Motion for Secure Agile SDLC
RAPHAEL DENIPOTTI
May, 2017
CONTENT
• WHOAMI
• Introduction
• SDLC – Software Development Lifecycle
• Agile
• SCRUM Process (Agile)
• Secure SDLC
• Secure SDLC – Agile
• Secure SDLC – SCRUM
• Conclusion
• References
WHO AM I??
Hello,
Raphael Denipotti
Cyber Security Specialist
• Web Application Security Stuff;
• Mobile Application Security Stuff;
• Python 3.5 Enthusiast;
• 24/7 Curious Guy;
• https://www.linkedin.com/in/raphael-denipotti-2714a276/
Introduction
What does SDLC stand for?
SDLC stands for Software (or System) Development Lifecycle and comprises the phases Plan, Design, Build, Testing, Deploy and Support:
• Plan: this phase gathers inputs from the customer, the sales department, etc. Once all the required information has been received, the quality requirements and the risks of the project are established.
• Design: the SRS (Software Requirements Specification) produced in the previous phase is used as a reference to produce the DDS (Design Document Specification). This document describes the design approach for communication and data flows, with an architecture outlook.
• Build: where the magic happens and the software is developed. Depending on the size of the project, this phase is divided into more than one step.
• Testing: one of the most important phases; it seeks to identify bugs in the software before its release, in order to prevent software defects.
• Deploy: after the important testing phase the software is ready to be deployed (at least it should be), and it is deployed according to the business strategy (A/B testing, canary rollout, etc.).
• Support: based on user feedback, improvements or later remediations may be suggested.
SDLC – Software Development Lifecycle
Approaches/Models
Some examples of approaches/models of SDLCs:
• WATERFALL: Plan → Design → Build → Test → Deploy
• AGILE: XP, SCRUM, KANBAN, LEAN, CRYSTAL, FDD, DSDM, ASD
• SPIRAL: Planning → Analysis → Development → Evaluation (repeated in cycles)
AGILE
Methodologies
Delving into some Agile methodologies: XP, SCRUM, KANBAN, CRYSTAL, FDD, ASD, LEAN, DSDM.
• XP (Extreme Programming): features → granular tasks; small iterations → 1-2 weeks.
• Lean (No Waste): elimination of waste and unnecessary work; accelerate learning; deliver fast.
• Dynamic Systems Development Method (DSDM): tight schedules; features are the variables used to achieve the target date; 80%-20% delivery (80% of the scope first, the remaining 20% by iteration).
• Kanban: prioritized backlog → work-in-progress; focus on efficiency.
• Scrum (Collaboration): small iterations → sprints; feedback loop; collaboration.
• Feature-Driven Development (FDD): organization & reporting; not good for small projects; features direct the development plan.
AGILE
What the heck is SCRUM??
[Figure: typical Scrum task board. Source: http://agilecomplexificationinverter.blogspot.com.br/2013/11/elements-of-effective-scrum-task-board.html]
SCRUM PROCESS (AGILE)
SPRINT LIFECYCLE
The Scrum process is depicted below as a sprint lifecycle.
[Figure: sprint lifecycle. Sponsor → Product Owner → Product Backlog (User Stories) → Sprint Planning Meeting → Sprint Backlog → Sprint (1-4 weeks) of Software Development by the Squad → Finished Work → Sprint Review → Sprint Retrospective]
The Product Owner (PO) feeds the Product Backlog with User Stories (features) to be developed, in order of prioritization.
Secure SDLC
How it was sold to the world
For a long time Secure SDLC was proposed as this…
• Training: usually performed as a workshop on security, or anything else related to security, given to developers.
• Requirements: establishment of security requirements and definition of the acceptable quality standards.
• Design: definition of design requirements, including attack surface reduction based on the functional spec. Never forget to threat model the software in this phase.
• Implementation (Code): comprises static analysis of the code as well as removal of unsafe functions.
• Verification (Test): in this phase you should perform dynamic analysis, vulnerability analysis, fuzz testing and, last but not least, an attack surface review.
• Release (Deploy): in this phase the final security review is performed and an incident response plan is prepared.
Secure SDLC
How it was sold to the world
For a long time Secure SDLC was proposed as this…
[Figure: the Secure SDLC phases (Training, Requirements, Design, Implementation (Code), Verification (Test), Release (Deploy)) laid over the WATERFALL phases (Plan, Design, Build, Test, Deploy)]
Secure SDLC – Agile
How to apply the good and known model to an Agile methodology (Scrum approach)?
[Figure: the Secure SDLC phases placed against the Scrum cycle: Product Owner → Product Backlog → Sprint Planning → Sprint Backlog → Software Development → Sprint Review → Sprint Retrospective → Shippable Product]
Doesn’t seem to fit. Definitely not friends forever!!
Secure SDLC – Agile
How I have already seen it in this crazy world
The Frankenstein it becomes… well, sometimes reality sucks.

GOAL                   ATTEMPT            GAP
Training               Workshop of 1 day  When???
Requirements           Checklist          Not enough
Design                 Threat Modelling   Lack of check
Implementation (Code)  SAST               During a sprint???
Verification (Test)    EHT                When???
Release (Deploy)       ????
Secure SDLC – Agile
How Microsoft proposes security in the SDLC
It is more like an adaptation of the Secure SDLC Waterfall.
Microsoft's SDL-Agile sorts the SDL practices into three categories: Every-Sprint Practices, Bucket Practices and One-Time Practices. The practices, listed by SDL phase:
• Training: Core Security Training
• Requirements: Establish Security Requirements; Create Quality Gates/Bug Bars; Perform Security and Privacy Risk Assessments
• Design: Establish Design Requirements; Perform Attack Surface Analysis/Reduction; Threat Modelling
• Implementation: Approved Tools; Deprecate Unsafe Functions; Static Analysis
• Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
• Release: Create an Incident Plan; Conduct Final Security Review; Certify Release and Archive
• Response: Execute Incident Plan
Source: https://www.microsoft.com/en-us/SDL/discover/sdlagile-onetime.aspx
Every-Sprint Practices must be done several times during the lifecycle and spread across sprints; One-Time Practices, as the name suggests, happen only once during the whole project. REALLY????
Secure SDLC – Agile
How Microsoft proposes security in the SDLC
I mean, some parts are well thought out and adapted, but you know, the issue is not solved yet.
Secure SDLC - SCRUM
How S-SDLC could be adapted to SCRUM
In my opinion..
Security Activities/Tasks (may or may not happen within a sprint):
• Security Stories (Security Features) and Attacker Stories (Abuse Cases): each must generate a backlog feature with acceptance criteria. Security Requirement categories: Logging, Authentication, Authorization, Cryptography, Session Management, Error Handling, Encrypted Transmission, Sensitive Data Handling, Data Input & Output, Business Abuses.
• Sprint-Dependent: Static Analysis, Fuzz Testing, Dynamic Analysis.
• Sprint-Independent: Threat Modelling, Security Testing.
Vulnerability Management (executed forever): Identification → Classify → Prioritize → Remediation → Creation of a Security Requirement.
The output of these tasks must be handled by the Vulnerability Management process.
Secure SDLC - SCRUM
How S-SDLC could be adapted to SCRUM
In my opinion..
[Figure: the sprint lifecycle (Product Owner → Product Backlog with User Stories → Sprint Planning Meeting → Sprint Backlog → Sprint (1-4 weeks) of Software Development by the Squad → Finished Work → Sprint Review → Sprint Retrospective) with a Security Owner and a Security Chapter feeding Security Stories and Attacker Stories into the Product Backlog]
The figure of a Security Owner should be created to raise the Security and Attacker Stories,
OR
the Product Owner could be taught security concerns.... I’m not quite a fan of this idea, but who knows??
And what about the idea of creating a Security Chapter dedicated to security?
Secure SDLC - SCRUM
How S-SDLC could be adapted to SCRUM
Security Activities – Sprint Independent
[Figure: the sprint lifecycle (Sprint Planning Meeting → Sprint Backlog → Sprint (1-4 weeks) of Software Development → Finished Work → Sprint Review → Sprint Retrospective) with Threat Modelling running alongside it and feeding Security Requirements & Documentation into the Product Backlog]
Threat Modelling: performed periodically according to the size of the sprints, running in parallel to the software development; its output is Security Requirements & Documentation for the Product Backlog.
Secure SDLC - SCRUM
How S-SDLC could be adapted to SCRUM
Security Activities – Sprint Independent
Manual Security Testing Adoption
[Figure: the sprint lifecycle (Sprint Planning Meeting → Sprint Backlog → Sprint (1-4 weeks) of Software Development → Finished Work → Sprint Review → Sprint Retrospective) with Manual Security Testing feeding Vulnerability Management]
Manual Security Testing: performed once the application is consistent, with several functional features, for instance every 3 months. Its findings go to Vulnerability Management.
Secure SDLC - SCRUM
How S-SDLC could be adapted to SCRUM
Automation for Security Activities – Sprint Dependent
[Figure: delivery pipeline: DEVELOPERS → SOURCE REPOSITORY → Build Master Workstation / Continuous Delivery Server → ARTIFACT REPOSITORY → Application Server → User Acceptance Environment]
• Static Analysis Testing: daily or per commit, run by automation on the build side of the pipeline.
• Dynamic Analysis Testing and Fuzz Testing: run by automation against the deployed application (Application Server / User Acceptance Environment).
Secure SDLC - SCRUM
Vulnerability Management
[Figure: Vulnerability Management cycle: Identify → Classify → Prioritize → Remediate/Mitigate, feeding Attacker Stories into the Backlog]
The Vulnerability Management process must occur independently of the project. There must be caution during the Classification and Prioritization phases, since there is a likelihood of releasing software with vulnerabilities to be patched after some accepted period.
I mean, some parts are well thought out and adapted, but the issue is not solved yet.
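As an added illustration of the Classify → Prioritize → Remediate gate described above (example code written for this page, not from the deck), the following Python models findings from the sprint-dependent (SAST/DAST/fuzz) and sprint-independent (manual) activities, maps them onto the deck's security requirement categories, and blocks a release only when an open finding has outlived its accepted period. The severity-to-deadline table, the finding kinds and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Accepted remediation period per severity, in days (constructed policy, not from the deck).
ACCEPTED_PERIOD_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Map tool-specific finding kinds (constructed names) onto the deck's security requirement categories.
CATEGORIES = {
    "sqli": "Data Input & Output",
    "xss": "Data Input & Output",
    "weak-cipher": "Cryptography",
    "missing-authz": "Authorization",
    "session-fixation": "Session Management",
    "stack-trace": "Error Handling",
    "cleartext-http": "Encrypted Transmission",
}

@dataclass
class Finding:
    finding_id: str
    source: str        # "sast", "dast", "fuzz" (sprint-dependent) or "manual" (sprint-independent)
    kind: str          # key into CATEGORIES
    severity: str      # key into ACCEPTED_PERIOD_DAYS
    found_on: date
    remediated: bool = False

@dataclass
class BacklogItem:
    finding_id: str
    category: str
    severity: str
    due: date
    acceptance_criteria: str

def classify(f: Finding) -> str:
    """Classify: map a tool finding onto one of the deck's security requirement categories."""
    return CATEGORIES.get(f.kind, "Unclassified")

def prioritize(findings):
    """Prioritize: most severe first, oldest first within the same severity."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (rank.get(f.severity, 9), f.found_on))

def to_backlog(f: Finding) -> BacklogItem:
    """Turn a finding into a backlog item with a deadline and acceptance criteria."""
    cat = classify(f)
    due = f.found_on + timedelta(days=ACCEPTED_PERIOD_DAYS[f.severity])
    criteria = f"No {f.kind} finding on {f.source} re-scan; {cat} requirement satisfied"
    return BacklogItem(f.finding_id, cat, f.severity, due, criteria)

def release_gate(findings, today: date) -> dict:
    """Open findings past their accepted period block the release; open findings still
    inside the period ship as accepted risk and stay in the backlog."""
    open_items = [f for f in findings if not f.remediated]
    overdue = [f for f in open_items if to_backlog(f).due < today]
    accepted = [f for f in open_items if to_backlog(f).due >= today]
    return {"ship": not overdue,
            "blocking": [f.finding_id for f in prioritize(overdue)],
            "accepted_risk": [f.finding_id for f in prioritize(accepted)]}

# Constructed sample findings from the automated and manual security activities.
SAMPLE = [
    Finding("F1", "sast", "sqli", "critical", date(2017, 5, 1)),
    Finding("F2", "dast", "stack-trace", "low", date(2017, 5, 10)),
    Finding("F3", "fuzz", "session-fixation", "high", date(2017, 4, 1), remediated=True),
    Finding("F4", "manual", "missing-authz", "high", date(2017, 5, 5)),
]

if __name__ == "__main__":
    print(release_gate(SAMPLE, date(2017, 5, 20)))  # F1 is overdue, so the release is blocked
```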
Conclusion
Conclusion of this proposal
Security Management for Application Development
Many organizations nowadays rely merely on Vulnerability Management during the SDLC. The implementation of this idea, or at least part of it, could (in my humble opinion) help achieve better security management for application development, comprising not only Vulnerability Management, Compliance Management and Threat Management, but also improving the maturity of the company's application Security Management as a whole.
[Figure: Security Management = Vulnerability Management + Threat Management + Compliance Management]
References & Sources
Articles, Books and Websites used to elaborate this idea
Secure SDLC – Agile
• http://www.full-stackagile.com/2016/02/14/team-organisation-squads-chapters-tribes-and-guilds/
• https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet#Session_Management
• http://www.n4s.fi/2014magazine/article2/assets/guidebook_handbook.pdf
• https://www.microsoft.com/en-us/SDL/discover/sdlagile-bucket.aspx
• https://www.experts-exchange.com/articles/18378/The-Agile-Umbrella-What-development-method-is-right-for-you.html
Conclusion
Thank you
Contact
Raphael Denipotti
E. raphaeldenipotti@gmail.com
G. github.com/humblepoti
L. www.linkedin.com/in/raphael-denipotti-2714a276/
Thank you!
Feel free to improve this idea and to contact me.

Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti