AGIL JA, ABER SICHER? , ANDREAS FALK, 34. SCRUM TISCH

Transcription

1 AGIL JA, ABER SICHER? , ANDREAS FALK, 34. SCRUM TISCH

2 Vorstellung: Andreas Falk Langjährige Erfahrungen als Entwickler, Architekt und Tester in verschiedenen Projekten mit Fokus Enterprise-Anwendungen auf Basis von Java, Java EE / Spring in den Branchen Produktion, Logistik, Finance, Telekommunikation und Automotive Senior Consultant Seit 2011 bei der NovaTec Consulting GmbH Experte in der NovaTec Competence Group Agile Quality Engineering" Durchführung von Trainings für Java, Spring, Git, Advanced Unit-Testing und Agile (Security) Testing 2

3 Who s next to be hacked? 3 U.S. Office of Personnel Management

4 Who s next to be hacked? 5

5 Who s next to be hacked? 6

6 Web Application Security: OWASP Top 10 (2013) 7

7 Security == Agile? Sprint 1 Sprint 2 Sprint n Story A Story B Story C Story D Story E Story F Story G Story H Security Features Penetrationtest 9

8 Potentially Releasable Increment? Scrum Guide: The Development Team consists of professionals who do the work of delivering a potentially releasable increment of Done product at the end of each Sprint Release potentially unsecure? 10

9 Attacker Schedule vs. SDLC Security Test Schedule Attacker Schedule: 24h x 7d! Time Software Development Lifecycle Penetrationtest Penetrationtest 11

10 Microsoft Security Development Lifecycle (SDL) 13

11 Automotive Security Development Lifecycle (V-Model) 15

12 Next Stop: Secure Agile Development Process 16

13 Manifesto for Secure Agile Software Development 17

14 The Rugged Manifesto 18

15 Microsoft Security Development Lifecycle for Agile Development Agile Process SDLC Tasks One Time Baseline thread model Estabish security response plan Regular Basis Privacy review Manual & automatic security code review Every Sprint Security training Threat modeling Secure coding Code reviews 19

16 OWASP Open Software Assurance Maturity Model (OpenSAMM) 20

17 Secure Agile Development with Scrum Daily Scrum Sprint Security Product Backlog Sprint Planning Sprint Backlog Security Sprint Review & Retro Potentially Shippable Increment Regular Security-Trainings 21

18 Secure Agile Development with Scrum Story A Story B Abuse Story Security Features Product Backlog Update threat model (on-going) Define abuse user stories Plan security features early Security acceptance criteria Extend Definition of Ready with security 23

19 Abuse (Evil) User Stories Business User Story Evil User Story 1 Evil User Story N As a customer I want to select products and add them to my shopping cart in order to buy these. As an evil user I want to manipulate requests to change prices when adding products to my shopping cart. 24

20 Secure Agile Development with Scrum Daily Scrum Discuss security risks (Re-)plan security tasks Sprint Update threat model (on-going) Secure coding Pair programming with security expert Security code reviews Security-Aware DoD Security (regression) testing Continuous secure delivery 25

21 Threat Modeling is Agile Create Production Code Make Tests Pass 6 1 Define Software- Architecture User Stories, UML Diagrams Test Driven Development (TDD) 2 Adapt Threat Model Discussion Basis Write Security Tests First 5 Create Security Testcases and Abuse User Stories 4 3 Identify and Mitigate Threats Elevation of privilege game 26

22 Playing games Scrum Planning Poker Threat Modeling Game 27

23 Commit Stage: Feedback Based Development (Static Security Testing) Continuous Integration Build & Tests & Static Code Analysis 3 Check-Out 4 & Dependency Check 2 Trigger Build 5 Report Build Result 7 Push to Stable 1 Pull-Request Developer 2 6 (Security) Code- Review Developer 1 31

24 Acceptance Stage Dynamic UI- and Security-Testing Security-Pipeline 3 Active Scanning 4 Reporting 1 Deploy 2 UI-Testing Proxy 33

25 Agile == Security! Sprint 1 Sprint 2 Sprint n Story A Story B Abuse Story Story C Story D Story E Security Features Abuse Story Story F Story G Story H Pen- Test 34

26 Don t make it that EASY to break software! 35