SDLC – Agile & Secure SDLC
/Paul 20160511
Agenda
1. SDLC
2. Agile
3. Secure SDLC
SDLC
I want to build a swing
I believe folks will help me to build that
But it turns out like this, or even worse
That’s what I want, though I explained it at first
What’s SDLC
A process to cook system/application
Why use SDLC
Manage the constraints of the “Golden Triangle”
Why use SDLC (cont)
I want to make it quicker!
Why use SDLC (cont)
I want to make it cheaper!
Why use SDLC (cont)
I want to make it bigger!
68% of SDLC projects fail
McKinsey – 17% of large IT projects fail miserably
Geneca – large IT projects run 45% over budget, 7% over time, delivering 56% less value; 75% of project participants lack confidence in their project
No “Silver Bullet” method would solve project problems for everyone, everywhere
Selecting SDLC
Selecting SDLC (cont)
Core Activities
Requirement, Analysis, Planning, Implementation, Test, Deployment, Maintain
Approach/Type
Sequential Design, Iterative Design
Models
Waterfall, Spiral, V-model, Agile, more..
Frameworks/Methodologies
SCRUM, XP, TDD, BDD, DDD, RUP
Tools
Compiler, Debugger, Profiler, GUI designer, IDE, Build automation
Standards
CMMI, IEEE, ISO 9001..more
More..
Waterfall Model
Assumptions:
• big requirements up front (BRUF),
• changes to requirements are small enough (no revisit),
• system integration (SI) goes well,
• software innovation and research can work on a predictable schedule…more
Issues With Waterfall Method
It is difficult to react to changes
Iterations are expensive
Iterative ways to tackle
AGILE
Iterative
Adaptable
Rapid
Cooperative
Quality-driven
Not a process, it's a philosophy or set of values
Agile Manifesto
Agile Umbrella
Agile
Crystal
XP
Scrum
DSDM
FDD
Kanban
RUP
RUP (120+)
XP (13)
Scrum (9)
Kanban (3)
Do Whatever!! (0)
More Prescriptive
More Adaptive
and few more…
* Check wikipedia for list of all Agile methods
RUP has over 30 roles, over 20 activities, and over 70 artifacts
more rules to follow
fewer rules to follow
Scrum
A light-weight agile process tool
Split your work
Split your organization
Scrum Team
Scrum Master
Product/Project Owner
Split time (usually 2 – 4 weeks)
(timeline: Jan … May)
Optimize the release plan and priority
Optimize the process
Scrum in a nutshell
So instead of a large group spending a long time building a big thing, we have a small team spending a short time building a small thing.
“Better-Than-Not-Doing-It” Results
• 88% of respondents to the VersionOne State of Agile Development Survey 2013 said that their organizations were practicing agile development. 92% of the respondents reported year-over-year improvements in all areas measured by the survey, with the leading categories being the ability to manage changing priorities (92%), increased productivity (87%), improved project visibility (86%), improved team morale (86%), and enhanced software quality (82%).
“Better-Than-Not-Doing-It” Results (cont)
A Fractured Perspective, people only see what they want to see
How Scrum really works
collective commitment and self-organization
Secure SDLC
Security is a MUST-DO for your SW
Security Assurance
Discover and Avoid Vulnerability
Attack detection and elimination
Exposure limitation and recovery
Code Vulnerability - SQLI
SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of 2007 and 2010
It occurs when the web code does not treat input well (validate or parameterize it) before sending the SQL query to the database
SQL injection based on 1=1 or ""=""
An attacker can smuggle SQL fragments into the query to change application behaviour
For example, bypass login authentication
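The login bypass described above, as an added example that is not part of the original slides: a vulnerable login that pastes user input into the SQL text sits next to a hardened version that uses parameterized queries, and a small regression check shows the kind of automated security test (run in CI, as the later slides call for) that catches the tautology bypass. The user table, credentials, function names and payload list are all constructed for this example.

```python
import sqlite3

# Tautology payloads from the slide ("1=1" and ""=""), used as test input only.
BYPASS_PAYLOADS = ["' OR ''='", "' OR 1=1 --"]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before': input is concatenated straight into the SQL string.

    With password = "' OR ''='" the WHERE clause becomes
    username = 'alice' AND password = '' OR ''='' which is always true.
    """
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'after': placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def sqli_regression_check(login_fn) -> bool:
    """Automated security test for CI: True only if login_fn resists every payload.

    A correct login must still accept the real credentials, reject a wrong
    password, and reject each injection payload supplied as the password.
    """
    conn = make_db()
    if not login_fn(conn, "alice", "correct horse"):
        return False  # broke legitimate login
    if login_fn(conn, "alice", "wrong"):
        return False  # accepts wrong password
    return not any(login_fn(conn, "alice", p) for p in BYPASS_PAYLOADS)


if __name__ == "__main__":
    for fn in (vulnerable_login, safe_login):
        verdict = "PASS" if sqli_regression_check(fn) else "FAIL"
        print(f"{fn.__name__}: {verdict}")
```

Wiring `sqli_regression_check` into the test suite turns the audit finding into a gate: the vulnerable variant fails the build, the parameterized one passes, and the check stays in place so a later refactor cannot silently reintroduce string concatenation.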
Code Vulnerability – SQLI (cont)
(chart: Percentage of Total Infections)
Why does vulnerability matter so much, yet code is still left insecure?
“I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality” (c) Scott Hanselman
Developer
May know about the OWASP Top 10
but only cares about 1 threat (DEADLINE fail)
Risks are for managers, not developers
Common way in security audit
3rd party or internal audit
Tons of security defects
Then start the process of re-Coding, re-Building, re-Testing, re-Auditing
BACK to re-Coding, re-Building, re-Testing, re-Auditing
Security should be designed into a system; it is difficult to make it secure afterward
How much time do you need to fix a security issue in the app?
How it should look – secure SDLC
Automated security tests
CI integrated
Manual security tests
OWASP methodology
Secure coding trainings
Regular vulnerability scans
Security defects should decrease from phase to phase
Microsoft SDL
Lifecycle Model / frameworks/ Standards
NIST SP 800-64 Rev. 2
NIST SP 800-53 Rev 4
NIST Cybersecurity Framework
Additional tools
Software Engineering Institute Carnegie Mellon - CERT
Open Software Assurance Maturity Model (OpenSAMM)
Software Assurance Metrics and Tool Evaluation (SAMATE)
Open Source Security Testing Methodology Manual (OSSTMM 3)
More…
Reference
http://online.husson.edu/software-development-cycle/
https://uk.pinterest.com/pin/266064290462173346/
http://www.infoq.com/resource/articles/scaling-software-agility/en/resources/ch02.pdf
http://www.slideshare.net/hareshkarkar/overview-of-agile-methodology?from_action=save
http://resources.infosecinstitute.com/
http://www.slideshare.net/TjylenVeselyj/intro-to-security-in-sdlc
http://www.slideshare.net/NazarTymoshyk/agile-and-secure-sdlc
https://ics-cert.us-cert.gov/Standards-and-References
http://www.albany.edu/acc/courses/ia/acc661/NIST-SP800-64.pdf
https://www.bsimm.com
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Q&A
Backup
Iterative ways to tackle
Planning
• 3 days
• 1 day readout for points (5/9?)
• 1 day prepare slide (5/10?)
• 1 day practice (same day?)
• May 11 – 4 day = May 7 ~ 8
No – prepare no later than 5/8
• ME – 2 pages
• What’s SDLC? - 1
• Why Agile SDLC? -2
• HowTo -2
• What -1
• Why security? - 2
• How -2
• What - 1
• 2 thing together – 2
• Extends – standard -3
Conclusion – 1
19 pages
Outline
• SDLC
• What’s – core activities/people
• Why’s that
• How – sequential/iterative, incremental / doc driven (Waterfall, RUP, Spiral, Agileze…more )
• for comparison, must mention waterfall
• Explain what/how
• However, the problems it create
• Problem -> Impacts
• Agile way
• Benefits  problems but there’s also problem there
• Explain how it fixes it
• Problem: is having done it a little better than not doing it at all?
• Why: form over substance
• What SCRUM really is – self org /
• Why each
• Just why the Agile coach doesn’t tell – time and also is caused by betacuy issue
• Conclusion Agile coach actually changes DNA of company - self-org / collective commitment
Outline
• SECURITY in SDLC
• What/WHY’s that
• Secure code/DDD /XXX /XXXX/ XXXX/… more
• Why: IMPACT
• WHY: ppl don’t know
• Awareness by geo and biz --- analogy (like sick will you locked the door in city / culture)
• Why put it into the process?
• Beforehand ppl Bolt it and treat it especial -> cause problem (recode, retest redo…)
• HOW
• The strategy to do ABC
• The product(flow/standard) to do, MS, SDD, DWQDQW
• The infrastructure to do
• Conclusion: depend company budget
• Synergy between Agile and security
• Embedded security’s DNA into Agile component,
• Q&A
Synergy between Agile and Security
What’s SDLC
Process to create SW/SYS stuffs
Scrum vs. Waterfall
REQUIREMENTS
DESIGN
DEVELOPMENT
TESTING
MAINTENANCE
Iterative Scrum
What’s – core activities/people
systems development life cycle (SDLC)
Core activities
Requirements, Design
Construction, Testing, Debugging
Deployment, Maintenance
Engineering Process
- Core Activities
- Paradigms (set of methods and methodologies)
- Philosophy & Values
- Methodologies (frameworks)
- Principles
- Roles
- WorkFlows
- Artifacts
- Tools
- Standards
What’s – core activities/people
• control points
• Sos
• Sprint review
• Daily Scrum
• activities
• Approach
• Cycle
• Planning: formal
• Scope
• Artifacts
• Type of Project/Product: Recommend
Additional tools
Open Software Assurance Maturity Model (OpenSAMM)
Open Source Security Testing Methodology Manual (OSSTMM 3)
The Open Web Application Security Project (OWASP)
Secure-SDLC
Software Assurance Metrics and Tool Evaluation (SAMATE)
Software Engineering Institute Carnegie Mellon - CERT
Systems Security Engineering Capability Maturity Model (SSE-CMM)
AUTOMATED CODE ANALYSIS
LINEAR INTEGRATION APPROACH
Microsoft SDL
Training
PRE SDL TRAINING:
• Introduction to Microsoft SDL
• Essential Software Security Training for the Microsoft SDL
• Basics of Secure Design, Development and Test
• Introduction to Microsoft SDL Threat Modeling
• SDL Quick Security References
• SDL Developer Starter Kit
Requirements Phase
• SDL Practice #2: Establish Security and Privacy Requirements (one time practice)
• SDL Practice #3: Create Quality Gates/Bug Bars
• SDL Practice #4: Perform Security and Privacy Risk Assessments (one time practice)
Design
• Establish Design Requirements (one time practice)
• Attack Surface Analysis/Reduction (one time practice)
• Use Threat Modeling
• Mitigation of threats
• Secure Design
• Formulating security guidelines
• Security Design Review
Implementation
• SDL Practice #8: Use Approved Tools
• SDL Practice #9: Deprecate Unsafe Functions
• SDL Practice #10: Perform Static Analysis
Verification Phase
Bucket practices:
• SDL Practice #11: Perform Dynamic Analysis
• SDL Practice #12: Fuzz Testing
• SDL Practice #13: Attack Surface Review
Release Phase
• SDL Practice #14: Create an Incident Response Plan (one time practice)
• SDL Practice #15: Conduct Final Security Review
• SDL Practice #16: Certify Release and Archive
Response Phase
• SDL Practice #17: Execute Incident Response Plan
• Analyse vulnerability information
• Risk calculation
• Patch release
• Client notification
• Information publishing
What’s SDLC

Agile & Secure SDLC