How We Implemented Security in Agile for 20 SCRUMs- and Lived to Tell

Transcription

1 How We Implemented Security in Agile for 20 SCRUMs- and Lived to Tell SESSION ID: ASEC-R03 Yair Rovek Security Specialist

2 Challenged by Agile

3 In the Next 45 Min LivePerson and Application Security Where did it all Began LivePerson And Agile Security Checkpoints in the Process Bringing it All Together in the Continuous Integration Summarize the Challenges Key Success Factors 3

4 LivePerson ID What we do? How it works? SaaS platform for creation of meaningful connections through real-time engagement Monitor web visitor s behavior (Over 1.5 B visits each month) Conduct behavioral ranking Provide the engagement platform (Over 10 M chats each month) SaaS & Cloud only Security is NOT optional

5 5

6 From Pen-Testing to SDLC # New Bugs/Year 150 Secure Coding Baseline 3 rd Party Pen-Testing Hand-On Training (R&D vs. QA) 100 Dynamic Testing < > LP Tools Static Code Analysis Open Source Coverage Enforcement 50 Platform Tests Simplify & Scale - ESAPI

7 Who are the Key Players? Sales & Product Software Architects R&D Scrum Teams System Architects CI environment Artifact Production

8 Agile Framework

9 Agile Framework RETROSPECTIVE

10 Add Security to the Agile Process Scrum Actions Release Planning Sprint Planning Coding Code Freeze Q&A Regression Tests Release

11 Add Security to the Agile Process Scrum Actions Release Planning Security Control Security High-Level Design Sprint Planning Coding Code Freeze Q&A Regression Tests Release

12 Add Security to the Agile Process Scrum Actions Release Planning Security Control Security High-Level Design Sprint Planning Guide-in the teams On-Demand Coding Code Freeze Q&A Regression Tests Release

13 Add Security to the Agile Process Scrum Actions Release Planning Security Control Security High-Level Design Sprint Planning Coding Guide-in the teams On-Demand ESAPI & SCA checks for each build Code Freeze Q&A Regression Tests Release

14 Add Security to the Agile Process Scrum Actions Release Planning Security Control Security High-Level Design Sprint Planning Coding Code Freeze Guide-in the teams On-Demand ESAPI & SCA checks for each build Automated Security Tests Q&A Regression Tests Release

15 Add Security to the Agile Process Scrum Actions Release Planning Security Control Security High-Level Design Sprint Planning Coding Code Freeze Q&A Regression Tests Guide-in the teams On-Demand ESAPI & SCA checks for each build Automated Security Tests Automated Security Tests Release

16 Add Security to the Agile Process Scrum Actions Release Planning Sprint Planning Security Control Security High-Level Design Q&A On-Demand Coding Code Freeze Q&A Regression Tests Release ESAPI & SCA checks for each build Automated Security Tests Automated Security Tests External Pen-Test

17 Add Security to the Agile Process Scrum Actions Release Planning Security Control Security High-Level Design Sprint Planning Coding Code Freeze Q&A Regression Tests Release Guide-in the teams On-Demand ESAPI & SCA checks for each build Automated Security Tests Automated Security Tests External Pen-Test

18 Screening Code in 3D Delivered Dependencies and Open Source Developer Code

19 ESAPI Building Blocks Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration

20 Where Do I Put my Validation? Any Interpreter Any Encoding Controller Web Service Database User Business Functions Data Layer Mainframe Etc User Interface File System

21 Where Do I Put my Validation? Specific Validate Any Interpreter Any Encoding Controller Web Service Database User Business Functions Data Layer Mainframe Etc User Interface File System Encode For HTML Validate

22 API Example Define Relevant Filters

23 Automated Test Example Black/ White Listing Filter Integrating Automated Testing: Example Preventing RegEx DoS and Performance Issues

24 LivePerson ESAPI Implementation Live Person Security API (LPSAPI) - In-House Security Package based on ESAPI project For Each Product Imports LPSAPI Enforces correct usage via Source Code Analysis (SCA) Enforce Open Source Policy Test your infra BB

25 CI Environment Develop Code Commit Source Control (SVN) TeamCity (Build Trigger) Maven Build Process (Unit tests) Deploy to Test Env Report & Notify Publish to release repository Deploy to Production

26 Security in CI Environment Develop Code Commit Source Control (SVN) TeamCity (Build Trigger) Deploy to Test Env Maven Build Process (Unit tests) SCA, Dynamic, OS Report & Notify Publish to Release Repositor y Deploy to Production

27 One Dashboard Results are Integrated within TeamCity

28 Dive into the Results Results are integrated within CI environment Developer has all required info. No need to involve the Security Team

29 Challenges Management Developers Technology HR Formal Training VS Coaching and Continues Education Scale PenTest Quality 30

30 Key Success Factor Secure Agile Development

31 Key Success Factors Identify the process within R&D and set a plan to become part of it Set Security Package API to be consumed with each code (ESAPI AntiSamy CSRF Guard) Screen and enforce your policy on your code Open Source and platform Use automation to collaborate with the security dynamic test Allow customer to run a pen test and work as a community to succeed

32 Key Success Factors Engage tech leaders as security champions by showing them the value Train developers on a regular basis Create a knowledge base and discussions around security Break the build for any High or Medium findings Start small but think big

33 Contact

34

35 Links to Resources OWASP AGILE & SDLC - MS SDLC