Managing Security in Agile Culture by Rendra Perdana, CISSP - Head IT Infrastructure & Security at mataharimall.com
@SARCCOM MEETUP
http://sarccom.org
https://www.meetup.com/Software-Architect-Indonesia
6. Agile Goal:
1. Working code
2. Release Often
3. Quickly responding to change
Agile Framework
Security Expectation:
1. Features are well documented & security tested
2. Changes require retest
3. Cost-benefit analysis & Risk assessment
What strategy can combine both fast and secure development?
8. Secure Platform vs. Speedy Development
Design-Assess-Build-Verify
[Diagram labels: Threat Modeling, Build, Assessment, Overall Security Assessment, Monitor, Business Requirement]
9. Secure Platform vs. Speedy Development
Threat Modeling
Assess all foreseeable threats, objectives, and methods
Treat assets as objectives
Rank the risk of threats
Probability of attack (methods)
A vulnerability is a part of the infosec infrastructure that represents a weakness to an attack in the absence of a control
http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf
10. Secure Platform vs. Speedy Development
Assessment: Application Security Level
Against easy-to-find and easy-to-exploit vulnerabilities
Against highly trained attackers and effective tools (e.g. B2B or healthcare applications)
Reserved for apps that REQUIRE significant levels of security verification
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
11. Secure Platform vs. Speedy Development
Assessment: Application Security Level
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
12. Secure Platform vs. Speedy Development
Agile vs Secure Compromises
All features must be tested according to the ASVS level needed for that particular feature/module.
Security engineers have the right to raise objections/concerns in any development phase (plan, build, verify). However, the decision should be made by the product team with adequate information on the risk.
A vulnerability that is mitigated by an external control (e.g. WAF) must be treated as technical debt.
13. Secure Platform vs. Speedy Development
Scenario:
You found a critical vulnerability in your app one day before the launch date (H-1).
OR
A zero-day on SSH has been made public. It’s Saturday.
How do you respond?
14. Secure Platform vs. Speedy Development
Confidentiality
Availability
Integrity
15. Secure Platform vs. Speedy Development
Triage
(in medical use) the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties.
16. Secure Platform vs. Speedy Development
Triage Sequence & Requirement
Verification
• Checking logs (SIEM, Tripwire)
• Transaction anomaly (which transaction/platform is being attacked?)
• System behaviour anomaly (system metrics)
Severity Assessment
• What’s being attacked? (IP L3/L7, OS, Platform, Features)
• Potential damage (financially, if possible)
Prioritization
• Mitigating the most damaging attack
• Alerting other technical teams (e.g. DevOps, Fraud Team)
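The triage sequence above as a small queue builder. This is an added example, not code from the talk. The alert fields, the routing of teams and the rule that unestimated damage ranks first are assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    name: str
    target: str                    # what is attacked: IP L3/L7, OS, platform, feature
    damage: Optional[float]        # potential financial damage; None = not yet estimated
    log_hit: bool = False          # verification: logs (SIEM, Tripwire)
    txn_anomaly: bool = False      # verification: transaction anomaly
    metric_anomaly: bool = False   # verification: system behaviour anomaly

def evidence(a: Alert) -> int:
    """Number of independent verification sources that confirm the alert."""
    return sum([a.log_hit, a.txn_anomaly, a.metric_anomaly])

def teams_to_alert(a: Alert) -> list:
    """Assumed routing: DevOps always, Fraud Team when transactions are affected."""
    return ["DevOps"] + (["Fraud Team"] if a.txn_anomaly else [])

def triage(alerts):
    """Return (queue, unverified). The queue is ordered most damaging first."""
    verified = [a for a in alerts if evidence(a) > 0]
    unverified = [a for a in alerts if evidence(a) == 0]

    def rank(a):
        # Unknown damage sorts first so an unassessed attack is never ranked last.
        dmg = float("inf") if a.damage is None else a.damage
        return (-dmg, -evidence(a))

    queue = [(a.name, teams_to_alert(a)) for a in sorted(verified, key=rank)]
    return queue, [a.name for a in unverified]

# Constructed sample alerts (not from the talk).
SAMPLE = [
    Alert("port scan", "IP L3", 0.0, log_hit=True),
    Alert("voucher abuse", "feature", 50_000.0, log_hit=True, txn_anomaly=True),
    Alert("CPU spike on checkout", "platform", None, metric_anomaly=True),
    Alert("vendor advisory, no local signal", "OS", 10_000.0),
]

if __name__ == "__main__":
    queue, unverified = triage(SAMPLE)
    for name, teams in queue:
        print(name, "->", ", ".join(teams))
    print("awaiting verification:", unverified)
```

Alerts with no confirming source are held for verification rather than dropped, so they are still visible to whoever runs the queue.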
18. Infrastructure
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
MIKKO HYPPONEN
Chief Research Officer of F-Secure
https://www.wired.com/2012/06/internet-security-fail/
Security: Development vs. Operations
19. Infrastructure
To be secure in infrastructure, cutting edge is the only way
20. Infrastructure
Now contains > 5 million blocked IP addresses, including from botnets
1300 req/s @ 2.4 GHz per CPU core (54-byte response)
Latency: 40-60 ms