Challenges of Software Security in Agile Software Development



Similar documents
Agile Project Management By Mark C. Layton

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

Agile Beyond The Team 1

Agile Overview. 30,000 perspective. Juha Salenius CSPO CSM PMI-ACP PMP SCGMIS Workshop January 23 rd, 2013

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

How to manage agile development? Rose Pruyne Jack Reed

Agile Development Overview

Agile Project Management

USCIS/SPAS: Product Backlog Items and User Stories 4/16/2015. Dr. Patrick McConnell

26 May 2010 CQAA Lunch & Learn Paul I. Pazderski (CSM/CSP, OD-CM, CSQA) spcinc13@yahoo.com Cell: AGILE THROUGH SCRUM

Gothenburg 2015 Jan Marek com CA Technologies Introducing Agile development methodologies to Session S601 mainframe development teams

Introduction to Agile and Scrum

Agile-Waterfall Hybrid Jessica LaGoy, MS, PMP

Comparing Scrum And CMMI

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

Applying Lean on Agile Scrum Development Methodology

Processes in Software Development. Presented by Lars Yde, M.Sc., at Selected Topics in Software Development, DIKU spring semester 2008

Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Rapid Threat Modeling Techniques

Agile Project Management with Scrum

Certified Scrum Master Workshop

Waterfall to Agile. DFI Case Study By Nick Van, PMP

LEAN AGILE POCKET GUIDE

Threat Modeling. 1. Some Common Definition (RFC 2828)

Testing in Scrum Projects

Agile Projects 7. Agile Project Management 21

Governments information technology

Agile Information Management Development

Would you like to have a process that unlocks ability to learn and produce faster?

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

PMBOK? You Can Have Both! June 10, Presented by:

Roles: Scrum Master & Project Manager

Secure Code Development

2015 Defense Health Information Technology Symposium Implementation of Agile SCRUM Software Development Methodology

Bottlenecks in Agile Software Development Identified Using Theory of Constraints (TOC) Principles

PLM - Agile. Design Code Test. Sprints 1, 2, 3, 4.. Define requirements, perform system design, develop and test the system. Updated Project Plan

How To Understand The Limitations Of An Agile Software Development

Taking the first step to agile digital services

Scaling Scrum. Colin Bird & Rachel Davies Scrum Gathering London conchango

Comparative Study of Agile Methods and Their Comparison with Heavyweight Methods in Indian Organizations

WE ARE FOCUSED ON HELPING OUR CLIENTS WORK SMARTER AND MORE EFFICIENTLY SO THAT TOGETHER, WE CAN EMPOWER PEOPLE TO DELIVER GREAT RESULTS.

TSG Quick Reference Guide to Agile Development & Testing Enabling Successful Business Outcomes

SCM & Agile Business Intelligence. Anja Cielen

AGILE & SCRUM. Revised 9/29/2015

THE BUSINESS VALUE OF AGILE DEVELOPMENT

Secure By Design: Security in the Software Development Lifecycle

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Strategy. Agility. Delivery.

Software Processes. Agile Methods

From Agile by Design. Full book available for purchase here.

Atomate Development Process. Quick Guide

Mitigating Risk with Agile Development. Rich Mironov CMO, Enthiosys

Lean Agile Scrum Business Value Development and Delivery using Agility. Brenden McGlinchey Software Done Right, Inc.

The Basics of Scrum An introduction to the framework

Lean QA: The Agile Way. Chris Lawson, Quality Manager

Lean Software Development and Kanban

Agile. Framework & Standards

This handbook is meant to be a quick-starter guide to Agile Project Management. It is meant for the following people:

Agile and Secure: Can We Be Both?

Business Analysis In Agile A Differentiated Narrative

Adapting Agile Software Development to Regulated Industry. Paul Buckley Section 706 Section Event June 16, 2015

Models of Software Development

When is Agile the Best Project Management Method? Lana Tylka

Microsoft STRIDE (six) threat categories

CS435: Introduction to Software Engineering! " Software Engineering: A Practitioner s Approach, 7/e " by Roger S. Pressman

Agile Contracts. NK Shrivastava, PMP, RMP, ACP, CSM, SPC CEO/Consultant - RefineM. Agenda

Issues in Internet Design and Development

Answered: PMs Most Common Agile Questions

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Development. Lecture 3

Role of the Business Analyst in an Agile Project

Traditional SDLC Vs Scrum Methodology A Comparative Study

Agile on huge banking mainframe legacy systems. Is it possible?

Certified ScrumMaster Workshop

Managing the Agile Process of Human-Centred Design and Software Development. Peter Forbrig & Michael Herczeg. Universität Rostock & Universität Lübeck

Quality Assurance in an Agile Environment

The Team... 1 The Backlog... 2 The Release... 4 The Sprint... 5 Quick Summary Stakeholders. Business Owner. Product Owner.

Jukka Mannila KEY PERFORFORMANCE INDICATORS IN AGILE SOFTWARE DEVELOPMENT

Agile Extension to the BABOK Guide

Cisco Advanced Services for Network Security

Scrum. in five minutes

The Truth About Agile Software Development with Scrum, The Facts You Should Know

Enterprise Security Architecture

Threat Modeling: Lessons from Star Wars. Adam

Course Title: Managing the Agile Product Development Life Cycle

Scrum methodology report

Agile Fundamentals, ROI and Engineering Best Practices. Rich Mironov Principal, Mironov Consulting

Transitioning from Waterfall: The Benefits of Becoming Agile. ASPE Web Seminar Friday, February 27 th, 2015

Agile Scrum Workshop

Introduction to Agile

When User Experience Met Agile: A Case Study

Security and Privacy in Cloud Computing

Certified ScrumMaster (CSM) Content Outline and Learning Objectives January 2012

Transcription:

Challenges of Software Security in Agile Software Development Dr. Panayotis Kikiras INFS133 March 2015

Agenda Lean Principles and Agile Development Usable Security Secure software development in Agile environment Prioritizing Security Conclusions

Lean Thinking in Agile Development Eliminate Waste Amplify Learning does it add end user value? validated learning Decide as Late as Possible real options Deliver as Fast as Possible Empower the Team Build Integrity In See the Whole fast learning mastery, autonomy, purpose perceived and conceptual integrity simplify structure, optimize behaviour Nordic Reading: http://www.fokkusu.fi/agile-security

Definition of Secure Secure product is one that protects the confidentiality, integrity, and availability of the customers information, and the integrity and availability of processing resources under control of the system s owner or administrator. -- Source: Writing Secure Code (Michael Howard, David LeBlanc)

Security is mainly a software problem Depending on the source, an estimated 70% to 92% of security breaches result from vulnerabilities in software. Network Security Layer is adequately addressed (firewalls, IDS, IPS, Antivirus). A new star is rising though The end user

Incentives to Improve Source: Fundamentals of Secure Architecture online available at https://knowledge.elementk.com

Where is Scrum now? Early and continuous delivery of valuable software Welcome changing requirements, even late in development Build projects around motivated individuals and trust them to get the job done. Working software as the primary measure of progress Continuous attention to technical excellence and good design Simplicity maximizing the amount of work not done The best architectures, requirements, and designs emerge from self-organizing teams At regular intervals, the team reflects on, tunes, and adjusts its behavior

Where are you now? You trust that your teams are doing their best for security. Do they? No specific care being taken in designing for security unless the customer requires that Does this happens now? How a PO prioritizes security if it is not required by the customer?

Usable Security to Eliminate Waste Customers in general never ask for security directly The product is expected to be secure As a service to protect the business case Sometimes customers and security specialists are overexaggerating Teams should provide built-in solutions based on thorough Risk Analysis and Threat Assessment UX: simplify structure, enrich functionality

Security User Stories Securing Scrum Data Flow & Threat Analysis Sprint Sprint Planing Product Backlog Backlog Grooming Assets & Threat Assessment Sprint Retrospective Threats & Risks Internal Release Requirements Product Implementation Continuous Security Tests Sprint Review Release Response

Prioritizing Security: Risk Adjusted Backlog Project Risks security threats are like anti-value If a risk occurs, takes time and resources away from activities that deliver value. Therefore not only plan to deliver high value early but plan to execute risk avoidance and mitigation activities early too! Risk management great fit in Agile development Through iterations we can tackle high-risk areas sooner than later Deal with threats when still exists time and budget to work with them Reduces the amount of effort invested in work that may end up scraped.

A security risk can be prioritized like any other feature Prioritized Feature list with ROI Values Must 5000 Must 4000 Prioritized Risk list Ordered by Severity Risk 1i (Risk(9000 X50%=4500 ) Impact (in,points)xrisk Propability (in %)) Risk 2 (8000 X50%=4000 ) Should Should 3000 2000 Risk 3 (3000 X25%=1500 ) Risk 4 (2500 X25%=625 ) Could 1000 Risk 5 (500 X20%=100 )

Risk-adjusted Backlog Prioritized risk list Prioritized requirements list Risk Adjusted Backlog Risk 1 (9000 X50%=4500 ) Requirement 1 5000 Requirement 1 5000 Risk 2 (8000 X50%=4000 ) Requirement 2 4000 Risk 1 (9000 X50%=4500 ) Risk 3 (3000 X25%=1500 ) Requirement 3 3000 Requirement 2 4000 Risk 4 (2500 X25%=625 ) Requirement 4 2000 Risk 2 (8000 X50%=4000 ) Risk 5 (500 X20%=100 ) Requirement 5 1000 Requirement 3 3000

Analyze the Dataflow Realization of User Stories whose acceptance criteria requires detailed look on potential threats Dataflow and STRIDE Analysis support identification of threats S T M R M M E M STRIDE Spoofing of Identity Tampering Repudiation Information Disclosure Denial of Service Elevation of privilege

Conclusions Also part of the Security Scrum process Continuous Integration Testing Explicit regression for acceptance criteria Code Analysis (SAN 25) Fuzzy Testing Secure Coding Guidelines Adding Security to Scrum process is necessary and possible Backlog Prioritization based on identified Risks Modeling threats in user stories (business and technical) Integrated security testing Incorporating experiences from Scrum teams (incl. explicit vs. implicit stories)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information