Bosnia Agile, profile picture
Uploaded byBosnia Agile
PDF, PPTX853 views

Agile Secure Development

The document discusses how to integrate security requirements within agile development teams, highlighting the lack of security throughout the software development lifecycle. It presents key strategies for improving application security, including threat modeling, continuous integration, and incorporating security activities into sprints. The author emphasizes the importance of collaboration and responsibility among team members to create secure applications.

Technology
Related topics:
Bosnia Agile

Embed presentation

Download as PDF, PPTX
SARAJEVO, 27.10.2014 Agile Secure Development Petter Sandholdt -How to make the agile team work with security requirements
Who am I? Petter Sandholdt -Senior Developer -Senior Security Consultant -Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp -Security in R&D for last 6 years ... in agile teams the last 5 years
Easy targets Verizon Enterprise’s 2013 Data Breach Investigations Report ●47,000reported security incidents, ●621confirmed data security breaches ●companies of all sizes. http://www.verizonenterprise.com/DBIR/2013/ 78% of successful security intrusions were simple to pull off
What do Dev and SO think? http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy Developers Security Officers Security of applications is not addressed There is no build security in process SSDLC Application had a security breach during the past 2 years Did not receive software and application security training Application meets security regulations 70% 50% 80% 64% 68% 47% 50% 50% 15% 12%
Agile application ≠ Secure? Agile moto: ●Do what’s in the sprint XP moto: ●Never do more that what’s required TDD moto: ●Code until its green
Agile application = Secure? REQS CODE
Agile application = Secure? CODE REQS NOT TESTED
When is an application secure? ●Requires hard-to-guess passwords? ●Has input validation? ●Has up-to-date and hardened 3rd-party libraries? ●The one that fulfills the security requirementsof the application
How can the POs know about security? POs are OWNERSin that role decide what is important for this application. ●Deployability (Architects or Operations) ●Performance (Architects,Testers & DBA) ●How to code it (Developers)
Secure Software Development Life Cycles ●Microsoft SDL ●Adobe SPLC ●CLASP ●Cigital Touchpoints
Secure Coding in 5 minutes 1.Take Responsibility 2.Never trust data 3.Create a threat model 4.Keep yourself updated 5.Make a fuzz 6.Stay proud of your code 7.Use the best tools http://bit.ly/1dZ6fwA
Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
1. Architecture overview
1. Architecture overview Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
Data-Flow-Diagrams are great
Agile??? WTF! More artifacts! Not on my watch! -Helps collaboration-Find discrepancies-Creates ONE terminology
2. Threat Modeling session ●First session ○Brainstorming ●Following sessions ○Discussions aroundadded entities
2. Threat Modeling session Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidenciality Denial of Service Authentification Elevation of Privilege Authorization
Threat Modeling session Elevation of Privilege (EoP) Card Game
3. Backlog Review Look at the backlog from a security perspective Security Expert (from team) and PO Create checklist to facilitate
3. Checklist Example ●How will this new functionality be accessed? ●Can this affect “protected identites”? ●New entites in theatmodel require adding a new theatmodel session ●New role of users needs new validations on each resource ●Validations needed to be updated if property changes
4. Fix your tools to help you ●Continuous Integration ●Static code analyzers ●Dynamic code analyzers ●Penetration tests tools
4 Continuous Integration ●Find compile errors in configuration ●Automate robustness testing ○Unit ○Integration ○System ○Fuzz
4 Analyze the code ●Evaluate state of code checked in ○Complexity ○Rule breaking ●Tools ○SonarQube ○Coverity ○Fortify
5. Add activities to sprints ●Update high level diagram ●Keep updated ●Fuzz-testing
Buckets ●Verification ○Fuzz ○Data-flow ●Design ○Cryptology ○Privacy ●Planning ○Privacy tests ○Internal symbols
Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
Q & A -This won’t work in my team since… petter.sandholdt@softhouse.se
Thank You

More Related Content

PPTX
Security Champions - Introduce them in your Organisation
byIves Laaf
 
PDF
DevSecOps for Developers: How To Start
byPatricia Aas
 
PDF
Zero to Ninety in Securing DevOps
byDevSecOps Days
 
PPTX
Threat Modeling with Threat Dragon
bySteven Carlson
 
PPTX
Mobile security recipes for xamarin
byNicolas Milcoff
 
PDF
Adversary Driven Defense in the Real World
byJames Wickett
 
PPTX
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
byAgile Testing Alliance
 
PDF
Bug Bounties and The Path to Secure Software by 451 Research
byHackerOne
 
Security Champions - Introduce them in your Organisation
byIves Laaf
 
DevSecOps for Developers: How To Start
byPatricia Aas
 
Zero to Ninety in Securing DevOps
byDevSecOps Days
 
Threat Modeling with Threat Dragon
bySteven Carlson
 
Mobile security recipes for xamarin
byNicolas Milcoff
 
Adversary Driven Defense in the Real World
byJames Wickett
 
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
byAgile Testing Alliance
 
Bug Bounties and The Path to Secure Software by 451 Research
byHackerOne
 

What's hot

PDF
Security in open source projects
byJose Manuel Ortega Candel
 
PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
byDevOps.com
 
PDF
Top 10 Practices of Highly Successful DevOps Incident Management Teams
byDeborah Schalm
 
PPTX
2020 05-tech saturday-devsecops-#2-v03
byDiego Gabriel Cardoso
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
byAmien Harisen Rosyandino
 
PDF
[OWASP Poland Day] OWASP for testing mobile applications
byOWASP
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
PDF
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
byOWASP
 
PDF
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
bySimone Onofri
 
PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
PDF
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
PDF
How to automate your DevSecOps successfully
byManuel Pistner
 
PDF
Dev week cloud world conf2021
byArchana Joshi
 
PPTX
Unit testing : what are you missing for security
bySuman Sourav
 
PPTX
ExpoQA19 slides security awareness Steven Nienhuis
bysteavy
 
PDF
DevSecOps Everything You Need To Know
byCentextech
 
PPTX
DevSecOps Days SF at RSA Conference 2018
byDevSecOps Days
 
Security in open source projects
byJose Manuel Ortega Candel
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
byDevOps.com
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
byDeborah Schalm
 
2020 05-tech saturday-devsecops-#2-v03
byDiego Gabriel Cardoso
 
Pentest is yesterday, DevSecOps is tomorrow
byAmien Harisen Rosyandino
 
[OWASP Poland Day] OWASP for testing mobile applications
byOWASP
 
Demystifying DevSecOps
byArchana Joshi
 
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
byOWASP
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
bySimone Onofri
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
How to automate your DevSecOps successfully
byManuel Pistner
 
Dev week cloud world conf2021
byArchana Joshi
 
Unit testing : what are you missing for security
bySuman Sourav
 
ExpoQA19 slides security awareness Steven Nienhuis
bysteavy
 
DevSecOps Everything You Need To Know
byCentextech
 
DevSecOps Days SF at RSA Conference 2018
byDevSecOps Days
 

Similar to Agile Secure Development

PPT
Software security engineering
byAHM Pervej Kabir
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PDF
SDLC & DevSecOps
byIrina Kostina
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
byDilum Bandara
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
PPTX
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Agile security
byArthur Donkers
 
PPT
Software Security Engineering
byMarco Morana
 
ODP
Matthew Coles - Izar Tarandach - Security Toolbox
bySource Conference
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PPTX
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
byAgileNetwork
 
PDF
A journey into Application Security
byChristian Martorella
 
PPT
Software Security in the Real World
byMark Curphey
 
PPTX
Application security testing in the age of Agile development - by Julio Cesar...
byBlaze Information Security
 
PPTX
Security within Scaled Agile
byMark Underwood
 
PPTX
Hacker vs Tools: Which to Choose?
bySecurity Innovation
 
PPTX
Hacker vs tools
byGeoffrey Vaughan
 
Software security engineering
byAHM Pervej Kabir
 
AppSec in an Agile World
byDavid Lindner
 
ProdSec: A Technical Approach
byJeremy Brown
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
SDLC & DevSecOps
byIrina Kostina
 
Software security engineering
byAHM Pervej Kabir
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
byDilum Bandara
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
Agile security
byArthur Donkers
 
Software Security Engineering
byMarco Morana
 
Matthew Coles - Izar Tarandach - Security Toolbox
bySource Conference
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
byAgileNetwork
 
A journey into Application Security
byChristian Martorella
 
Software Security in the Real World
byMark Curphey
 
Application security testing in the age of Agile development - by Julio Cesar...
byBlaze Information Security
 
Security within Scaled Agile
byMark Underwood
 
Hacker vs Tools: Which to Choose?
bySecurity Innovation
 
Hacker vs tools
byGeoffrey Vaughan
 

More from Bosnia Agile

PDF
How AI will transform agile project management by Jasna Pleho and Elvir Ćesko
byBosnia Agile
 
PDF
Supercharge your teams with Value Stream Management by Richard Knaster
byBosnia Agile
 
PDF
Disciplined Agile:  Past, present, and future. The path to true business agil...
byBosnia Agile
 
PDF
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
byBosnia Agile
 
PDF
Production Support - the DevOps way by Mustafa Mehmedić
byBosnia Agile
 
PDF
Agile playground - Navigating Change Through Continuous experimentation by St...
byBosnia Agile
 
PDF
Agile is not just for software development, it’s for the whole business! by O...
byBosnia Agile
 
PDF
Psychological Safety and Remote Work by Matthew Philip
byBosnia Agile
 
PDF
How can Operational Value Streams Shape Your Product Strategy and Roadmap Suc...
byBosnia Agile
 
PDF
Banking Reimagined - Navigating the Adaptive transformation by Ana Kafadar
byBosnia Agile
 
PDF
Beyond Boundaries: Nurturing Psychological Safety for Tech Excellence by Barı...
byBosnia Agile
 
PDF
Data Visualization Techniques in Meteorological and Climatological World usin...
byBosnia Agile
 
PDF
The Rationale for Continuous Delivery by Dave Farley
byBosnia Agile
 
PDF
Creating transformation in Healthcare by Banu Gülsün, Mutlu Çiçek and Onur Ön...
byBosnia Agile
 
PDF
Scrum Turns 25 - Usage and the future by Dave West
byBosnia Agile
 
PDF
What’s a Design Sprint and Why Does it Matter? by Elvis Pivić
byBosnia Agile
 
PDF
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
byBosnia Agile
 
PDF
Building a world-class work culture by Rešad Začina
byBosnia Agile
 
PDF
Decoding Success in Pharma and e-Health by Lejla Zonić
byBosnia Agile
 
PDF
Culture eats everything for breakfast! by Vladimir Kelava
byBosnia Agile
 
How AI will transform agile project management by Jasna Pleho and Elvir Ćesko
byBosnia Agile
 
Supercharge your teams with Value Stream Management by Richard Knaster
byBosnia Agile
 
Disciplined Agile:  Past, present, and future. The path to true business agil...
byBosnia Agile
 
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
byBosnia Agile
 
Production Support - the DevOps way by Mustafa Mehmedić
byBosnia Agile
 
Agile playground - Navigating Change Through Continuous experimentation by St...
byBosnia Agile
 
Agile is not just for software development, it’s for the whole business! by O...
byBosnia Agile
 
Psychological Safety and Remote Work by Matthew Philip
byBosnia Agile
 
How can Operational Value Streams Shape Your Product Strategy and Roadmap Suc...
byBosnia Agile
 
Banking Reimagined - Navigating the Adaptive transformation by Ana Kafadar
byBosnia Agile
 
Beyond Boundaries: Nurturing Psychological Safety for Tech Excellence by Barı...
byBosnia Agile
 
Data Visualization Techniques in Meteorological and Climatological World usin...
byBosnia Agile
 
The Rationale for Continuous Delivery by Dave Farley
byBosnia Agile
 
Creating transformation in Healthcare by Banu Gülsün, Mutlu Çiçek and Onur Ön...
byBosnia Agile
 
Scrum Turns 25 - Usage and the future by Dave West
byBosnia Agile
 
What’s a Design Sprint and Why Does it Matter? by Elvis Pivić
byBosnia Agile
 
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
byBosnia Agile
 
Building a world-class work culture by Rešad Začina
byBosnia Agile
 
Decoding Success in Pharma and e-Health by Lejla Zonić
byBosnia Agile
 
Culture eats everything for breakfast! by Vladimir Kelava
byBosnia Agile
 

Recently uploaded

PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PPTX
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
PDF
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PPTX
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 

Agile Secure Development

  • 1.
    SARAJEVO, 27.10.2014 AgileSecure Development Petter Sandholdt -How to make the agile team work with security requirements
  • 2.
    Who am I? Petter Sandholdt -Senior Developer -Senior Security Consultant -Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp -Security in R&D for last 6 years ... in agile teams the last 5 years
  • 3.
    Easy targets VerizonEnterprise’s 2013 Data Breach Investigations Report ●47,000reported security incidents, ●621confirmed data security breaches ●companies of all sizes. http://www.verizonenterprise.com/DBIR/2013/ 78% of successful security intrusions were simple to pull off
  • 4.
    What do Devand SO think? http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy Developers Security Officers Security of applications is not addressed There is no build security in process SSDLC Application had a security breach during the past 2 years Did not receive software and application security training Application meets security regulations 70% 50% 80% 64% 68% 47% 50% 50% 15% 12%
  • 5.
    Agile application ≠Secure? Agile moto: ●Do what’s in the sprint XP moto: ●Never do more that what’s required TDD moto: ●Code until its green
  • 6.
    Agile application =Secure? REQS CODE
  • 7.
    Agile application =Secure? CODE REQS NOT TESTED
  • 8.
    When is anapplication secure? ●Requires hard-to-guess passwords? ●Has input validation? ●Has up-to-date and hardened 3rd-party libraries? ●The one that fulfills the security requirementsof the application
  • 9.
    How can thePOs know about security? POs are OWNERSin that role decide what is important for this application. ●Deployability (Architects or Operations) ●Performance (Architects,Testers & DBA) ●How to code it (Developers)
  • 10.
    Secure Software DevelopmentLife Cycles ●Microsoft SDL ●Adobe SPLC ●CLASP ●Cigital Touchpoints
  • 11.
    Secure Coding in5 minutes 1.Take Responsibility 2.Never trust data 3.Create a threat model 4.Keep yourself updated 5.Make a fuzz 6.Stay proud of your code 7.Use the best tools http://bit.ly/1dZ6fwA
  • 12.
    Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
  • 13.
  • 14.
    1. Architecture overview Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
  • 15.
  • 16.
    Agile??? WTF! Moreartifacts! Not on my watch! -Helps collaboration-Find discrepancies-Creates ONE terminology
  • 17.
    2. Threat Modelingsession ●First session ○Brainstorming ●Following sessions ○Discussions aroundadded entities
  • 18.
    2. Threat Modelingsession Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidenciality Denial of Service Authentification Elevation of Privilege Authorization
  • 19.
    Threat Modeling session Elevation of Privilege (EoP) Card Game
  • 20.
    3. Backlog Review Look at the backlog from a security perspective Security Expert (from team) and PO Create checklist to facilitate
  • 21.
    3. Checklist Example ●How will this new functionality be accessed? ●Can this affect “protected identites”? ●New entites in theatmodel require adding a new theatmodel session ●New role of users needs new validations on each resource ●Validations needed to be updated if property changes
  • 22.
    4. Fix yourtools to help you ●Continuous Integration ●Static code analyzers ●Dynamic code analyzers ●Penetration tests tools
  • 23.
    4 Continuous Integration ●Find compile errors in configuration ●Automate robustness testing ○Unit ○Integration ○System ○Fuzz
  • 24.
    4 Analyze thecode ●Evaluate state of code checked in ○Complexity ○Rule breaking ●Tools ○SonarQube ○Coverity ○Fortify
  • 25.
    5. Add activitiesto sprints ●Update high level diagram ●Keep updated ●Fuzz-testing
  • 26.
    Buckets ●Verification ○Fuzz ○Data-flow ●Design ○Cryptology ○Privacy ●Planning ○Privacy tests ○Internal symbols
  • 27.
    Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
  • 28.
    Q & A -This won’t work in my team since… petter.sandholdt@softhouse.se
  • 30.