Agile and Security. Oil and Water? Ron

Similar documents
Secure Development LifeCycles (SDLC)

Beyond ISO Intel's Product Security Maturity Model (PSMM)

SECURITY AND RISK MANAGEMENT

Centralized Secure Vault with Serena Dimensions CM

Activity 3: Observe Psychological First Aid

Secure Development Lifecycle. Eoin Keary & Jim Manico

How To Protect Your Data From Attack

Agile and Secure: Can We Be Both?

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

The Emergence of Security Business Intelligence: Risk

Learning and Coaching Agile Methods. Görel Hedin Computer Science Lund University, Sweden

Agile Development for Application Security Managers

OnX Oracle Cloud Services

Enabling HR service delivery

Session-1: Business Enterprise Applications- Overview

It s Not Called Continuous Integration for Nothing!

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Microsoft SDL: Agile Development

! Resident of Kauai, Hawaii

Introduction to OpenUP (Open Unified Process)

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

AGIL JA, ABER SICHER? , ANDREAS FALK, 34. SCRUM TISCH

5/30/2012 PERFORMANCE MANAGEMENT GOING AGILE. Nicolle Strauss Director, People Services

Participating in a Business Process in Oracle BPM 11g: Narration Script

Product Stack and Corporate Overview

Business Solutions Manager Self and contribution to Team. Information Services

D25-2. Agile and Scrum Introduction

Web Application Remediation. OWASP San Antonio. March 28 th, 2007

Top 10 Considerations for Enterprise Agile Tools.

Kinjal Mody 24 th November Service Design in Practice

Cisco Cloud Assessments. Justin Tang

Transitioning Your Software Process To Agile Jeffery Payne Chief Executive Officer Coveros, Inc.

Agile Scrum Workshop

Agile Security Successful Application Security Testing for Agile Development

Cloud Development Manager Like Tweet 0

STEP 5: Giving Feedback

Session 3: Security in a Software Project

Delivery. Continuous. Jez Humble and David Farley. AAddison-Wesley. Upper Saddle River, NJ Boston Indianapolis San Francisco

The Rap on RUP : An Introduction to the Rational Unified Process

Whitepaper. Security Best Practices for Evaluating Google Apps Marketplace Applications. Introduction. At a Glance

The Cloud-Centric Organization. How organizations realize business benefits with a mature approach to Cloud

Cisco Business Video Solutions Visual Communications Increase Collaboration Effectiveness and Reduce Cost

Agile Requirements And Testing For Continuous Software Delivery

Lesson 4 What Is a Plant s Life Cycle? The Seasons of a Tree

OWASP Spain Barcelona 2014

Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

"Testing in the DevOps World of Continuous Delivery"

Cloud Security Fails & How the SDLC could (not?) have prevented them

Application Portfolio Risk Ranking Banishing FUD With Structure and Numbers

EXIN Agile Scrum Foundation. Sample Exam

Digital Marketplace Services Service Definition

Enterprise Application Security Program

The Agile Audit. 2. Requirements & Technical Architecture

Terrace Consulting Services

cloud Development Strategies - Part 1

Adopting Agile Approaches for the Enterprise

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Software Application Control and SDLC

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Why a single source for assets should be. the backbone of all your digital activities

IT Outsourcing: Software Development Vendor Evaluation

Do You Have a Scanner or a Scanning Program?

Cloud Computing and Data Center Consolidation

Enterprise Data Governance

HP Fortify application security

Teradata Marketing Operations. Reduce Costs and Increase Marketing Efficiency

Requirements Elaboration

What We Recommend Recommendations for the website based on interview findings

Cloud Data Management Interface (CDMI) The Cloud Storage Standard. Mark Carlson, SNIA TC and Oracle Chair, SNIA Cloud Storage TWG

Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides

How to Develop Cloud Applications Based on Web App Security Lessons

ALM/Quality Center. Software

Increasing Business Productivity and Value in Financial Services with Secure Big Data Architecture

The Structure of a Software Development Team

Development Processes (Lecture outline)

Java/Scala Engineer Internet of Iot Competitors

The Continuous Delivery Tool Chain: So Many Choices!

Simon Brown Software architecture for developers. Follow me on

Addressing Cyber Security in Oracle Utilities Applications

How To Be Successful At An Agile Software Engineering

Basic Unified Process: A Process for Small and Agile Projects

Italy. EY s Global Information Security Survey 2013

Serena Dimensions CM. Develop your enterprise applications collaboratively securely and efficiently SOLUTION BRIEF

Change Management: Adopt and Implement Grant Management Software

When is Agile the Best Project Management Method? Lana Tylka

Guide to Mobile Testing

Implementing Practical Information Security Programs

5 Partner Benefits and Requirements Benefits Requirements... 8

Adobe Systems Incorporated

CODEVUE AMAZING DIGITAL INTERVIEWS. Technical Recruiting Made Easy

Training for IT project managers and team leads

How To Understand The Benefits Of Cloud Computing

Enabling Continuous Delivery by Leveraging the Deployment Pipeline

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

Agile Documentation In practice. Marion Bröer, parson AG

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

112 BSIMM Activities at a Glance

Security-Ausbildung in einem Großunternehmen der Softwareindustrie - Erfahrungen und Herausforderungen

Transcription:

Agile and Security. Oil and Water? Ron Parker @scmunk

This is the condensed version of the presentation. We skip straight to the point and leave out the entertaining story of how salad dressing holds the key to agile security. Please read the notes as you go along. If you would like to hear the whole story please visit YouTube and watch the video. https://www.youtube.com/watch?v=truaylag888 Thanks again to @IronGeek and @BsidesNash for the video production. 2

Some things just don t mix well. Like Oil and Water. 3

4

agile and security 5

Agile Overview Agile Operating Model Coordination Team Other Experts Agile Teams Security Expert Polices Training Tools Support/Infrastructure Attributes Accountable Self organizing Move at their own pace Use their own methods Wait on as little as possible Continuously improving Quality as a goal Delivery as a goal Customer focused 6

Security CIA+AA Privacy Compliance Brand High Level Policy Standard Guideline Task Areas Identity management Access management Vulnerability management Secure coding Security testing Configuration management Disaster recovery Third party integration Mobile Cloud API security 7

Security CIA+AA Privacy Compliance Brand High Level Task Areas Identity management Access management Vulnerability management Secure coding Security testing Believing and Knowing Configuration management Policy Standard Guideline Assurance Disaster recovery Third party integration Mobile Cloud API security 8

Security needs to mix with the agile approach of the business. 9

Mixing security and agile Security Agile 10

Apply effort

More effort

Stop and turn your back

14

Security Agile 15

16

Stuff that really happens Too many meetings with security driving them Development teams wait in frustration Insecure code gets released into the wild No positive or negative security testing Data security issues Data privacy issues Simple things are missed like the OWASP Top 10 The same questions are repeatedly asked regarding security Compliance issues customers don t like how you treat their data The same questions are repeatedly asked regarding security We the same bad things over and over Security and agile not a natural mix. 17

The problem This knowledge Knowledge Issues Different knowledge Not at hand (easy) That knowledge Slow Speed Resource Speed Process speed Timeliness Governance Fast Speed Me Mixed People Different goals Different organizations Numbers of people You 18

Why do we want the mix? We have goals beyond just doing development and just doing basic security. We need secure development. 19

20

What would these goals be? ENABLE with knowledge and process SCALE security with enabled people ASSURE with enablement and scale 21

emulsifier 22

Start again with an emulsifier Emulsifier Security Agile 23

Mix

Science happens

What can bring Security and Agile together? 27

Security Development Lifecycle Security Emulsifier 28

Wait, we have heard this before re hash Verb put (old ideas or material) into a new form without significant change or improvement. "he contented himself with occasional articles in journals, rehashing his own work (not that any infosec analyst would do that) 29

Solution Security Development Lifecycle Enable Work themselves Find it themselves Know it themselves At their pace Scale Knowledge driven Process driven Not Security People driven Assure Remember what is important Check during and after Framework for familiarity 30

Normal Implementation A B C D Agile Teams Work WAIT Tribal Security Knowledge Security

Agile Implementation A B C D Agile Teams Work SDL Checklist q Security Item q Security Item q Security Item q Security Item q Security Info and Tool Repository Security

The SDL is our Security Emulsifier. So how do we get one? 33

Timeout for Checklists Not checklist management Used in complex or high pressure situations Doctors, astronauts, pilots - ScrumMasters Acts as a reminder but also gives you sequence and may also give you alternate paths 34

OpenSAMM Open Software Assurance Maturity Model Four major functions Each function has three practices Each practice has multiple activities Assess the organization s maturity Build a security program Define and measure security activities Built in metrics and measures

SAMM Functions

SAMM Practice

Each Practice has Maturity Levels

Activity SR 1 A

Methodologies may vary 40

Phases Inception At the beginning before creation begins usually once per project Iteration One or more times Release Something is produced, may be production or even preproduction External Outside iterations or releases maybe in parallel 41

Activities Inception Training Vuln management Security contacts Risk assessment Iteration NFR for security Attacker profile Security stories Static code analysis Security architecture Release Document deployment Document DR Penetration testing External Vendor assessment 3 rd -party service creation 42

Atypical SDL Activities Many lifecycles are just concerned with the core security testing/coding. Real security is much larger than that. Role engineering Access Control requests Access Control models Integration of application level security Privacy requirements Customer requirements Disaster Recovery design and documentation Security Poker Security Stories Security Retrospective Security Spikes 43

44

Security Owner Is a single person with a role The contact for security concerns The SDL subject matter expert for the team Keeper of the List Is accountable for security activities and artifacts 45

Wiki You Got What I Need You Need Flexible but smart pages Knowledgebase Easy access and update Searchable Expandable repository Wiki s Got Crowdsourcing driven As many pages as you need Document as you go Easy formatting History/version for each page Categories and tags Easy relationship linking 46

The Real Implementation List Involve stakeholders (developers, Educate your Security Owners (initial product owners, compliance) ones) Read OpenSAMM materials Educate your general population Determine your current assurance Run a pilot project where a security maturity level member is embedded on the team Determine your target level Use feedback from pilot to streamline Determine actions needed to reach your actions target Metric, track number of projects using the Work with your audit/controls department SDL on what they may need Assess through feedback whether the Assign an owner for each action actions are necessary and correct Build your basic Wiki with your primary Add new actions that move you towards actions your assurance target Build a list of current tools Rinse and repeat Build a list of current standards and guidelines Begin a list of missing tools, standards and guidelines Use the Wiki to house knowledgebase items 47

Goals for Agile and Security ENABLE with knowledge and process SCALE security with enabled people ASSURE with enablement and scale Security Development Lifecycle 48

OpenSDL The OpenSDL is an Open Security Development Lifecycle that can be used an example or as a starting point to build out a modern SDL. It is based on OWASP work and sits on top of a community driven platform. Please take a look. The home site has a more detailed explanation. http://www.opensdl.com 49

Agile and Security. Oil and Water? Thanks! Ron Parker @scmunk http://www.secretchipmunk.com 50

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information