Agile yes, but secure? 29.07.2015, Andreas Falk, 34. Scrum Tisch

About the speaker: Andreas Falk
Many years of experience as developer, architect and tester in various projects, focused on enterprise applications based on Java and Java EE / Spring in the manufacturing, logistics, finance, telecommunications and automotive sectors. Senior Consultant, since 2011 at NovaTec Consulting GmbH. Expert in the NovaTec Competence Group "Agile Quality Engineering". Delivers trainings on Java, Spring, Git, advanced unit testing and agile (security) testing.

Who's next to be hacked?
Examples shown: U.S. Office of Personnel Management; https://haveibeenpwned.com

Web Application Security: OWASP Top 10 (2013)
https://www.owasp.org/index.php/category:owasp_top_ten_project

Security == Agile?
Sprint 1, Sprint 2, ..., Sprint n contain only business stories (Story A to Story H); the security features and the penetration test come after the last sprint.

Potentially Releasable Increment?
Scrum Guide: "The Development Team consists of professionals who do the work of delivering a potentially releasable increment of Done product at the end of each Sprint." (http://www.scrumguides.org)
Is the release potentially insecure?

Attacker schedule vs. SDLC security test schedule
Attacker schedule: 24h x 7d. Across the software development lifecycle, penetration tests happen only at isolated points in time.

Microsoft Security Development Lifecycle (SDL): https://www.microsoft.com/en-us/sdl/

Automotive Security Development Lifecycle (V-model)

Next stop: Secure Agile Development Process

Manifesto for Secure Agile Software Development

The Rugged Manifesto: https://www.ruggedsoftware.org

Microsoft Security Development Lifecycle for Agile Development
SDLC tasks mapped onto the agile process, grouped into one-time, regular-basis and every-sprint activities: baseline threat model, establish security response plan, privacy review, manual and automatic security code review, security training, threat modeling, secure coding, code reviews.

OWASP Open Software Assurance Maturity Model (OpenSAMM): http://www.opensamm.org/

Secure Agile Development with Scrum
Product Backlog + Security -> Sprint Planning -> Sprint Backlog + Security -> Sprint (with Daily Scrum) -> Sprint Review & Retro -> Potentially Shippable Increment; regular security trainings throughout.

Secure Agile Development with Scrum: Product Backlog
The backlog holds Story A, Story B, Abuse Story and Security Features. Update the threat model (ongoing), define abuse user stories, plan security features early, add security acceptance criteria, extend the Definition of Ready with security.

Abuse (Evil) User Stories
Each business user story is paired with Evil User Story 1 ... Evil User Story N.
Business user story: As a customer I want to select products and add them to my shopping cart in order to buy these.
Evil user story: As an evil user I want to manipulate requests to change prices when adding products to my shopping cart.

Secure Agile Development with Scrum: Daily Scrum and Sprint
Daily Scrum: discuss security risks, (re-)plan security tasks.
Sprint: update threat model (ongoing), secure coding, pair programming with a security expert, security code reviews, security-aware Definition of Done, security (regression) testing, continuous secure delivery.

Threat Modeling is Agile
1. Define software architecture (user stories, UML diagrams)
2. Adapt threat model (basis for discussion)
3. Identify and mitigate threats (Elevation of Privilege game)
4. Create security test cases and abuse user stories
5. Write security tests first (test-driven development, TDD)
6. Create production code, make tests pass
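As an added example (not code from the talk or its author), the evil user story from the deck, "manipulate requests to change prices when adding products to my shopping cart", is written here as a security test first, in the TDD order the threat-modeling cycle describes, with a cart handler that trusts the client next to a hardened one that makes the test pass. The catalog contents, SKUs, request shape and handler names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample catalog: the server-side source of truth for prices.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}


class InvalidRequest(ValueError):
    """Raised when an add-to-cart request fails server-side validation."""


@dataclass
class Cart:
    # sku -> (unit price used for the line, quantity)
    lines: dict = field(default_factory=dict)

    def total(self) -> Decimal:
        return sum((price * qty for price, qty in self.lines.values()), Decimal("0"))


def add_to_cart_trusting(cart: Cart, request: dict) -> Cart:
    """Anti-pattern: stores whatever unit price the client request carries."""
    sku, qty = request["sku"], int(request["qty"])
    cart.lines[sku] = (Decimal(str(request["price"])), qty)
    return cart


def add_to_cart_hardened(cart: Cart, request: dict) -> Cart:
    """Mitigation: the price comes only from the server-side catalog; any price
    field sent by the client is ignored. SKU and quantity are validated before
    anything is stored, so a tampered request is rejected rather than priced."""
    sku = request.get("sku")
    if sku not in CATALOG:
        raise InvalidRequest(f"unknown sku {sku!r}")
    try:
        qty = int(request.get("qty", 0))
    except (TypeError, ValueError):
        raise InvalidRequest("quantity must be an integer")
    if not 1 <= qty <= 99:
        raise InvalidRequest("quantity out of range")
    cart.lines[sku] = (CATALOG[sku], qty)
    return cart


def price_tampering_test(handler) -> bool:
    """Security test derived from the abuse story, written before the handler.
    Returns True when the handler resists the attack: the tampered price never
    influences the cart total (or the request is rejected outright)."""
    tampered = {"sku": "sku-100", "qty": 2, "price": "0.01"}  # constructed input
    try:
        cart = handler(Cart(), tampered)
    except InvalidRequest:
        return True
    return cart.total() == CATALOG["sku-100"] * 2


if __name__ == "__main__":
    for name, handler in [("trusting", add_to_cart_trusting),
                          ("hardened", add_to_cart_hardened)]:
        verdict = "resists price tampering" if price_tampering_test(handler) else "VULNERABLE"
        print(f"{name}: {verdict}")
```

The test is the regression guard the deck asks for: it stays in the suite, so a later refactoring that reintroduces trust in client-supplied prices fails the build in the commit stage rather than being found by a penetration test months later.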
Playing games: Scrum Planning Poker and the Threat Modeling Game

Commit Stage: Feedback Based Development (Static Security Testing)
1. Pull request (Developer 1)
2. Trigger build (continuous integration)
3. Check-out
4. Build & tests & static code analysis & dependency check
5. Report build result
6. (Security) code review (Developer 2)
7. Push to stable

Acceptance Stage: Dynamic UI and Security Testing (security pipeline)
1. Deploy
2. UI testing through a proxy
3. Active scanning
4. Reporting

Agile == Security!
Sprint 1, Sprint 2, ..., Sprint n each mix business stories (Story A to Story H) with abuse stories and security features; a pen-test still follows the last sprint.

Don't make it that EASY to break software!