Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/



Similar documents
Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Agile and Secure: Can We Be Both?

Web Application Remediation. OWASP San Antonio. March 28 th, 2007

Vulnerability Management in an Application Security World. January 29 th, 2009

Vulnerability Management in an Application Security World. AppSec DC November 12 th, The OWASP Foundation

Topics covered. Agile methods Plan-driven and agile development Extreme programming Agile project management Scaling agile methods

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Agile Practitioner: PMI-ACP and ScrumMaster Aligned

How to manage agile development? Rose Pruyne Jack Reed

Vulnerability Management in an Application Security World. March 16 th, 2009

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Contents. 3 Agile Modelling Introduction Modelling Misconceptions 31

Using Sprajax to Test AJAX. OWASP AppSec Seattle Oct The OWASP Foundation

The Agile approach Extreme Programming (XP) Implementing XP into a software project Introducing HCI design into agile software development Summary

Challenges of Software Security in Agile Software Development

Agile with XP and Scrum

Extreme Programming, an agile software development process

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Agile Development Overview

Vragen. Software development model. Software development model. Software development model

Secure By Design: Security in the Software Development Lifecycle

Introduction to Agile Software Development Process. Software Development Life Cycles

CHAPTER 3 : AGILE METHODOLOGIES. 3.3 Various Agile Software development methodologies. 3.4 Advantage and Disadvantage of Agile Methodology

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

PLM - Agile. Design Code Test. Sprints 1, 2, 3, 4.. Define requirements, perform system design, develop and test the system. Updated Project Plan

CSE 435 Software Engineering. Sept 16, 2015

Agile Development for Application Security Managers

Mobile Application Threat Analysis

From Agile by Design. Full book available for purchase here.

AGIL JA, ABER SICHER? , ANDREAS FALK, 34. SCRUM TISCH

Agile Scrum Workshop

Secure Product Development

Software Development Life Cycle Models - Process Models. Week 2, Session 1

ISSECO Syllabus Public Version v1.0

RISK MANAGMENT ON AN AGILE PROJECT

SOFTWARE PROCESS MODELS

Agile Project Management and Agile Practices Training; with a Scrum Project that you will do.

Extreme Programming, an agile software development process

XP & Scrum. extreme Programming. XP Roles, cont!d. XP Roles. Functional Tests. project stays on course. about the stories

Agile Project Management By Mark C. Layton

Agile Software Development Methodologies and Its Quality Assurance

Secure Code Development

Software Engineering and Scientific Computing

In the IEEE Standard Glossary of Software Engineering Terminology the Software Life Cycle is:

Software Development Life Cycle (SDLC)

Agile Software Development

AGILE & SCRUM. Revised 9/29/2015

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

How To Plan A Project

How Product Management Must Change To Enable the Agile Enterprise

Agile Testing and Extreme Programming

10/4/2013. Sharif University of Technology. Session # 3. Contents. Systems Analysis and Design

Water-Scrum-Fall Agile Reality for Large Organisations. By Manav Mehan Principal Agile consultant

Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Agile and PRINCE2 And how they integrate. enterprise.bcs.org

Integrating Software Development Security Activities with Agile Methodologies

Software Development Methodologies

When is Agile the Best Project Management Method? Lana Tylka

Introduction to Agile

Bottlenecks in Agile Software Development Identified Using Theory of Constraints (TOC) Principles

WHITE PAPER. Distributed agile and offshoring antagonism or symbiosis?

Testing in an Agile Environment

Mariusz Chrapko. Before: Software Quality Engineer/ Agile Coach, Motorola, Poland. My Public Profile:

How can I be agile and still satisfy the auditors?

Building Security into the Software Life Cycle

CS435: Introduction to Software Engineering! " Software Engineering: A Practitioner s Approach, 7/e " by Roger S. Pressman

Agile So)ware Development

Agile Scrum Training. Nice to meet you. Erik Philippus. Erik Philippus (1951)

Agile So6ware Development

EXTREME PROGRAMMING AGILE METHOD USED IN PROJECT MANAGEMENT

Agile Testing. What Students Learn

Agile processes. Extreme Programming, an agile software development process. Extreme Programming. Risk: The Basic Problem

Applying Agile Project Management to a Customized Moodle Implementation

Agile and lean methods for managing application development process

Agile Software Project Management Methodologies

Getting Started with Agile Project Management Methods for Elearning

CMMI - The AGILE Way By Hitesh Sanghavi

Introduction to Agile and Scrum

Agile project management: A magic bullet?

Ingegneria del Software Corso di Laurea in Informatica per il Management. Agile software development

Using Simulation to teach project management skills. Dr. Alain April, ÉTS Montréal

AGILE SOFTWARE DEVELOPMENT. BY Sysop Technology Aurangabad

Agile Requirements Generation Model: A Soft-structured Approach to Agile Requirements Engineering. Shvetha Soundararajan

IBM Innovate AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

Getting Business Value from Agile

Software Development Process

Agile Methodologies and Its Processes

Whitepaper: How to Add Security Requirements into Different Development Processes. Copyright 2013 SD Elements. All rights reserved.

Lean and Agile in Safety-critical Software Development Research and Practice. Henrik Jonsson

A Capability Maturity Model (CMM)

SECC Agile Foundation Certificate Examination Handbook

CSSE 372 Software Project Management: More Agile Project Management

Development Processes (Lecture outline)

Course Title: Planning and Managing Agile Projects

Strategy. Agility. Delivery.

TSG Quick Reference Guide to Agile Development & Testing Enabling Successful Business Outcomes

The traditional project management uses conventional methods in software project management process.

Transitioning Your Software Process To Agile Jeffery Payne Chief Executive Officer Coveros, Inc.

Agile in Financial Services A Framework in Focus

Transcription:

Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.owasp.org/

The Agile Practitioner s Dilemma Agile Forces: More responsive to business concerns Increasing the frequency of stable releases Secure Forces: More aggressive regulatory environment Increasing focus on need for security Decreasing the time it takes to deploy new features Traditional approaches are top-down, document centric OWASP AppSec Seattle 2006 2

Objectives Background Goals of Agile Methods Goals of Secure Development Lifecycle (SDL) Review the Momentum of Agile Methods Look at An Integrated Process Challenges & Compromises OWASP AppSec Seattle 2006 3

Background Dan Cornell Principal Pi i lof fdenim Group, Ltd. MCSD, Java 2 Certified Programmer Challenges facing our own agile teams Deliver projects in an economically-responsible manner Uphold security goals OWASP AppSec Seattle 2006 4

Notable Agile Methods extreme Programming (XP) Feature Driven Development (FDD) SCRUM MSF for Agile Software Development Agile Unified Process (AUP) Crystal Clear Dynamic Systems Development Method (DSDM) OWASP AppSec Seattle 2006 5

Manifesto for Agile Software Development Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration ation over contract negotiation Responding to change over following a plan Source: http://www.agilemanifesto.org/ OWASP AppSec Seattle 2006 6

Agile s Core Values Communication Simplicity Feedback Courage OWASP AppSec Seattle 2006 7

Principles of Agile Development Rapid Feedback Simple Design Incremental Change Embracing Change The system is appropriate for the intended audience. The code passes all the tests. The code communicates everything it needs to. The code has the smallest number of classes and methods. Quality Work OWASP AppSec Seattle 2006 8

Agile Practices The Planning Game The Driving Metaphor Customer:scope, priorities and release dates Developer: estimates, consequences and detailed scheduling Shared Vision On-Site Customer Small Releases Development iterations or cycles that last 1-4 weeks. Release iterations as soon as possible (weekly, monthly, quarterly). OWASP AppSec Seattle 2006 9

More Agile Practices Collective Ownership Test Driven Continuous Integration Coding Standards ds Pair Programming OWASP AppSec Seattle 2006 10

Definition of Secure A secure product is one that protects the confidentiality, integrity, and availability of the customers information, and the integrity and availability of processing resources under control of the system s owner or administrator. -- Source: Writing Secure Code (Microsoft.com) OWASP AppSec Seattle 2006 11

A Secure Development Process Strives To Be A Repeatable Process Requires Team Member Education Tracks Metrics and Maintains Accountability Sources: Writing Secure Code 2 nd Ed., Howard & LeBlanc The Trustworthy Computing Security Development Lifecycle by Lipner & Howard OWASP AppSec Seattle 2006 12

Secure Development Principles SD 3 : Secure by Design, Secure by Default, and in Deployment Learn From Mistakes Minimize i i Your Attack Surface Assume External Systems Are Insecure Plan On Failure Never Depend on Security Through Obscurity Alone Fix Security Issues Correctly OWASP AppSec Seattle 2006 13

Secure Development Practices Education, Education, Education Threat Modeling Secure Coding Techniques Security Testing Security Code Reviews OWASP AppSec Seattle 2006 14

Microsoft s Secure Development Lifecycle (SDL) Requirements Design Implementation Verification Release (Waterfall!) OWASP AppSec Seattle 2006 15

Observations of the SDL in Practice Threat Modeling is the Highest-Priority Component Penetration Testing Alone is Not the Answer Tools Should be Complementary OWASP AppSec Seattle 2006 16

Threat Modeling STRIDE classify threats Spoofing Identity Tampering with Data Repudiation Information Disclosure Denial of Service Elevation of Privilege DREAD rank vulnerabilities Damage Potential Reproducibility Exploitability Affected Users Discoverability OWASP AppSec Seattle 2006 17

Dr. Dobb s says Agile Methods Are Catching On 41% of organizations have adopted an agile methodology Of the 2,611 respondents doing agile 37% using extreme Programming 19% using Feature Driven Development (FDD) 16% using SCRUM 7% using MSF for Agile Software Development Source: http://www.ddj.com/dept/architect/191800169 p OWASP AppSec Seattle 2006 18

Agile Teams are Quality Infected 60% reported increased productivity 66% reported improved quality 58% improved stakeholder satisfaction OWASP AppSec Seattle 2006 19

Adoption Rate for Agile Practices Of the respondents using an agile method 36% have active customer participation 61% have adopted common coding guidelines 53% perform code regression testing 37% utilize pair programming OWASP AppSec Seattle 2006 20

Let s Look at Some Specific Agile Methods extreme Programming (XP) Feature Driven Development (FDD) SCRUM MSF for Agile Software Development OWASP AppSec Seattle 2006 21

extreme Programming (XP) OWASP AppSec Seattle 2006 22

Feature Driven Development (FDD) Develop an Overall Model Startup Phase Build Features List Planning Design by Feature Build by Feature Construction Phase Source: http://featuredrivendevelopment.com/ OWASP AppSec Seattle 2006 23

SCRUM Commonly Used to Enhance Existing Systems Feature Backlog 30 Day Sprints Daily Team Meeting Source: http://www.controlchaos.com/ OWASP AppSec Seattle 2006 24

MSF for Agile Software Development Adapted from the Spiral / Waterfall Hybrid Product definition, development and testing occurs in overlapping iterations Different iterations have a different focus OWASP AppSec Seattle 2006 25

An Integrated Process Making Agile Trustworthy OWASP AppSec Seattle 2006 26

Project Roles Product Manager / Customer Program Manager / Coach Architect Developer Tester Security Adviser OWASP AppSec Seattle 2006 27

Project Setup Education & Training (include Security) Developers Testers Customers User Stories / Use Case Development Architecture Decisions (spikes) Agree on Threat Modeling standards for the project STRIDE priorities DREAD ratings OWASP AppSec Seattle 2006 28

Release Planning User Stories / Use Cases Drive Acceptance Test Scenarios Estimations may affect priorities and thus the composition of the release Inputs for Threat Modeling Security Testing Scenarios Determine the qualitative risk budget Keep the customer involved in making risk tradeoffs Finalize Architecture & Development Guidelines Common Coding Standards (include security) Crucial for collective code ownership Conduct Initial Threat Modeling (assets & threats) Designer s s Security Checklist OWASP AppSec Seattle 2006 29

Iteration Planning 1-4 Weeks in Length (2 weeks is very common) Begins with an Iteration Planning Meeting User Stories are broken down into Development Tasks Developers estimate their own tasks Document the Attack Surface (Story Level) Model the threats alongside the user story documentation Crucial in documentation-light processes Capture these and keep them Code will tell you what decision was made, threat models will tell you why decisions were made Crucial for refactoring in the face of changing security priorities Never Slip the Date Add or Remove Stories As Necessary OWASP AppSec Seattle 2006 30

Executing an Iteration Daily Stand-ups Continuous Integration Code Scanning Tools Security Testing Tools Adherence to Common Coding Standards d and dsecurity Guidelines Crucial for communal code ownership Developer s Checklist OWASP AppSec Seattle 2006 31

Closing an Iteration Automation of Customer Acceptance Tests Include l d negative testing ti for identified d threats t Security Code Review Some may have happened informally during pair programming OWASP AppSec Seattle 2006 32

Stabilizing a Release Schedule Defects & Vulnerabilities Prioritize i iti vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards Security Push Include traditional penetration testing OWASP AppSec Seattle 2006 33

Compromises We ve Made Feature-focus in iterations removes some top down control More documentation than is required in pure Agile development Security coding standards Project-specific STRIDE and DREAD standards User story threat models OWASP AppSec Seattle 2006 34

Values of an Agile and Secure Process Communication Simplicity Feedback Courage Trustworthy OWASP AppSec Seattle 2006 35

Questions Dan Cornell dan@denimgroup.com Website: www.denimgroup.com Blog: www.agileandsecure.com OWASP AppSec Seattle 2006 36

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information