Microsoft SDL: Agile Development

Similar documents
Secure Development Lifecycle. Eoin Keary & Jim Manico

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Secure Development LifeCycles (SDLC)

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Security Development Lifecycle for Agile Development

Beyond ISO Intel's Product Security Maturity Model (PSMM)

The Security Development Lifecycle

Agile Security Successful Application Security Testing for Agile Development

Starting your Software Security Assurance Program. May 21, 2015 ITARC, Stockholm, Sweden

! Resident of Kauai, Hawaii

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

IBM Rational AppScan: Application security and risk management

MIS Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

Developing secure software A practical approach

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

IT-Risk-Management. Secure Software Design Secure Development Lifecycle

Building Security into the Software Life Cycle

89 Fifth Avenue, 7th Floor New York, NY White Paper

Software Application Control and SDLC

Software Development: The Next Security Frontier

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Adobe Systems Incorporated

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Agile and Secure: Can We Be Both?

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Enterprise Application Security Program

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

PLM - Agile. Design Code Test. Sprints 1, 2, 3, 4.. Define requirements, perform system design, develop and test the system. Updated Project Plan

Revision History Revision Date Changes Initial version published to

elearning for Secure Application Development

WHITEPAPER Executive Summary Fortify Software

Stories From the Front Lines: Deploying an Enterprise Code Scanning Program

MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)

Development Processes (Lecture outline)

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

SAFECode Security Development Lifecycle (SDL)

Intel Security Software / Product Security Practices

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

112 BSIMM Activities at a Glance

HP Application Security Center

Agile Development for Application Security Managers

Software Quality Testing Course Material

WebGoat for testing your Application Security tools

A Practical Guide to implementing Agile QA process on Scrum Projects

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

Building a Corporate Application Security Assessment Program

JOB DESCRIPTION APPLICATION LEAD

Software Security Touchpoint: Architectural Risk Analysis

DEVELOPING SECURE SOFTWARE

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Development Testing for Agile Environments

Integrigy Corporate Overview

The SDL Progress Report. Progress reducing software vulnerabilities and developing threat mitigations at Microsoft

SECURITY AND RISK MANAGEMENT

How to Build a Trusted Application. John Dickson, CISSP

Securing the Application Layer

Secure Code Development

Web Application Remediation. OWASP San Antonio. March 28 th, 2007

Cyber Security & Data Privacy. January 22, 2014

Using TechExcel s DevSuite to Achieve FDA Software Validation Compliance For Medical Software Device Development

Best Overall Use of Technology. Jaspersoft

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

Amadeus Shaping the future of travel

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

OpenSAMM Software Assurance Maturity Model

Lean Software Configuration Management Using 'Process Increments' Software Engineering Competence Center

Fuzzing in Microsoft and FuzzGuru framework

Learning objectives for today s session

Cybersecurity through Secure Software Development

Software Testing Lifecycle

Improving RoI by Using an SDL

Security Automation in Agile SDLC Real World Cases

Enabling Continuous Delivery by Leveraging the Deployment Pipeline

Introduction to Agile and Scrum

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Building More Secure Commercial Software: The Trustworthy Computing Security Development Lifecycle

Requirements Management

Leveraging OWASP to Reduce Web App Data Breach Risk

Manager Domain Experts. Delivery Team. C h ic a g o

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Project Lifecycle Management (PLM)

Process Increments: An Agile Approach to Software Process Improvement

What is a life cycle model?

Improving Project Governance Using Agile and Metrics. Kevin Aguanno PMP, IPMA-B, MAPM, Cert.APM

Application Security Testing How to find software vulnerabilities before you ship or procure code

Software Development. Overview.

Cyber Security nei prodotti di automazione

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web Application Security

Integrating Security Testing into Quality Control

!"#$%&'(%)*$+ :%;$)*%<&%6 4.7&68'9"/6")& 0)1.%$2.3*%./'4"55*)6 ,&+-%$+./ !"#$%&##'()*+&## Figure 1: Five OSP Dimensions

Designing and Developing Microsoft SharePoint Server 2010 Applications Course Outline

ALM Solutions using Visual Studio TFS 2013 ALMI13; 5 Days, Instructor-led

Security Considerations for the Spiral Development Model

Whitepaper: How to Add Security Requirements into Different Development Processes. Copyright 2013 SD Elements. All rights reserved.

Transcription:

Microsoft SDL: Agile Development June 24, 2010 Nick Coblentz, CISSP Senior Security Consultant AT&T Consulting Nick.Coblentz@gmail.com http://nickcoblentz.blogspot.com http://www.twitter.com/sekhmetn Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Bio AT&T Consulting: Application Security Penetration testing Code review Architecture and design reviews Application security program development Secure development methodology improvement Research ISSA Journal: Web Application Security Portfolios SAMM Interview Template Reducing Info Disclosure in ASP.NET Web Services and WCF Data Services Turn Application Assessment Reports into Training Classes Observed Secure Software Development Stages Vulnerability Tracking, Workflow, and Metrics with Redmine Using Microsoft's AntiXSS Library 3.1

Agile hurts secure code development. Adrian Lane: http://securosis.com/blog/agile-development-and-security/

Microsoft SDL For Agile Released Source: http://blogs.msdn.com/sdl/archive/2009/11/10/announcing-sdl-for-agile-development-methodologies.aspx

Microsoft SDL

Microsoft Security Development Lifecycle (SDL) Components: Best Practices Processes Standards Security Activities Tools Goal: minimize security-related vulnerabilities in the design, code, and documentation and to detect and eliminate vulnerabilities as early as possible in the development life cycle.

Which Software? SDL applies to software that: Is used in Business environments Stores or transmits PII Communicates over the Internet or other networks Source: Microsoft s Product Website

SDL Principles and Process SD3+C Secure by Design Secure by Default Secure in Deployment Communications PD3+C Privacy by Design Privacy by Default Privacy in Deployment Communications

What is Agile Development? Source: http://www.scrumalliance.org/pages/what_is_scrum

SDLC (Waterfall Methodology) January February March April May June Training Requirements Design Implementation July August September October November December Implementation (cont.) Verification Release Response

This Is NOT Agile Development January Training Requirements Design Implementation Implementation (cont.) Verification Release Response Training Requirements Design Implementation Implementation (cont.) Verification Release Response

Sprint 2 Sprint 1 Agile Development January User Story 1 User Story 2 User Story 4 User Story 3 User Story 5 User Story 6 User Story 8 User Story 7 User Story 5 (Cont.) User Story 1 User Story 2 User Story 4 User Story 3 User Story 5 User Story 6 User Story 8 User Story 7 User Story 5 (Cont.)

Agile Development Source: http://www.scrumalliance.org/pages/what_is_scrum Cross-functional, selforganizing teams Short, time-boxed development iterations Delivery of small functional stories No extensive up front design or documentation

Planning and Design http://www.flickr.com/photos/acarlos1000

Planning and Design (cont.) http://www.flickr.com/photos/acarlos1000

User Stories and Documentation http://www.flickr.com/photos/fmcamargo

SDL SECURITY ACTIVITIES Source: Simplified Implementation of the Microsoft SDL

SDL Security Activities Training Requirements Security Requirements Quality Gates/Bug Bars Security and Privacy Risk Assessment Design Design Requirements Attack Surface Reduction Threat Modeling Implementation Use Approved Tools Deprecate Unsafe Functions Static Analysis Verification Dynamic Program Analysis Fuzz Testing Threat Model and Attack Surface Review Release Incident Response Plan Final Security Review Release/Archive Optional Activities Manual Code Review Penetration Testing Vulnerability Analysis of Similar Applications

Traditional SDL Pain Points for Agile Can t complete all SDL activities in each sprint Requirements, architecture, and design evolves over time Threat model/documentation becomes dated quickly Data sensitivity, protection, and connections to third parties may not be immediately known Teams don t include application security specialists

Microsoft SDL For Agile Development SDL Requirement Categories: Every-Sprint Bucket Verification Tasks Design Review Tasks Response Planning Tasks One-Time Source: Microsoft SDL v4.1a

Every-Sprint SDL Requirements so essential to security that no software should ever be released without these requirements being met. Examples: Update the threat model Communicate privacyimpacting design changes to the team s privacy advisor Fix all issues identified by code analysis tools for unmanaged code Follow input validation and output encoding guidelines to defend against cross-site scripting attacks

Bucket SDL Requirements Teams prioritize the pool of tasks over many sprints Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks Run fuzzing tools Manual and automated code review Design Review Tasks Conduct privacy review In-depth threat model Response Planning Tasks Define security/privacy bug bar Create support documents

One-Time Requirements Why? Repetition not necessary Must occur at the beginning of the project Not possible at the beginning of the project Examples: Configure bug tracking system (3 months) Identify security/privacy experts (1 month) Baseline threat model (3 months) Establish a security response plan (6 months)

SDL-Agile Appendix

SDL-Agile Appendix: Deadlines

Final Security Review Occurs at the end of every sprint Checklist: All every-sprint requirements have been completed No one-time requirements have exceeded deadline At least one requirement from each bucket category has been completed No bucket requirements exceed the six month deadline No security or privacy bugs are open that exceed the severity threshold

Backlog Sprint 1 In Progress QA Done User StoryUser StoryUser StoryUser StoryUser Story User StoryUser StoryUser StoryUser StoryUser Story Every Sprint Every Every Every Every Every Every Sprint Sprint Sprint Sprint Sprint Sprint One-Time Verification Sprint 2 In Progress QA Done One- TimeOne- TimeOne- TimeOne- TimeOne- Time Verif. Verif. Verif. Verif. Verif. Every Sprint Every Every Every Every Every Every Sprint Sprint Sprint Sprint Sprint Sprint Design Resp. Plan Sprint 3 In Progress QA Done Design Design Design Design Design Resp. PlanResp. PlanResp. PlanResp. PlanResp. Plan Every Sprint Every Every Every Every Every Every Sprint Sprint Sprint Sprint Sprint Sprint

Backlog Sprint 1 In Progress QA Done User StoryUser Story User User User Story Story Story One- Resp. Verif. Design Time Plan Every Sprint Final Security Review Every Every Every Every Every Every Sprint Sprint Sprint Sprint Sprint Sprint One-Time Verification Sprint 2 In Progress QA Done One- Time Verif. User One- One- One- StoryTimeTimeTime Resp. Verif.Design Plan Final Security Review Every Sprint Every Every Every Every Every Every Sprint Sprint Sprint Sprint Sprint Sprint Design Resp. Plan Sprint 3 In Progress QA Done Design Resp. PlanResp. Plan User User User User Story Story Story Story Resp. Verif. Verif. Design Design Plan Final Security Review Every Sprint Every Every Every Every Every Every Sprint Sprint Sprint Sprint Sprint Sprint

Making SDL-Agile Manageable Documented standards Security training Automation Continuous Integration Secure Configuration Security Unit Tests Automated Secure Code Analysis Automated Deployment and Vulnerability Scanning Process Continuous updates to the threat model SDL Process Templates for VSTS MSF-Agile + SDL Process Template Light on security artifacts/documentati on

Making SDL-Agile Manageable Tooling Code Analysis/Scanning CAT.NET MiniFuzz BinScope Binary Analyzer Fiddler w/ Watcher FxCop MS Threat Modeling Tool

CAT.NET: Cross-site Scripting Vulnerability

Making SDL-Agile Manageable Libraries Web Protection Library (WPL) Encoder/Anti-XSS Library Security Runtime Engine (SRE) Sanitizer.GetSafeHTML

Web Protection Library - Encoder/AntiXSS Microsoft.Security.Application.Encoder

The Security Runtime Engine (SRE) The Security Runtime Engine (SRE) is an HTTP module that acts like a gatekeeper to protect ASP.NET web applications from cross-site scripting (XSS) attacks. It works by inspecting each control that is being reflected by ASP.NET and then automatically encoding data of vulnerable controls in their appropriate context. SRE Configuration Editor GUI Tool

The Security Runtime Engine (SRE)

The Security Runtime Engine (SRE)

Making SDL-Agile Manageable Deployment Web Application Configuration Analyzer (WACA) Microsoft Baseline Security Analyzer Web.config Security Analyzer (WCSA)

Web Application Configuration Analyzer

Web Application Configuration Analyzer

Web Application Configuration Analyzer

Web.config Security Analyzer (WCSA)

Making SDL-Agile Manageable Education, secure coding standards, automation and tools play a significant role in making secure Agile development efficient and economical Don t forget: Periodic manual security activities are also a must All of this must fit within a repeatable, mature process 42/23

Summary and Questions More Information: http://www.microsoft.com/sdl Nick Coblentz, CISSP Senior Consultant, AT&T Consulting Nick.Coblentz@gmail.com http://nickcoblentz.blogspot.com http://www.twitter.com/sekhmetn Microsoft releases SDL- Agile Guidance in Nov. 2009 Treats SDL Activities like team-prioritized User Stories 3 Categories: One-time, Every-time, and Bucket Increased success with the implementation of training, automation, tools, and standards

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information