Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Agile AppSec DevOps

182 views

Published on

Secure Software Development with Agile DevOps

Published in: Technology
  • Be the first to comment

Agile AppSec DevOps

  1. 1. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 1 AGILE APPSEC DEVOPS Secure Software Development with Agile DevOps robertGrupe, CISSP, CSSLP, PE, PMP Tags :: Application, Software, Security, Development, AppSec, DevOps, DevSecOps OWASP, Agile, Kanban, Scrum, Best Practices, Feature Driven Development, FDD, Test Driven Development , TDD
  2. 2. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 2 Presentation Summary How ... Application Security (AppSec), Secure Software Development Life Cycle (SSDLC) is applied to Development and IT Operations (DevOps) in Agile, rapid software development and delivery. Moving from 1. Waterfall/Agile: AppSec 2. Feature Driven Development: AppSec with DevOps 3. Test Driven Development (TDD): DevSecOps
  3. 3. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 3 Table of Contents 1. AppSec with DevOps: Feature Diven Development 1. Foundational Elements 2. DevSecOps: Security Driven Development
  4. 4. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 4 I FOUNDATION Security Feature Driven Development
  5. 5. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 5 DevOps Dev • Plan: Requirements, Architecture, Schedule • Create: Design, Coding, Build • Verify: Test • Package: Pre-Production Staging Ops • Release: Coordinating, Deploying • Configure: Infrastructure, Applications • Monitor: Performance, Use, Metrics DevOps Collaboration of software delivery teams: • Developers; • Operations; • Quality Assurance: Testers • Management; • ... etc. Continuous Development automate delivery, focuses on • Bringing together different processes; • Executing them more quickly and more frequently.
  6. 6. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 6 SSDLC (SDLC with AppSec) Requirements (Scoping) Design Implementation (Development) Verification (Test) Release • AppSec Requirements (User Stories with Acceptance Criteria) • Security & Regulatory Risk Assessment • Frameworks Patterns • Analyze Attack Surface • Threat Modeling • Approved Tools • Deprecate Unsafe Functions • Static Analysis • Unit Tests/ User Story Acceptance • Dynamic Analysis • Fuzz Testing • Attack Surface Review • Penetration Testing • Deferred Defects Risk Acceptance • Go/No-Go
  7. 7. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 7 Application Security Requirement Foundation • AppSec Requirements Library • Use Cases with Acceptance Criteria • Compliance Traceability • Feature Use Case Process Flow Diagrams • Architecture, Components, Patterns • Prototypes • Risk Assessment Threat Modeling Intake • Context Diagram • Data Flow Diagram • Data Map & Model • Process Flow Diagrams
  8. 8. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 8 Agile: Scrumban FDD* • Kanban workflow† • Scrum development Ideas Features w/User Stories Design Dev Test Static Test Dynamic Final Approval Release WIP Limit * Feature Driven Development † Adaptive Software Development
  9. 9. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 9 Phase 1 (Foundational) AppSec DevOps: Security Feature Driven Development • User Stories • Assess Risks • Frameworks/Patterns • Attack Analysis • Threat Modeling • Approved Tools • Deprecate Functions • Static Analysis • Unit Tests • Dynamic Analysis • Fuzz Testing • Attack Review • Penetration Testing • Risk Acceptance • Go/No-Go • Logs • Alerts • Management • Usage • Changes • Vulnerabilities • Dashboards & Reports
  10. 10. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 10 II DEVSECOPS Security Test Driven Development
  11. 11. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 11 Host Platform Prerequisites 0.01 Minimum required platform components 0.02 Fully patched and up-to-date platform 0.03 Vulnerability free Components & Development Framework 0.04 Host firewall-ing: only required ports 0.05 Anti-malware scanning 0.06 Load balancing 0.07 Resiliency – failover 0.08 Backups – encrypted 0.09 Certificate Management 0.10 Key Management 0.11 Access Management: least privilege roles for admin & maintenance
  12. 12. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 12 Application Defense • Inside-Out (the network is porous) • 1. Design Threat Analysis • 2. SAST (Static Security Testing) in IDE • 3. SAST in builds • 4. Secure Code Reviews (optional / out-of-band) • 5. DAST (Dynamic Security Testing) • 6. QA of requirements (white box) • 7. Fuzzing (As required, based on risk: QA Pen Test) • Outside-In • 8. Pen Test Suite • 9. Public Bug Bounty Program • Responsive/Active Defense - detection & response • 10. RASP (Runtime Application Self-Protection Security): Logging, with automated response • 11. SIEM (Security Information and Event Management: Dashboards with auto alerts • 12. Training (reducing detected vulnerabilites)
  13. 13. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 13 Phase 2 DevSecOps: Security Test Driven Development • Threat Analysis • CI Training • SAST in IDE • SAST in build mgmt • Automated Security Requirements QA • DAST • RASP • SIEM • Secure Code Review • Fuzzing (PenT) • Bug Bounty
  14. 14. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 14 Finis • Robert Grupe, CISSP, CSSLP, PE, PMP • robert@rgrupe.com • +1.314.278.7901

×