implementing security into agile sdlc
play

Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP - PowerPoint PPT Presentation

Mar 06, 2024 •133 likes •523 views

Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode O pen4education # whoami Anderson Dadario Consultant at Flare Security 5+ years working with development & infosec Globalcode

  1. Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode – O pen4education

  2. # whoami • Anderson Dadario • Consultant at Flare Security • 5+ years working with development & infosec Globalcode – O pen4education

  3. What you will learn • Motivations for Secure SDLC • A little about Waterfall SDLC Security • Agile SDLC Security • Security Resources Allocation • Risk Management • How to scale security resources • Software Assurance Maturity Model Globalcode – O pen4education

  4. What’s your security program? • Nothing but a scan after release? • Automated? • Looking for a badge or seal? • Manual? • Ad hoc ? Globalcode – O pen4education

  5. Motivations for Secure SDLC (1-2) http://www.microsoft.com/security/sdl/about/benefits.aspx Globalcode – O pen4education

  6. Motivations for Secure SDLC (2-2) https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf Globalcode – O pen4education

  7. Waterfall Methodology Globalcode – O pen4education

  8. Waterfall Characteristics • Well-defined sequential phases; • Significant part of the project must be planned upfront; • Stresses the importance of requirements; • Changes are controlled. Major changes are only allowed if the CCB (Change Control Board) approves them. Globalcode – O pen4education

  9. Waterfall in the Real World Development Manager Business Analyst Project Manager Developer Product Manager Offshoring Globalcode – O pen4education

  10. It’s time to ... INJECT SECURITY Globalcode – O pen4education

  11. Waterfall Security Awareness Globalcode – O pen4education

  12. Waterfall in the Real World Development Manager Business Analyst Project Manager Developer Product Manager Offshoring Globalcode – O pen4education

  13. Waterfall Security Characteristics • Bundled within each phase; • Few or no meetings at all with the Security team; • Bureaucratic as Waterfall demands to be. Globalcode – O pen4education

  14. Let’s Talk Agile Globalcode – O pen4education

  15. Scrum Roles Globalcode – O pen4education

  16. Scrum Artifacts Burndown Chart Globalcode – O pen4education

  17. Scrum Ceremonies Globalcode – O pen4education

  18. It’s time to …. INJECT SECURITY Globalcode – O pen4education

  19. But first keep these points in mind • Understand the methodologies currently in use at your company; • Maximize the efficiency of security injection; • Avoid Single Point of Failure (absence of a security expert); • There will be multiple products for limited security experts; • Your company may hire more developers than security experts; • The software must be rugged ( Rugged Software Manifesto ). Globalcode – O pen4education

  20. The Rugged Manifesto Globalcode – O pen4education

  21. Strategy #1 Participate in everything Globalcode – O pen4education

  22. Strategy #1 Analysis Pros: Cons: • Security Expert is complete • Security Expert’s time got too aware of the project and can much consumed; rapidly inject security: • Single Point of Failure; • in the sprint backlog stories; • Planning participation is most of • doing security awareness the part a waste of time; during the ceremonies. • Too much daily become troublesome. Globalcode – O pen4education

  23. Strategy #2 Post-Planning, ‘Dailyless’ Post-Planning Globalcode – O pen4education

  24. Strategy #2 Analysis Pros: Cons: • Security Expert’s time is used • You are messing up with Scrum wisely. methodology because stories cannot change after planning; • Single Point of Failure persists; • Less security awareness. Globalcode – O pen4education

  25. Strategy #3 Grooming, Security Roles Security Architect Security Engineer Grooming Globalcode – O pen4education

  26. Strategy #3 Analysis Pros: Cons: • Security Expert’s time is used • More people are involved, then wisely; the security injection become • No Single Point of Failure; more complex. • Security injection that respects the development process. Globalcode – O pen4education

  27. This ain’t over. What about ... • Stories that are created after the planning? • Security stories negotiation? • Risk Management? • Maximize even more the security injection? Globalcode – O pen4education

  28. Stories that are created after the planning • It should not be common, but it can happen; • Define a process to handle it; • The Information Security team must be aware and perform its assessment . Globalcode – O pen4education

  29. Security stories negotiation • It will always be a challenge, no matter what; • Focus on the risk ; • Define the Quality Gates before publish and agree these gates with the Product Owner. Globalcode – O pen4education

  30. Risk Management (1-3) • Perform Threat Modeling on Grooming; • Inject Security on: • Acceptance Criteria for specific requirements; • Definition of Done for generic requirements. • Automate Security Acceptance Criteria tests; Globalcode – O pen4education

  31. Risk Management (2-3) • Take advantage of the agile tools: • Put labels on Jira stories; • Extract the labeled stories using JQL (Jira Query Language) API; • Integrate the extracted risks to your company risks platform / dashboard; Globalcode – O pen4education

  32. Risk Management (3-3) Threat Model Case #ID 05 Asset User Credentials Threat Threat action aimed to illegally access and use another user's credentials, such as username and password. Risk High Threat Agent External Attacker Threat Type (STRIDE) Spoofing Security Control Authentication Mitigation Controls ● Appropriate authentication ● Protect secret data ● Don't store secrets Incident Response Procedures Block user account, revoke password, etc Globalcode – O pen4education

  33. Maximize even more the Security Injection • Extreme Programming (XP) practices • Continuous Processes • Continuous Integration • Design Improvement • Shared Understanding • Coding Standard • Collective Code Ownership • Simple Design • DevOps Security, Security Champions • Mailing Lists, Tech Talks, Software Assurance Maturity Model Globalcode – O pen4education

  34. OpenSAMM (1-2) Globalcode – O pen4education

  35. OpenSAMM (2-2) Globalcode – O pen4education

  36. Final Thoughts • The more you respect the developers process, the more they will respect yours; • Scrum is about constant learning so always be thinking how you can tweak your process to make it better; • Apply the concepts to the way of your company builds software since there is no silver bullet . Globalcode – O pen4education

  37. References & Resources • Scrum.org: https://www.scrum.org/ • Extreme Programming: http://www.extremeprogramming.org/ • Veracode Webinars: • https://info.veracode.com/webinar-secure-agile-through-an-automated-toolchain-how-veracode-rd-does-it.html • https://info.veracode.com/webinar-building-security-into-the-agile-sdlc.html • RSA Conference Europe: http://www.rsaconference.com/writable/presentations/file_upload/asec-107.pdf • Gotham: http://pt.slideshare.net/SOURCEConference/are-agile-and-secure-development-mutually-exclusive-source-2011 • Microsoft SDL: http://microsoft.com/sdl • OWASP: https://www.owasp.org • OpenSAMM: http://www.opensamm.org/ • Flare Security: http://flaresecurity.com • Anderson Dadario’s blog: http://dadario.com.br • Rugged Software: https://www.ruggedsoftware.org/ Globalcode – O pen4education

  38. Thank You Anderson Dadario, CISSP, CSSLP http://dadario.com.br http://flaresecurity.com Globalcode – O pen4education

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza Implementation Challenges Iron Triangle Security as an afterthought The Secure SDLC in the Waterfall Model SDLC vs Secure SDLC Cost Reduction

1.3k views • 11 slides
Move left in the SDLC z - Jaswinder Kaur z Jaswinder Kaur Senior Security Engineer at

Move left in the SDLC z - Jaswinder Kaur z Jaswinder Kaur Senior Security Engineer at

Move left in the SDLC z - Jaswinder Kaur z Jaswinder Kaur Senior Security Engineer at T-Mobile, Washington Worked previously in DC government and Bank of America Expertise in web application security testing, architecture

286 views • 16 slides
Lessons From Implementing Agile Across the Entire Product Lifecycle About Me Larry Cummings

Lessons From Implementing Agile Across the Entire Product Lifecycle About Me Larry Cummings

Lessons From Implementing Agile Across the Entire Product Lifecycle About Me Larry Cummings larry.cummings@isostech.com Atlassian Certified Professional Product Developer Agile practitioner Interested in teams, process and

527 views • 48 slides
1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN SECURITY CONCEPT According to the human security principles PROTECTION OBJECTIVE TOP-DOWN Support the formulation of public policies (gender,

1.15k views • 14 slides
1 A SDLC Software Development Lifecycle Its a set of tools, artifacts, and work

1 A SDLC Software Development Lifecycle Its a set of tools, artifacts, and work

1 A SDLC Software Development Lifecycle Its a set of tools, artifacts, and work practices an organization uses to create software. That SDLC is integrated into a workflow process within the organization to get the requirements

330 views • 30 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R A C K Vendor? Customer? In-house team? New to agile? Some agile? 100% agile? Questions, feedback on Twitter #SellingAgile The Story 1.

918 views • 54 slides
Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places

906 views • 32 slides
Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Pole Vaulting over Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places Consulting, Research,

581 views • 32 slides
Implementing Lean and Agile Approaches An organization Journey Case study Waffa Karkukly,

Implementing Lean and Agile Approaches An organization Journey Case study Waffa Karkukly,

happy projects12 Implementing Lean and Agile Approaches An organization Journey Case study Waffa Karkukly, Ph.D, MIT, PMP April 25, 2013 happy projects12 Outline About the Organization The Situation Why Lean and Agile PMO as the

720 views • 34 slides
Implementing Agile Everywhere End User Computings Service/Support teams SITE SERVICES

Implementing Agile Everywhere End User Computings Service/Support teams SITE SERVICES

Implementing Agile Everywhere End User Computings Service/Support teams SITE SERVICES CARE4CUSTOMER SUPPORT` Global Team Team provides innovative infrastructure support that enables Business capabilities: Customer Relationship

502 views • 33 slides
The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE Collaboration 2009 Fermi Symposium 2 - 5 November 2009, Washington AGILE on PSLV-C8 Sriharikota, India The AGILE April 15, 2007 Payload: the most

853 views • 38 slides
SDLC Lessons Learned By Vincent Liu Agenda Know what to look for Understand what you

SDLC Lessons Learned By Vincent Liu Agenda Know what to look for Understand what you

SDLC Lessons Learned By Vincent Liu Agenda Know what to look for Understand what you find And learn from the mistakes of others. App Sec Assurance Program Support Requirements Design Development QA Test Release &

467 views • 23 slides
AGILE PUB brusselspictures.com Andrea Tomasini Andrea trained and coached a diverse range of

AGILE PUB brusselspictures.com Andrea Tomasini Andrea trained and coached a diverse range of

AGILE PUB brusselspictures.com Andrea Tomasini Andrea trained and coached a diverse range of teams and helped many companies in various industries: finance, telecommunication and automotive in implementing agile methods like Scrum. His

435 views • 19 slides
Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without Increasing the Headcount Anderson Maranho Ventura Dadario Information Security Flare Security, So Paulo, Brazil anderson@dadario.com.br

428 views • 3 slides
Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),

Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),

Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001), http://www.agilealliance.org/ . [Alexander2002] I. Alexander, Initial Industrial Experience of Misuse Cases in Trade-Off Analysis, pp. 1113 in

503 views • 12 slides
ADSP- -BF533 Peripherals BF533 Peripherals ADSP Advisor: Prof. Andy Wu 2004/10/14 ACCESS IC

ADSP- -BF533 Peripherals BF533 Peripherals ADSP Advisor: Prof. Andy Wu 2004/10/14 ACCESS IC

Graduate Institute of Electronics Engineering, NTU ADSP- -BF533 Peripherals BF533 Peripherals ADSP Advisor: Prof. Andy Wu 2004/10/14 ACCESS IC LAB ACCESS IC LAB Graduate Institute of Electronics Engineering, NTU Outline Outline

512 views • 24 slides
Project INEL 4206 Fall 2018 Project Description Ultimate objective: build an arithmetic

Project INEL 4206 Fall 2018 Project Description Ultimate objective: build an arithmetic

Project INEL 4206 Fall 2018 Project Description Ultimate objective: build an arithmetic operations server that receives an ASCII string (through a serial port) that describes the desired operations. The server performs the math calculations and

418 views • 11 slides
CPSC 875 CPSC 875 John D McGregor John D. McGregor C10 Error Design Uncertainty Uncertainty

CPSC 875 CPSC 875 John D McGregor John D. McGregor C10 Error Design Uncertainty Uncertainty

CPSC 875 CPSC 875 John D McGregor John D. McGregor C10 Error Design Uncertainty Uncertainty Make uncertainty a first class entity in design Make uncertainty a first class entity in design Assume things fail Watchdog timers check

590 views • 24 slides
Another approach to runtime checking Typical runtime checking is by duplicating entire CPU

Another approach to runtime checking Typical runtime checking is by duplicating entire CPU

Another approach to runtime checking Typical runtime checking is by duplicating entire CPU Expensive in power, area No protection from design errors Does not survive permanent faults Last time we saw an approach that leveraged

246 views • 7 slides
Making the Enterprise Agile Applying DevOps and Agile Principles at Scale

Making the Enterprise Agile Applying DevOps and Agile Principles at Scale

Making the Enterprise Agile Applying DevOps and Agile Principles at Scale Gary Gruver September 3, 2014 - FW no longer a bottleneck for the business - Development costs reduced from $100M/yr. to $55M/yr. - ~140%

545 views • 25 slides
Which Methodology is Best for You? Laura Pietromica Customer Advisor & Consultant HIMSS

Which Methodology is Best for You? Laura Pietromica Customer Advisor & Consultant HIMSS

Agile or Waterfall Which Methodology is Best for You? Laura Pietromica Customer Advisor & Consultant HIMSS Certified Consultant Overview Agenda Which to Choose Hybrid Overview Waterfall Sequential or linear stages

725 views • 17 slides
Softw are Engineering for Em bedded System s Software Engineering for Embedded Systems Mohammad.

Softw are Engineering for Em bedded System s Software Engineering for Embedded Systems Mohammad.

Softw are Engineering for Em bedded System s Software Engineering for Embedded Systems Mohammad. Abdullah Al Faruque Talal Bonny CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science University of Karlsruhe

580 views • 42 slides
Case: update Health Scrutiny Committee 15 May 2019 Running order 1. Introduction & purpose

Case: update Health Scrutiny Committee 15 May 2019 Running order 1. Introduction & purpose

Item 3 Appendix A Strategic Outline Case: update Health Scrutiny Committee 15 May 2019 Running order 1. Introduction & purpose 2. Overview and wider infrastructure development 3. Group discussions group one Q & A safety and

427 views • 18 slides

More recommend