How to make the agile team work with security requirements? Getting secure coding practices into agile development is often hard work. A security functional requirement might be included in the sprint, but getting secure testing, secure architecture and feedback from security incidents working is not an easy task for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you, covering agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be done without costly tools, and I will present open source alternatives for all steps, to make trying them out easier and to lower the startup cost of your team's security process.
1. SARAJEVO, 27.10.2014
Agile Secure Development
Petter Sandholdt
-How to make the agile team work with security requirements
2. Who am I?
Petter Sandholdt
-Senior Developer
-Senior Security Consultant
-Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp
-Security in R&D for last 6 years
... in agile teams the last 5 years
3. Easy targets
Verizon Enterprise’s 2013 Data Breach Investigations Report
●47,000 reported security incidents,
●621 confirmed data security breaches
●companies of all sizes.
http://www.verizonenterprise.com/DBIR/2013/
78% of successful security intrusions were simple to pull off
4. What do Dev and SO think?
http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy
Developers vs Security Officers, asked whether:
●Security of applications is not addressed
●There is no build-security-in process (SSDLC)
●Application had a security breach during the past 2 years
●Did not receive software and application security training
●Application meets security regulations
Percentages shown on the slide: 70%, 50%, 80%, 64%, 68%, 47%, 50%, 50%, 15%, 12%
5. Agile application ≠ Secure?
Agile motto:
●Do what's in the sprint
XP motto:
●Never do more than what's required
TDD motto:
●Code until it's green
8. When is an application secure?
●Requires hard-to-guess passwords?
●Has input validation?
●Has up-to-date and hardened 3rd-party libraries?
●The one that fulfills the security requirements of the application
9. How can the POs know about security?
POs are OWNERS; in that role they decide what is important for this application.
●Deployability (Architects or Operations)
●Performance (Architects, Testers & DBA)
●How to code it (Developers)
11. Secure Coding in 5 minutes
1.Take Responsibility
2.Never trust data
3.Create a threat model
4.Keep yourself updated
5.Make a fuzz
6.Stay proud of your code
7.Use the best tools
http://bit.ly/1dZ6fwA
12. Recipe that works!
1.Architecture Overview
2.Have threat modelling sessions
3.Review all new requirements/stories
4.Fix your tools to help you
5.Add YOUR activities to sprint
20. 3. Backlog Review
Look at the backlog from a security perspective
Security Expert (from team) and PO
Create checklist to facilitate
21. 3. Checklist Example
●How will this new functionality be accessed?
●Can this affect "protected identities"?
●New entities in the threat model require a new threat modelling session
●New role of users needs new validations on each resource
●Validations need to be updated if a property changes
22. 4. Fix your tools to help you
●Continuous Integration
●Static code analyzers
●Dynamic code analyzers
●Penetration tests tools
27. Recipe that works!
1.Architecture Overview
2.Have threat modelling sessions
3.Review all new requirements/stories
4.Fix your tools to help you
5.Add YOUR activities to sprint
28. Q & A
-This won’t work in my team since…
petter.sandholdt@softhouse.se