When Software Security Meet Agile (Ant) yftzeng@gmail.com - - PowerPoint PPT Presentation
When Software Security Meet Agile (Ant) yftzeng@gmail.com 2019-03-21 Introduction & Research interest 13 4
When Software Security Meet Agile 曾義峰 (Ant)
yftzeng@gmail.com 2019-03-21
2/78
13 年互聯網研發經驗, 4 年顧問資歷。 時而編程,時而沉浸於法律領域、倘洋於資訊安全世界中。 Web Security ( 網頁安全 ) Data(base) Security ( 資料安全 ) Agile Way ( 敏捷方法 ) Compliance ( 法遵 / 合規 )
3/78
引言 角色 文化 實踐
4/78
引言
5/78 Requirements Design Code Test Deploy
6/78 Requirements Design Code Test Deploy
Risk Assessment Design Review & Threat Modeling Static Analysis Code Review & Penetration Testing Secure Configuration & Security Assessment
7/78 Requirements Design Code Test Deploy
Risk Assessment Design Review & Threat Modeling Static Analysis Code Review & Penetration Testing Secure Configuration & Security Assessment
E V E R Y T H I N G WO R K WE L L
8/78
Credit: https://medium.com/innodev/agile-development-for-dummies-dd161da253c7
9/78
Credit: https://www.kisspng.com/png-scrum-sprint-agile-software-development-systems-de-4949713/
Scrum
10/78
Credit: https://sanzubusinesstraining.com/how-to-create-a-kanban-board-to-manage-your-to-do-list/
Kanban
11/78
Credit: https://dilbert.com/strip/2007-11-26
我們將嘗試一種稱為敏捷開發的模式。 意味著不需計畫,不需文檔。只要寫程式和發牢騷就好。
12/78
Prejudices
推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。
13/78
Prejudices
推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。
14/78
Credit: http://www.commitstrip.com/en/2017/06/19/security-too-expensive-try-a-hack/
15/78
16/78
17/78
很多公司都有推動各種敏捷專案管理流程。 例如 Scrum 或 Kanban 。 但其中有具備資安 (Security) 思維的只有一小部分。 更不用論更大範圍的法遵 / 合規 (Compliance) ,例如 GDPR 等。
18/78
Agile Injection
頻繁安插的無理需求、急件
19/78
Agile XSS Injection
頻繁安插的無理需求、急件 從其他團隊來的跨組扔包
20/78
Agile XSS StackOverflow Injection
頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 我是 Full-Stack Developer 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出
21/78
Agile God Injection XSS StackOverflow Injection
頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 我是 Full-Stack Developer 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出 老闆一聲令下 搖身變為隕石開發法
22/78
Credit: http://eiki.hatenablog.jp/entry/meteo_fall
Waterfall
23/78
Credit: http://eiki.hatenablog.jp/entry/meteo_fall
Agile
24/78
Credit: http://eiki.hatenablog.jp/entry/meteo_fall
Agile
25/78
角色
26/78
“The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。”
Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
27/78
“The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。”
Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
28/78
“The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。”
Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
29/78
Product Backlog Item (PBI) :
30/78
Scenario: User are able to register Given the user is on “/users/register” When the user types the email “yftzeng@gmail.com” When the user types the password “xxx” When the user clicks the register button Then the response should contains “Password must be at least 8 characters long” ...
BDD
31/78
Scenario: The application should not contain SQL injection vulnerabilities And the SQL-Injection policy is enabled And the attack strength is set to High And the alert threshold is set to Low When the scanner is run And the following false positives are removed | url | parameter | cweId | wascId | And the XML report is written to the file output/security/sql_injection.xml Then no Medium or Higher risk vulnerabilities should be present
Credit: https://continuumsecurity.net/bdd-security/
BDD
32/78
Scenario: Present the login form itself over an HTTPS connection Given a new browser instance And the client/browser is configured to use an intercepting proxy And the proxy logs are cleared And the login page is displayed And the HTTP request-response containing the login form Then the protocol should be HTTPS And ...
Credit: https://continuumsecurity.net/bdd-security/
BDD
33/78
BDD
34/78
文化
35/78
《 Dev Ops ⋅ 》 同 Agile / Lean ,具備自身核心,更快的執行速度和更快的學習速度。 這就是為什麼它經常被描述為一種文化。
36/78
《 Dev Ops ⋅ 》 同 Agile / Lean ,具備自身核心,更快的執行速度和更快的學習速度。 這就是為什麼它經常被描述為一種文化。
37/78
38/78
SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help
their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent
Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
39/78
SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help
their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent
Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
40/78
The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no
built into DevOps.
Credit: https://techbeacon.com/devsecops-foundations
41/78
The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no
built into DevOps.
Credit: https://techbeacon.com/devsecops-foundations
42/78
43/78
44/78
45/78
Credit: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Pipeline_Design_Patterns
46/78
Credit: https://www.linkedin.com/in/LarryMaccherone/
47/78
實踐
48/78
《 Dev Ops ⋅ & CI ⋅ CD 》 DevOps 非商業口號,是以工具為中心的哲學,支持持續交付價值鏈。 持續交付採用自動部署流水線,以便可靠、快速地將軟體發佈的方法。 持續交付和 DevOps 擁有敏捷和精益的共同背景:小而快速的變化。 DevOps 關乎文化、開發和運營之間、明確的流程。關乎敏捷。 你可以在不實施持續交付的情況下接受並實踐 DevOps 理念。
49/78
《 Dev Ops ⋅ & CI ⋅ CD 》 DevOps 非商業口號,是以工具為中心的哲學,支持持續交付價值鏈。 持續交付採用自動部署流水線,以便可靠、快速地將軟體發佈的方法。 持續交付和 DevOps 擁有敏捷和精益的共同背景:小而快速的變化。 DevOps 關乎文化、開發和運營之間、明確的流程。關乎敏捷。 你可以在不實施持續交付的情況下接受並實踐 DevOps 理念。
50/78
Credit: https://www.linkedin.com/in/LarryMaccherone/
51/78
Credit: https://www.linkedin.com/in/LarryMaccherone/
52/78
《 Pen testing 》 滲透測試 (Penetration testing) 有時長達兩個月。 每一次的提交與改變,是否會影響之前滲透測試的結果? 《 Compliance validation 》 如果發布需要通過外部審核機構 ( 法務 / 會計 / 稽核 ) , 如何能實現快速循環實驗?
53/78
Credit: https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700
54/78
Credit: https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700
55/78
Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例
The Scaled Agile Framework (abbreviated as SAFe)
56/78
Credit: https://www.scaledagileframework.com/release-on-demand/
Develop on Cadence. Release on Demand.
57/78
Credit: https://www.scaledagileframework.com/release-on-demand/
Develop on Cadence. Release on Demand.
58/78
Credit: https://twitter.com/deanleffingwell/status/612425925515317248
59/78
Credit: https://www.scaledagileframework.com/release-on-demand/
Develop on Cadence. Release on Demand.
Develop on Cadence ( 技術流程 ) Release on Demand ( 商業決策 )
60/78
Credit: https://www.scaledagileframework.com/release-on-demand/
Develop on Cadence. Release on Demand.
Develop on Cadence ( 技術流程 ) Release on Demand ( 商業決策 ) 解耦
(decoupling)
61/78
Credit: https://martinfowler.com/books/continuousDelivery.html
Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT.
62/78
Credit: https://martinfowler.com/books/continuousDelivery.html
Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT.
63/78
Credit: https://martinfowler.com/bliki/ContinuousDelivery.html
Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In
Continuous Delivery.
Martin Fowler
64/78
Credit: https://martinfowler.com/bliki/ContinuousDelivery.html
Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In
Continuous Delivery.
Martin Fowler
65/78
Credit: https://www.scaledagileframework.com/release-on-demand/
Develop on Cadence. Release on Demand.
Develop on Cadence ( 技術流程 ) Release on Demand ( 商業決策 ) 解耦
(decoupling)
66/78
Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例
The Scaled Agile Framework (abbreviated as SAFe)
67/78
Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例
The Scaled Agile Framework (abbreviated as SAFe)
(decoupling)
68/78
Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例
The Scaled Agile Framework (abbreviated as SAFe) 商業決策 技術流程 商業決策
69/78
Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
商業決策 技術流程 商業決策
C
l i a n c e S e c u r i t y 滲透測試 (Penetration testing) / 紅隊演練 (Red Team Assessment) 。 外部審核機構 ( 法務 / 會計 / 稽核 ) 。
70/78
S e c u r i t y Ma r k e t i n g C
l i a n c e needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline D e v e l
71/78
S e c u r i t y Ma r k e t i n g C
l i a n c e D e v e l
needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline
72/78
Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/
73/78
Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/
74/78
Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/
75/78
Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/
76/78 Password Policy SQL Injection XSS Information Disclosure StackOverflow Insider Threat
77/78
Agile ≠ Fast 產品負責人必須將資安官納入主要利益相關人 借鏡 DevOps/SAFe ,引入 DevSecOps 文化 利用軟體工程的手法 , 將複雜的流程解耦、分段 階段性實施 DevSecOps ( 小跑步法 ) 確認團隊所有成員認同資安對於客戶的價值 持續投入資安訓練及演練
78/78
yftzeng@gmail.com https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng