The document discusses identifying risks in an agile security process for web developers. It outlines steps like asset identification, risk identification, countermeasures, risks caused by solutions, and costs/tradeoffs. Specific risks covered include injection attacks, TLS downgrades, DDoS attacks, weak passwords, spoofing, spear phishing, and infectious media. The document also discusses agile practices like test-driven development, security regression testing, code reviews, and establishing a security champion to help integrate security practices into the development process.

1. Agile Security for Web Developers
Kim Carter
Technologist – BinaryMist
Ltd

2. 5: Identify Risks?
Agile Security
for Web Developers
IoTPhysical People MobileCloudVPS Networ Web AppNetwork

3. @binarymist
Evalute me -> https://goo.gl/nmkRZ3

6. 5: Identify Risks?
https://leanpub.com/b/holisticinfosecforwebdevelopers

7. IoTPhysical People MobileCloudVPS Web AppNetwork
1: Asset Identification
2: Identify Risks
3: Countermeasures
4: What risks does solution cause?
5: Costs and Trade-offs

8. 5: Identify Risks?
30,000’ View

9. 5: Identify Risks?
People
App
IoTMobile
VPS
Network
Cloud
Physical
Web

10. 5: Identify Risks?
Injection
TLS
Downgrade
D-DOS?
Easy to execute.
Tricky to mitigate
People in
need of
education
Buffer
Overflows

11. 5: Identify Risks?
1. Deeply technical (developer/engineer)
2. Network expert(s)
3. Domain expert(s)
4. Person solely responsible for product
delivery
5. Person(s) with security specialisations in
the areas involved in the finished product

12. 5: Identify Risks?
Asset Identification

13. 5: Identify Risks?
Risk Identification

14. Risk Identification

15. 5: Identify Risks?
Risk Identification

16. 5: Identify Risks?
Risk = Likelihood * Impact
Risk Identification

17. Countermeasures

18. Product Backlog Sprint Backlog
Product Backlog items pulled into
Sprint to form Increment Forecast

19. ● Avoid Commercial
●
● Use Public-Domain
●
Risks that Solution Causes

20. New Mitigated
Risks that Solution Causes

21. Establish Value
Loss of Convenience
Costs and Trade-offs

22. Costs and Trade-offs

23. 5: Identify Risks?
30,000’ View
10,000’ View

24. 5: Identify Risks?
Injection
TLS
Downgrade
D-DOS?
Easy to execute.
Tricky to mitigate
People in
need of
education
10,000’ View

25. Tooling

26. Processes
&
Practises

27. Red Team
Penetration Testing

28. Reconnaissance
Penetration Testing

29. https://inteltechniques.com/links.html
Reconnaissance
Penetration Testing

30. Vulnerability Scanning
Penetration Testing

31. NMAP
Decoy host (-D)
Idle scan (-sI)
Vulnerability Scanning
Penetration Testing

32. scanner/ssh/ssh_enumusers SSH Username Enumeration
scanner/ssh/ssh_identify_pubkeys SSH Public Key Acceptance Scanner
scanner/ssh/ssh_login SSH Login Check Scanner
scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner
scanner/ssh/ssh_version SSH Version Scanner
Vulnerability Scanning
Penetration Testing

33. Vulnerability Scanning
Penetration Testing

34. Vulnerability Scanning
Penetration Testing

35. https://github.com/offensive-security/exploit-database
Vulnerability Searching
Penetration Testing

36. https://www.exploit-db.com/
Vulnerability Searching
Penetration Testing

40. Penetration Testing

41. Penetration Testing

42. https://nodesecurity.io/advisories
https://web.nvd.nist.gov/view/vuln/search
Vulnerability Searching
Penetration Testing

43. https://bitbucket.org/t0x0/threatcrawler

44. Exploitation
Penetration Testing

45. Red Team
Penetration Testing

46. Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills

47. Blue Team
Agile Dev and Practices

48. Red Team -> Blue Team
Agile Dev and Practices

49. Pen testing @ go live -> within each Sprint
Agile Dev and Practices

50. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills

51. 5: Identify Risks?
Agile Dev and Practices

52. 5: Identify Risks?
Agile Dev and Practices

53. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills

54. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills
Hand-crafted Penetration Testing

55. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Pair Programming
Code Review
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills
Hand-crafted Penetration Testing
Establish a Security Champion

56. Agile Dev and Practices

57. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Code Review
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming

58. Code Review, Static & Dynamic Analysis
Agile Dev and Practices

59. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Techniques for Asserting Discipline
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review

60. Techniques for Asserting Discipline
Static Type Checking
DbC
Agile Dev and Practices

61. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Security Focussed TDD
Security Regression Testing
Evil Test Conditions
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline

62. Agile Dev and Practices

63. 5: Identify Risks?
Agile Dev and Practices
5: Identify Risks?
Given When Then
There are no items in
the shopping cart
Customer clicks
“Purchase” button for a
book which is in stock
1 x book is added to
shopping cart. Book is
held - preventing
selling it twice.
“ Customer clicks
“Purchase” button for a
book which is not in
stock
Dialog with “Out of
stock” message is
displayed and offering
customer option of
putting book on back
order.

64. 5: Identify Risks?
Agile Dev and Practices
Given When Then
There are no items in
the shopping cart
User tries to downgrade
TLS and the HSTS
header is not sent by
the server
User should be
redirected (response
301 status code) to the
HTTPS site from the
server
“ User tries to downgrade
TLS and the HSTS
header is sent by the
server
User should be
redirected to the HTTPS
site from the browser
(no HTTP traffic for
sslstrip to tamper with)

65. The Sprint
Sprint Planning
Daily Scrum
Sprint Review
Retrospective
Product Backlog
Sprint Backlog
Sprint Increment
Definition of Done
Security Focussed TDD
Security Regression Testing
Essentials for Creating & Maintaining High Perf Dev Team
Forming Habits and Sharpening Skills
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review
Techniques for Asserting Discipline
Evil Test Conditions

66. Requirements or design defect found via
Product Backlog Item (PBI) collaboration
Length of Feedback Cycle
Cost
Requirements or design defect
found in Test Conditions Workshop
Programming or design defect
found via Pair Programming
Programming defect found
via Continuous Integration
Programming or design defect found via
Test Driven Development (T(B)DD)
Requirements or design defect
found via Stakeholder Participation
Defect found via pair
Developer Testing
Defect found via
Independent Review
Requirements defect found via
traditional Acceptance Testing
Programming or design defect
found via Pair Review
Design defect found via
traditional System Testing
Programming defect found via
traditional System Testing
Security defect found via
traditional external Penetration Testing

67. Requirements or design defect found via
Product Backlog Item (PBI) collaboration
Length of Feedback Cycle
Cost
Requirements or design defect
found in Test Conditions Workshop
Programming or design defect
found via Pair Programming
Programming defect found
via Continuous Integration
Programming or design defect found via
Test Driven Development (T(B)DD)
Requirements or design defect
found via Stakeholder Participation
Defect found via pair
Developer Testing
Defect found via
Independent Review
Requirements defect found via
traditional Acceptance Testing
Programming or design defect
found via Pair Review
Design defect found via
traditional System Testing
Programming defect found via
traditional System Testing
Security defect found via Security Test
Driven Development (STDD) or regression testing

68. 5: Identify Risks?Zap-Api & NodeGoat
https://youtu.be/DrwXUOJWMoo
Agile Dev and Practices
Security Regression Testing

69. People

70. 5: Identify Risks?
Asset Identification

71. 5: Identify Risks?
Identify Risks

72. Identify Risks
Employee Snatching

73. 5: Identify Risks?
https://youtu.be/zevpMvQwWOU
Identify Risks
Weak Password Strategies

74. 5: Identify Risks?
Identify Risks
Spoofing Caller Id,
SMiShing

75. https://youtu.be/tb4o5UCHzSA
Identify Risks
Spear Phishing

76. 5: Identify Risks?
Identify Risks
Infectious Media

77. 5: Identify Risks?

78. 5: Identify Risks?
/opt/usb-rubber-ducky/ java -jar encoder.jar
-i inject.txt
-o /media/kim/B4AD-3FC1/inject.bin
Unmount -> Swap SD
Identify Risks
Infectious Media

79. 5: Identify Risks?

80. 5: Identify Risks?
Identify Risks
Infectious Media

81. 5: Identify Risks?
We also have Teensy

82. 5: Identify Risks?
Countermeasures

83. Product Backlog Sprint Backlog
Product Backlog items pulled into
Sprint to form Increment Forecast

84. 5: Identify Risks?
Risks that Solution Causes

85. 5: Identify Risks?
Costs and Trade-offs

86. 5: Identify Risks?
Defence in Depth

87. 5: Identify Risks?
https://leanpub.com/b/holisticinfosecforwebdevelopers

88. @binarymist
Evalute me -> https://goo.gl/nmkRZ3

89. 5: Identify Risks?
Identify Risks
Infectious Media

91. Thanks for listening
Any Questions?