We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byEzra Bigwood
Modified about 1 year ago
www.rallydev.com ©2013 Reduce Security Risk in Your Development Part II: Creating an Agile SSDLC #SecureDev Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA
www.rallydev.com ©2013 What We’ll Cover Today How is secure Agile development different? Creating a User Story with integrated security Security Tasks and Testing Managing security Defects Security architecture Agile Threat Map #SecureDev
www.rallydev.com ©2013 Quick Recap of Session 1 Information security overview What are the most common threats? How to protect sensitive data, both from a methodology and technology standpoint Standards and tools –NIST SP 800-53A, OpenSAMM, OWASP
www.rallydev.com ©2013 How is Secure Agile Development Different? Distinct security-focused project phases, often at beginning and end of project Security skills brought in from outside project, often disconnected from dev/test resources Specific security testing phase, often at end of project. Agile Traditional/ Waterfall Every iteration considers security, but is not limited by it. Every team member is responsible for security. Security skills are embedded in the team. Hybrid security and functionality testing, throughout project. Security Timing Security Resources Security Validation
www.rallydev.com ©2013 Secure Agile Development Guiding Principles Product value improves with security. Security is integral to the product, not an afterthought. Outside security resources (standards, threats, experts) provide background, not a cage.
www.rallydev.com ©2013 Agile security myths - 1 Myth: I’m a developer / product owner / scrum master. Security is someone else’s job. –Reality: The complex threats facing applications today requires everyone to be thinking about security. –Secure business logic –Secure coding practices –Secure test methods –Secure data architecture –Secure deployment environment
www.rallydev.com ©2013 Agile security myths - 2 Myth: Compliance with an Information Security Standard isn’t Agile –Reality: Compliance with an Information Security Standard, such as NIST SP 800-53A, is actually easier in an Agile environment, because “baking in” security in smaller pieces allows for simple compliance test cases and less backtracking
www.rallydev.com ©2013 Secure User Stories The #1 tenet of secure Agile development is to “bake” security into every user story Remember: Stories should be defined such that the lowest level child story can be implemented and accepted in a single iteration –Any security component(s) of the story, therefore, must be lightweight –What is the most basic security functionality required for the story to be compliant? –Don’t let security define the user story. Let the user story define the security.
www.rallydev.com ©2013 Great, Secure User Stories (from Write a Great User Story, by Ronica Roth)
www.rallydev.com ©2013 VIDEO DEMO 1 VIDEO DEMO – Creating a great user story with security elements included in Acceptance Criteria and Definition of Done
www.rallydev.com ©2013 Secure User Story DON’Ts DON’T change the user story template “As a, I want to so that ” NOT “As a, I want to so that and ” DON’T create “Security Epics” DON’T assign secure user story creation to “the security guy/gal” DON’T put technical security tasks in the user story itself.
www.rallydev.com ©2013 Security Tasks For each user story, the Developer should create tasks necessary to meet security acceptance criteria Developer should also detail any security testing tasks, as part of defining all the testing tasks for the story Security review may also be added as a task, assigned to a security specialist
www.rallydev.com ©2013 VIDEO DEMO 2 VIDEO DEMO – Adding security related tasks and testing to a user story
www.rallydev.com ©2013 Security Defects Security defects may be identified –As part of iteration testing –After product deployment Tagging security defects makes them easier to identify and prioritize Once defined, security defects are managed along with other defects as part of iteration acceptance and scheduling
www.rallydev.com ©2013 VIDEO DEMO 3 VIDEO DEMO – Security defect management
www.rallydev.com ©2013 Security Architecture From The Principles of Agile Architecture by Alex Yakyma and Dean Leffingwell, with contributions from Ryan Martens and Mauricio Zamora
www.rallydev.com ©2013 Security Architecture [..] in the context of secure Agile enterprise software systems, we need both: fast, local control of emergent design so that teams react appropriately to changing security requirements without excessive attempts to future risk proof the system, and global control of Intentional Architecture, the guidance needed to assure that the system as a whole has conceptual integrity and efficacy security. Achieving the right balance of emergent design and intentional architecture drives effective secure evolution of the system [..] From The Principles of Agile Architecture by Alex Yakyma and Dean Leffingwell, with contributions from Ryan Martens and Mauricio Zamora
www.rallydev.com ©2013 Agile Threat Mapping Assessment of key threats to business value, process, or data set Tied to real-world, known threats – not “theoretical” Communicated to all team members Completed by team, not by “security guy/gal”
www.rallydev.com ©2013 Agile Threat Mapping Template or Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure or or or Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure
www.rallydev.com ©2013 Checking Our Work
www.rallydev.com ©2013 Questions? Contact me: email@example.com Twitter: @trenthein #SecureDev
www.rallydev.com ©2013 #SecureDev Up Next: Agile Secure Code Review July 24 th | 10am ET Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA
www.rallydev.com ©2013 Go Agile. Go Rally. #SecureDev
©2013 Reduce Security Risk in Your Development Part III: Secure Code Review #SecureDev Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA.
Informed Traveler Program and Applications Agile / Scrum Overview Jerry Inberg.
IT Services SDLC, Peer and Gate Review Approach September 2011.
Gaining Support for a Sustainable Agile Transformation Dennis Stevens, VP Enterprise Engagements LeadingAgile November 12, 2013.
Computer Engineering 203 R Smith Agile Development 1/ Agile Methods What are Agile Methods? – Extreme Programming is the best known example – SCRUM.
+ Agile Usability Testing Methods Glenn Teneycke.
Agile Development Primer – Using Roundtable TSMS in an Agile Shop Michael G. Solomon Solomon Consulting Inc.
05 | Define End Value for the Software Iteration Steven Borg | Co-founder & Strategist, Northwest Cadence Anthony Borton | ALM Consultant, Enhance ALM.
Release and Iteration Planning September 13, 2008.
Process Asad Ur Rehman Chief Technology Officer Feditec Enterprise.
Sri Lanka Institute of Information Technology Software Engineering Project – I Clone of Rally GROUP NO : WD-SEP-002 | PROJECT NO :25 PROJECT : CLONE OF.
> Blueprint Kickoff >. Introductions Customer Vision & Success Criteria Apigee Accelerator Overview Blueprint Schedule Roles & Responsibilities Communications.
Successful Software Practice How to successfully work as a team to create software Chris Mendes, Chief Technology Officer Sirca Limited March 2012.
How To Build a Testing Project 1 Onyx Gabriel Rodriguez.
Agile development By Sam Chamberlain. First a bit of history..
SCRUM basics Julie Rudder & Claire Stewart. What is scrum (Claire) Scrum roles (Claire) Scrum rhythms and processes (Claire) How to write stories (Julie)
© 2013 IBM Corporation Tivoli and Maximo Quality Improvement Initiatives March 2014.
Session 1: Customer Solutions with Sure Step Created by: Aditya Mohan Director, Partner Product Management Microsoft Corporation SURE STEP INTRODUCTION.
Certified Software Tester How To Build a Testing Project, Part 1.
-Nikhil Bhatia 28 th October What is RUP? Central Elements of RUP Project Lifecycle Phases Six Engineering Disciplines Three Supporting Disciplines.
5 Levels of Planning Adapted from 5 Levels of Agile Planning by Hubert Smits Daily Standup Iteration Plan Release Plan Product Roadmap Product Vision.
Chapter 2 – Software Processes Lecture 1 1Chapter 2 Software Processes.
Software Testing Software Testing – is a process of software analysis and defect detecting. Actions of defect detecting are directed to defining as many.
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Deeper Dive Into: User Stories.
Describing Methodologies PART II Rapid Application Development* Systems Analysis and Design II.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Testing Challenges in an Agile Environment Biraj Nakarja Sogeti UK 28 th October 2009.
Designing a System 4 October Beyond the Technology What will be implemented – external view –“glossy” brochure –Use cases and user types Translation.
Information Security Antipatterns in Software Requriements Engineering Miroslav Kis Presented by Liping Cai.
Xtreme Programming. Software Life Cycle The activities that take place between the time software program is first conceived and the time it is finally.
Object Oriented Analysis and Design Introduction.
CSE Senior Design I Building a Plan Instructor: Mike O’Dell Several of the slides in this module are a modification and amplification of slides prepared.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Project Management An Overview John Mulhall MIICM; LIB International Credit & Process Management Professional.
Slide 1 Course: e-Governance Project Lifecycle Day 1 Session 3 e-Governance Project Development LifeCycle.
Copyright © 2012 Accenture All rights reserved. 1 Living Requirements using Behavior Driven Development May 8, 2015
1 Software Engineering: A Practitioner’s Approach, 7/e Chapter 2 Process: A Generic View Software Engineering: A Practitioner’s Approach, 7/e Chapter 2.
Delivering Enterprise Projects Using Agile Methods Brent Barton May 23, 2006.
Measuring Security Best Practices with OpenSAMM Alan Jex SnowFROC 2013.
Extreme Programming (XP). Agile Software Development Paradigm Values individuals and interactions over processes and tools. Values working software over.
PRJ566 Project Planning & Management Software Architecture.
RATIONAL UNIFIED PROCESS PROCESS FRAMEWORK OVERVIEW.
1 Chapter 2 SW Process Models. 2 Objectives Understand various process models Understand the pros and cons of each model Evaluate the applicability.
Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.
WATERFALL DEVELOPMENT MODEL. Waterfall model is LINEAR development lifecycle. This means each phase must be completed before moving onto the next!!! WHAT.
E-COMMERCE & MOBILE COMPUTING. On Technicals… Considerations for evaluating platform Ecommerce Applications Development Process Integration Options Middlewares.
(ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation.
Let’s Play Poker: Effort and Software Security Risk Estimation in Software Engineering Laurie Williams 1 Picture from
© 2017 SlidePlayer.com Inc. All rights reserved.