strategies for ”Found bugs” and “Yet to find bugs” ➤ Threat Modeling :: Test case mapping ➤ Run Automated Tool Chain (DAST Scanners) ➤ Leverage QA functional automation ➤ Perform residual/iterative penetration tests ➤ Non-deterministic testing ➤ Prioritize vulnerabilities based on impact ➤ Run regressions ➤ Compare scan results from previous iterations ➤ Shift Right Strategy – Self protect of Fail Safe ➤ Use of RASP, WAF Botnet mitigation, Load Balancers, DDoS ➤ Successful and failed attack metadata feedback as actionable intel ➤ Integrate security cookbooks with deployment cookbooks (config audits more than testing) ➤ Assisted Bug Bounties Release & Monitor Checkpoint
OPEN HOUSE Questions , Clarifications et all….. rahul@we45.com @rahul_raghav torahulraghavan we45.com/blog

Recommended

Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat ModelingDr. Anish Cheriyan (PhD)
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Security operation center
Security operation centerSecurity operation center
Security operation centerMuthuKumaran267
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 

Recommended

Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat ModelingDr. Anish Cheriyan (PhD)
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Security operation center
Security operation centerSecurity operation center
Security operation centerMuthuKumaran267
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOARSiemplify
 
TARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxTARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxShriya Rai
 
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Harry McLaren
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptxAjit Wadhawan
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
6 Physical Security
6 Physical Security6 Physical Security
6 Physical SecurityAlfred Ouyang
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability ManagementRisk Analysis Consultants, s.r.o.
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 

More Related Content

What's hot

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOARSiemplify
 
TARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxTARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxShriya Rai
 
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Harry McLaren
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 

What's hot (20)

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
 
TARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxTARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptx
 
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
6 Physical Security
6 Physical Security6 Physical Security
6 Physical Security
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 

Similar to Security Checkpoints in Agile SDLC

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 

Similar to Security Checkpoints in Agile SDLC (20)

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Security Checkpoints in Agile SDLC

  • 1. ENFORCING SECURITY CHECKPOINTS Rahul Raghavan Co Founder and DevSecOps Proponent, we45
  • 2. Agenda Ø Software Security Initiative – A Quick Recap Ø Challenges in Application Security Ø The advent of DevSecOps Ø SDLC Security Checkpoints Ø Application Threat Modeling Ø Application Security Tooling Ø Regressions for Application Security
  • 3. Software Security Initiative “Collection of activities that Measure, Maintain and Improve the state of Software Security”
  • 4. Phases of an SSI Prepare to Kick Start / Improve your SSI Take Control and Implement your SSI Measure Success of your SSI Identify Continuous Improvements of your SSI PLAN DO CHECK ACT
  • 5. In focus today… Application Team Mapping Gather Historic Current State Data Ascertain Compliance Legal Objectives Establish SSI Governance Identify Training Needs Organize Tool-chest Identify Security Checkpoints Toolchain implementation Enhance existing automation Build Internal Capability SIG Collaborations Transcend Beyond Penetration Tests Enforce Security Checkpoints PLAN DO
  • 6. The Advent of DevSecOps Ø Security = Continuous Feedback + Improved Automation Ø End of the chain security activities broken down into piece-meal engagements Ø Division of security responsibilities – Dev, Ops, QA, Security Ø Transformation of engineering tools and platform – interfacing capabilities Ø Everyone needs to “get” code
  • 7. DevSecOps : Gartner’s Infinite Loop
  • 8. DevSecOps : The we45 Model
  • 9. Security Checkpoints Ø Logical security turnstiles at every phase of development and deployment Ø Assimilate common security objectives across engineering teams Ø Establish traceability for identified security flaws
  • 10. In simplespeak… Design Develop Deploy & Test Release & Monitor Plan Code Build Test Release Deploy Operate Monitor
  • 11. SOFTWARE DESIGN “There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies” C.A.R Hoare
  • 12. Threat Modeling Ø Identify, Enumerate and Prioritize - Security Risks Ø Systematic Breakdown of Attack Vectors and Attack Channels Ø Identifying Most Likely, Relevant Threats to a system Ø To identify controls and measures of risk treatment Ø Create a Security Playbook for the Product Team
  • 13. Everything that’s wrong with Threat Modeling today Ø Assumption of frozen requirements => Very Waterfall! Ø Threat Models are not dynamic enough - Out of date with application delivery Ø Current Threat Modeling is not collaborative – Bunch of Security folks at the beginning of a project
  • 14. The 1-2-3 of Threat Modeling Abuser Stories Attack Model Test Scenario User Story What can be done to abuse a functionality How to make your abuser story come to life Security checks you can formulate for each attack model
  • 15. Threat Modeling :: Test Case Mapping User Story As a user I want to search for my notes using the Search functionality Abuser Story As an attacker, I will try to search for notes of other users so as to disclose potentially sensitive info As an attacker I will try to redirect users to malicious sites to compromise account credentials Attack Model Attacker can perform Man-In- The-Middle attacks Attacker can perform Injection attacks Test Scenarios Check if the application is always on HTTPS, across the application Check for SSL strength Check for HSTS header present in HTTP Headers while connecting to the application Check for SSL vulnerabilities like POODLE, BEAST…
  • 16. Security in Design Ø Consolidate security requirements § Compliance mandates § Regulatory obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds / historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Design Checkpoint Abuser Stories linked to User Stories in JIRA/Confluence
  • 17. DEVELOP & DEPLOY “The most secure code in the world is code which is never written” - Colin Percival
  • 18. Develop Ø Table – Top code walkthroughs Ø SAST IDE Plugins Ø SCA runs as part of code review and build management Ø Peer-review prior to code commit Ø Evangelize use of Secure Coding Guidelines/checklist Ø Liaise security champions Develop Checkpoint SAST and SCA scans on local repo prior to code commit
  • 19. AppSec Toolchain Ø Security tools (SAST, SCA and DAST) to work in conjunction with engineering platforms Ø “Force Multiplier Effect” through open source scanner components Ø Automated or scheduled triggers that kick off scan workflows Ø Transform from plain DAST to Parameterized DAST Ø Save critical security bandwidth by minimizing § Vulnerability Triaging § Testing common scenarios § Reconnaissance and Discovery Ø Transform vulnerabilities as “defects” routing them to the common defect pipeline system
  • 21. Security Regression Ø Taking security one step closer to Quality Assurance (QA) Ø Leverage functional automation tools and resources to run security iterations with QA iterations Ø Extend and re-use automation scripts / technology to create “Security Regressions” Ø Increase efficiency of DAST scanners Ø Create security ”exploit scripts” for identified vulnerabilities Ø Automate security test case scenarios Ø Scale Security with QA Ø AppSec Toolchain + Security Regression = Savings in Resource Bandwidth
  • 22. A sample regression architecture
  • 23. Deploy and Test Ø Find bugs Early, Fix bugs Early! Ø Strategies for ‘Found bugs’ and ‘Yet to Find bugs’ Ø Threat Modeling :: Test cases mapping Ø Run Automated Tool Chain (DAST Scanners) Ø Leverage QA functional automation Ø Perform residual / iterative penetration tests Ø Non-Deterministic testing Ø Prioritize vulnerabilities based on impact Deploy & Test Checkpoint Piggyback on existing release gates (include security thresholds)
  • 24. PRODUCT RELEASE AND MONITORING “When we launch a product, we’re already working on the next one. And possibly even the next, next one” - Tim Cook
  • 25. Release & Monitor Ø Shift Right Strategy – Self Protect or Fail Safe Ø Use of RASP, WAF, Botnet Mitigation, Load Balancers, DDoS Ø Successful and failed attack metadata feedback as actionable intel Ø Integrate security cookbooks with deployment cookbooks (config audits more than testing) Ø Assisted Bug Bounties Release & Monitor Checkpoint Establish feedback mechanisms from Production to Design
  • 26. Iteration 2 and forward Ø Consolidate security requirements Ø Compliance mandates Ø Regulation obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds/historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Ø Identify design changes to address security vulnerabilities Ø Update design documents Ø Update coding guidelines Design Checkpoint ➤ Table – top code walkthroughs ➤ SAST IDE Plugins ➤ SCA runs as part of code review and build management ➤ Peer-review prior to code commit ➤ Evangelize use of Secure Coding Guidelines/checklist ➤ Liaise security champions ➤ Code changes to remediate security vulnerabilities Develop Checkpoint Deploy & Test Checkpoint ➤ Find bugs Early, Fix bugs Early! ➤ Strategies for ”Found bugs” and “Yet to find bugs” ➤ Threat Modeling :: Test case mapping ➤ Run Automated Tool Chain (DAST Scanners) ➤ Leverage QA functional automation ➤ Perform residual/iterative penetration tests ➤ Non-deterministic testing ➤ Prioritize vulnerabilities based on impact ➤ Run regressions ➤ Compare scan results from previous iterations ➤ Shift Right Strategy – Self protect of Fail Safe ➤ Use of RASP, WAF Botnet mitigation, Load Balancers, DDoS ➤ Successful and failed attack metadata feedback as actionable intel ➤ Integrate security cookbooks with deployment cookbooks (config audits more than testing) ➤ Assisted Bug Bounties Release & Monitor Checkpoint
  • 27. OPEN HOUSE Questions , Clarifications et all….. rahul@we45.com @rahul_raghav torahulraghavan we45.com/blog