when software security meet agile ant yftzeng gmail com
play

When Software Security Meet Agile (Ant) yftzeng@gmail.com - PowerPoint PPT Presentation

Feb 22, 2024 •168 likes •964 views

When Software Security Meet Agile (Ant) yftzeng@gmail.com 2019-03-21 Introduction & Research interest 13 4

  1. 當軟體安全遇上敏捷 When Software Security Meet Agile 曾義峰 (Ant) yftzeng@gmail.com 2019-03-21

  2. Introduction & Research interest 13 年互聯網研發經驗, 4 年顧問資歷。 時而編程,時而沉浸於法律領域、倘洋於資訊安全世界中。 Web Security ( 網頁安全 ) Data(base) Security ( 資料安全 ) Agile Way ( 敏捷方法 ) Compliance ( 法遵 / 合規 ) 2/78

  3. Agenda 1 SDLC & Agile 引言 2 Product Owner & Stakeholders 角色 3 DevOps & Security 文化 4 CI/CD & Pipeline 實踐 3/78

  4. Agenda 1 SDLC & Agile 引言 2 Product Owner & Stakeholders 3 DevOps & Security 4 CI/CD & Pipeline 4/78

  5. Software Development Life Cycle (SDLC) Requirements Design Code Test Deploy 5/78

  6. Secure Software Development Life Cycle (SSDLC) Requirements Risk Assessment Design Review Design & Threat Modeling Code Static Analysis Code Review Test & Penetration Testing Secure Configuration Deploy & Security Assessment 6/78

  7. Secure Software Development Life Cycle (SSDLC) Requirements Risk Assessment Design Review Design & Threat Modeling Code Static Analysis Wa t e r f a l l E V E R Y T H I N G WO R K WE L L Code Review Test & Penetration Testing Secure Configuration Deploy & Security Assessment 7/78

  8. Agile 8/78 Credit: https://medium.com/innodev/agile-development-for-dummies-dd161da253c7

  9. Agile Scrum 9/78 Credit: https://www.kisspng.com/png-scrum-sprint-agile-software-development-systems-de-4949713/

  10. Agile Kanban 10/78 Credit: https://sanzubusinesstraining.com/how-to-create-a-kanban-board-to-manage-your-to-do-list/

  11. Agile 我們將嘗試一種稱為敏捷開發的模式。 意味著不需計畫,不需文檔。只要寫程式和發牢騷就好。 11/78 Credit: https://dilbert.com/strip/2007-11-26

  12. Agile Prejudices 推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。 12/78

  13. Agile Prejudices 推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。 13/78

  14. Agile 14/78 Credit: http://www.commitstrip.com/en/2017/06/19/security-too-expensive-try-a-hack/

  15. Agile 15/78

  16. Agile A g i l e ≠ F a s t 16/78

  17. Agile 很多公司都有推動各種敏捷專案管理流程。 例如 Scrum 或 Kanban 。 但其中有具備資安 (Security) 思維的只有一小部分。 更不用論更大範圍的法遵 / 合規 (Compliance) ,例如 GDPR 等。 17/78

  18. 誰說 Agile Coach 不需要懂資安 !? Injection 頻繁安插的無理需求、急件 Agile 18/78

  19. 誰說 Agile Coach 不需要懂資安 !? Injection XSS 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 Agile 19/78

  20. 誰說 Agile Coach 不需要懂資安 !? Injection XSS 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 Agile StackOverflow 我是 Full-Stack Developer 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出 20/78

  21. 誰說 Agile Coach 不需要懂資安 !? Injection XSS 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 Agile StackOverflow God Injection 老闆一聲令下 我是 Full-Stack Developer 搖身變為隕石開發法 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出 21/78

  22. 隕石開發法 Waterfall 22/78 Credit: http://eiki.hatenablog.jp/entry/meteo_fall

  23. 隕石開發法 Agile 23/78 Credit: http://eiki.hatenablog.jp/entry/meteo_fall

  24. 隕石開發法 Agile 無論什麼方法,在神面前, 都無用 24/78 Credit: http://eiki.hatenablog.jp/entry/meteo_fall

  25. Agenda 1 SDLC & Agile 2 Product Owner & Stakeholders 角色 3 DevOps & Security 4 CI/CD & Pipeline 25/78

  26. Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的 唯 一人 員 。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責 與客戶 和利 益相關者 合作 以了解 他們的需求。” 26/78 Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team

  27. Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的 唯 一人 員 。” Who are your stakeholders ? 誰是 你 們的利 益相關者 “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責 與客戶 和利 益相關者 合作 以了解 他們的需求。” 27/78 Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team

  28. Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的 唯 一人 員 。” Security officer should start taking up the role of security stakeholders “The PO role is responsible for working with the customers and 資安 官應該 開 始擔任 利 益相關者 的角色 stakeholders to understand their needs.” “ 產品負責人負責 與客戶 和利 益相關者 合作 以了解 他們的需求。” 28/78 Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team

  29. Product Backlog Product Backlog Item (PBI) : ● Features ● Bugs ● Refactoring ● Spike ● … ● Security Features ● Security Stories ● Attacker Stories ● Ab- U se U ser Stories 29/78

  30. Product Backlog BDD Scenario : U ser are able to register Given the user is on “ /users/register ” When the user types the email “ yftzeng@gmail.com ” When the user types the password “ xxx ” When the user clicks the register button Then the response should contains “ Password must be at least 8 characters long ” ... 30/78

  31. Product Backlog BDD Scenario : The application should not contain S QL in j ection vulnerabilities And the S QL -In j ection policy is enabled And the attack strength is set to H igh And the alert threshold is set to L ow When the scanner is run And the following false positives are removed | url | parameter | cweId | wascId | And the XML report is written to the file output/security/s q l _ in j ection. x ml Then no M edium or H igher risk vulnerabilities should be present 31/78 Credit: https://continuumsecurity.net/bdd-security/

  32. Product Backlog BDD Scenario : Present the login form itself over an H TTPS connection Given a new browser instance And the client/browser is configured to use an intercepting pro x y And the pro x y logs are cleared And the login page is displayed And the H TTP re q uest-response containing the login form Then the protocol should be H TTPS And ... 32/78 Credit: https://continuumsecurity.net/bdd-security/

  33. Tools BDD SpecFlow (. NE T) ● Cucumber (Ruby) ● J Behave ( J ava) ● Behat (P H P) ● J est ( J avaScript) ● Godog (Go) ● … ● 33/78

  34. Agenda 1 SDLC & Agile 2 Product Owner & Stakeholders 3 DevOps & Security 文化 4 CI/CD & Pipeline 34/78

  35. DevOps & Security ⋅ 《 Dev Ops 》 同 Agile / L ean ,具備 自 身 核心 ,更 快 的 執行速度 和更 快 的 學習速度 。 這 就是為什麼 它 經 常被描述 為一種文化。 從 DevOps 視 角, 探討 Security 35/78

  36. DevOps & Security ⋅ 《 Dev Ops 》 同 Agile / L ean ,具備 自 身 核心 ,更 快 的 執行速度 和更 快 的 學習速度 。 這 就是為什麼 它 經 常被描述 為一種文化。 36/78

  37. DevOps & Security 37/78

  38. DevOps & Security SecDevOps—sometimes called “ Rugged DevOps ” or “ security at speed ” —as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. 38/78 Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/

  39. DevOps & Security “SecDevOps seeks to embed security inside the development process as deeply as DevOps has done with operations” (SecDevOps 旨 在將開發過程中的資訊安全 深入到 DevOps 的 操 作中 ) SecDevOps—sometimes called “ Rugged DevOps ” or “ security at speed ” —as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. 39/78 Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agile Software Development Venkat Subramaniam svenkat@cs.uh.edu Agile Software Development - 1

Agile Software Development Venkat Subramaniam svenkat@cs.uh.edu Agile Software Development - 1

Agile Software Development Venkat Subramaniam svenkat@cs.uh.edu Agile Software Development - 1 Agile Software Development State of Softw are Developm ent Agility Planning Daily Activity Conclusion Agile Software

744 views • 23 slides
Agile Software Development 1 / 26 Agile Processes Agile Manifesto (http://agilemanifesto.org/)

Agile Software Development 1 / 26 Agile Processes Agile Manifesto (http://agilemanifesto.org/)

Agile Software Development 1 / 26 Agile Processes Agile Manifesto (http://agilemanifesto.org/) value: Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over

694 views • 26 slides
S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment

S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment

XP07 S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment Procedures: Stretching the Agile Envelope David Leip Olly Gotel ibm.com Chief Innovation Dude Department of Computer Science Agile Methods

123 views • 10 slides
Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without Increasing the Headcount Anderson Maranho Ventura Dadario Information Security Flare Security, So Paulo, Brazil anderson@dadario.com.br

428 views • 3 slides
The case for agile methods (or: the Cubicle Strikes Back) Software Engineering, lecture 8:

The case for agile methods (or: the Cubicle Strikes Back) Software Engineering, lecture 8:

Three cultures of software development Chair of Software Engineering Three cultures: Software Engineering Prof. Dr. Bertrand Meyer Process Agile Software development: Object Process vs agile The first two are usually

467 views • 13 slides
Agile Software Testing Strategies Agile Software Testing Strategies Presented by: Jared

Agile Software Testing Strategies Agile Software Testing Strategies Presented by: Jared

W17 Concurrent Session Wednesday 06/11/2008 2:45 PM 4:15 PM Agile Software Testing Strategies Agile Software Testing Strategies Presented by: Jared Richardson 6 th Sense Analytics Presented at: Better Software Conference & EXPO June

1.92k views • 33 slides
The case for 3. Towards a combination agile methods (or: the Cubicle Strikes Back) Software

The case for 3. Towards a combination agile methods (or: the Cubicle Strikes Back) Software

Three cultures of software development Chair of Softw are Engineering Three cultures: Software Engineering Prof. Dr. Bertrand Meyer Process March 2007 June 2007 Agile Object Software development: Process vs agile

374 views • 16 slides
Leveraging Kanban to Create the Agile Organization As Agile is more accepted as the way to

Leveraging Kanban to Create the Agile Organization As Agile is more accepted as the way to

Leveraging Kanban to Create the Agile Organization As Agile is more accepted as the way to develop software in organizations, some software teams and groups within IT are also becoming Agile, but with using Kanban as their chosen Agile

458 views • 27 slides
The Agile Advantage: How Agile Integration Improves Outcomes for Software as a Service (SaaS) in

The Agile Advantage: How Agile Integration Improves Outcomes for Software as a Service (SaaS) in

The Agile Advantage: How Agile Integration Improves Outcomes for Software as a Service (SaaS) in the Corporate Environment By Greg Spehar MBA, PMP, PMI-ACP 1 The Need Acceleration of Migration of Applications to Cloud Based Solutions

475 views • 19 slides
Agile in 3 Minutes The simplest podcast that could possibly work. Amitai Schlair Meet two

Agile in 3 Minutes The simplest podcast that could possibly work. Amitai Schlair Meet two

Agile in 3 Minutes The simplest podcast that could possibly work. Amitai Schlair Meet two people! [30 seconds] 1 Great series of micro-podcasts on agile topics. Michael D. GeePaw Hill Discuss! [2 minutes] Share! [1 minute]

504 views • 9 slides
Why Does Agile Software Development Why Does Agile Software Development Not Require the TSP

Why Does Agile Software Development Why Does Agile Software Development Not Require the TSP

TSP Symposium 2012 2012/9/18 TSP Symposium 2012 TSP Symposium 2012 Why Does Agile Software Development Why Does Agile Software Development Not Require the TSP Disciplines? Yoshihiro Akiyama Next Process Institute (NPI) September 18 th , 2012

558 views • 10 slides
Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made in Germany for the Future Economy Alexandra Weissgerber Software AG MultilingualWeb Workshop 2011, 05 April 2011 Project Context 5 Projects

338 views • 12 slides
Supplementing Agile Practices with Decision Support Methods for Military Software Development

Supplementing Agile Practices with Decision Support Methods for Military Software Development

Supplementing Agile Practices with Decision Support Methods for Military Software Development SEDA 2015 Luigi Benedicenti Agile Development Disciplined process Empowerment Courage Autonomy Innovation Decisions Agile

326 views • 19 slides
Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile

Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile

Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile Manifesto Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract

582 views • 31 slides
Agile Software Design 19 February, 2020 Software Design Early decisions Modular design Agile

Agile Software Design 19 February, 2020 Software Design Early decisions Modular design Agile

Agile Software Design 19 February, 2020 Software Design Early decisions Modular design Agile design Source: http://www.xkcd.com Agile Software Design Software Design Early decisions Modular design Agile design What can design mean?

1.22k views • 93 slides
Agile Development and Project Management CogSci 121 - HCI Programming Studio Adapted from

Agile Development and Project Management CogSci 121 - HCI Programming Studio Adapted from

Agile Development and Project Management CogSci 121 - HCI Programming Studio Adapted from slides by Mountain Got Software, Shahid N. Shah Agile Software Development https://www.youtube.com/watch?v=OJflDE6OaSc 2 Manifesto for Agile

801 views • 53 slides
D ISTRIBUTED S YSTEMS [COMP9243] B UILDING A D ISTRIBUTED S YSTEM Lecture 3: System Architecture

D ISTRIBUTED S YSTEMS [COMP9243] B UILDING A D ISTRIBUTED S YSTEM Lecture 3: System Architecture

D ISTRIBUTED S YSTEMS [COMP9243] B UILDING A D ISTRIBUTED S YSTEM Lecture 3: System Architecture Two questions: Slide 1 Slide 3 System Architectures Where to place the hardware? Client-server (and multi-tier) Where to place the

745 views • 11 slides
Crossing the chasm with {"no":"SQL"} Akmal B. Chaudhri ( )

Crossing the chasm with {"no":"SQL"} Akmal B. Chaudhri ( )

Crossing the chasm with {"no":"SQL"} Akmal B. Chaudhri ( ) Abstract This presentation will discuss the reasons for the rise and development of NoSQL technology, and compare and contrast the alternative

1.62k views • 137 slides
Software Design, Modelling and Analysis in UML Lecture 1: Introduction 2013-10-21 1

Software Design, Modelling and Analysis in UML Lecture 1: Introduction 2013-10-21 1

Software Design, Modelling and Analysis in UML Lecture 1: Introduction 2013-10-21 1 2013-10-21 main Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universit at Freiburg, Germany Contents & Goals This

954 views • 44 slides
Python microservices on PaaS done right Micha Bultrowicz About me Work at Intel

Python microservices on PaaS done right Micha Bultrowicz About me Work at Intel

Python microservices on PaaS done right Micha Bultrowicz About me Work at Intel Technology Poland. I do backend services. Sadly, mainly in Java. I did some C++ security... ...and multiplatform distributed automated

606 views • 32 slides
Introduction Couchbase Server 2.0 Tugdual Grall TechnicalEvangelist @tgrall {about :

Introduction Couchbase Server 2.0 Tugdual Grall TechnicalEvangelist @tgrall {about :

Introduction Couchbase Server 2.0 Tugdual Grall TechnicalEvangelist @tgrall {about : me} Tugdual Tug Grall Web Couchbase @tgrall Technical Evangelist http://blog.grallandco.com eXo Tgrall

620 views • 38 slides
Internal DSLs from API design to languages SoftLang Team, University of Koblenz-Landau Prof. Dr.

Internal DSLs from API design to languages SoftLang Team, University of Koblenz-Landau Prof. Dr.

Internal DSLs from API design to languages SoftLang Team, University of Koblenz-Landau Prof. Dr. Ralf Lmmel Msc. Johannes Hrtel Msc. Marcel Heinz (C) 2018, SoftLang Team, University of Koblenz-Landau Fluent Interfaces from

375 views • 34 slides
Best Practices Nils Adermann - @naderman - n.adermann@packagist.com Package Repositories Third

Best Practices Nils Adermann - @naderman - n.adermann@packagist.com Package Repositories Third

Developing and Deploying Magento with Composer: Best Practices Nils Adermann - @naderman - n.adermann@packagist.com Package Repositories Third Parties - Packagist - https://packagist.org - Magento Marketplace -

721 views • 59 slides
Understanding Waste in Software Chris B. Behrens SOFTWARE ARCHITECT @chrisbbehrens The Seven

Understanding Waste in Software Chris B. Behrens SOFTWARE ARCHITECT @chrisbbehrens The Seven

Understanding Waste in Software Chris B. Behrens SOFTWARE ARCHITECT @chrisbbehrens The Seven Wastes of Manufacturing 1. Delay 2.Overproduction 3.Overprocessing 4.Transportation 5.Unnecessary movement 6.Inventory 7.Defects Partially Done

553 views • 32 slides

More recommend