We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byEzra Bigwood
Modified about 1 year ago
©2013 Reduce Security Risk in Your Development Part II: Creating an Agile SSDLC #SecureDev Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA
©2013 What We’ll Cover Today How is secure Agile development different? Creating a User Story with integrated security Security Tasks and Testing Managing security Defects Security architecture Agile Threat Map #SecureDev
©2013 Quick Recap of Session 1 Information security overview What are the most common threats? How to protect sensitive data, both from a methodology and technology standpoint Standards and tools –NIST SP A, OpenSAMM, OWASP
©2013 How is Secure Agile Development Different? Distinct security-focused project phases, often at beginning and end of project Security skills brought in from outside project, often disconnected from dev/test resources Specific security testing phase, often at end of project. Agile Traditional/ Waterfall Every iteration considers security, but is not limited by it. Every team member is responsible for security. Security skills are embedded in the team. Hybrid security and functionality testing, throughout project. Security Timing Security Resources Security Validation
©2013 Secure Agile Development Guiding Principles Product value improves with security. Security is integral to the product, not an afterthought. Outside security resources (standards, threats, experts) provide background, not a cage.
©2013 Agile security myths - 1 Myth: I’m a developer / product owner / scrum master. Security is someone else’s job. –Reality: The complex threats facing applications today requires everyone to be thinking about security. –Secure business logic –Secure coding practices –Secure test methods –Secure data architecture –Secure deployment environment
©2013 Agile security myths - 2 Myth: Compliance with an Information Security Standard isn’t Agile –Reality: Compliance with an Information Security Standard, such as NIST SP A, is actually easier in an Agile environment, because “baking in” security in smaller pieces allows for simple compliance test cases and less backtracking
©2013 Secure User Stories The #1 tenet of secure Agile development is to “bake” security into every user story Remember: Stories should be defined such that the lowest level child story can be implemented and accepted in a single iteration –Any security component(s) of the story, therefore, must be lightweight –What is the most basic security functionality required for the story to be compliant? –Don’t let security define the user story. Let the user story define the security.
©2013 Great, Secure User Stories (from Write a Great User Story, by Ronica Roth)
©2013 VIDEO DEMO 1 VIDEO DEMO – Creating a great user story with security elements included in Acceptance Criteria and Definition of Done
©2013 Secure User Story DON’Ts DON’T change the user story template “As a, I want to so that ” NOT “As a, I want to so that and ” DON’T create “Security Epics” DON’T assign secure user story creation to “the security guy/gal” DON’T put technical security tasks in the user story itself.
©2013 Security Tasks For each user story, the Developer should create tasks necessary to meet security acceptance criteria Developer should also detail any security testing tasks, as part of defining all the testing tasks for the story Security review may also be added as a task, assigned to a security specialist
©2013 VIDEO DEMO 2 VIDEO DEMO – Adding security related tasks and testing to a user story
©2013 Security Defects Security defects may be identified –As part of iteration testing –After product deployment Tagging security defects makes them easier to identify and prioritize Once defined, security defects are managed along with other defects as part of iteration acceptance and scheduling
©2013 VIDEO DEMO 3 VIDEO DEMO – Security defect management
©2013 Security Architecture From The Principles of Agile Architecture by Alex Yakyma and Dean Leffingwell, with contributions from Ryan Martens and Mauricio Zamora
©2013 Security Architecture [..] in the context of secure Agile enterprise software systems, we need both: fast, local control of emergent design so that teams react appropriately to changing security requirements without excessive attempts to future risk proof the system, and global control of Intentional Architecture, the guidance needed to assure that the system as a whole has conceptual integrity and efficacy security. Achieving the right balance of emergent design and intentional architecture drives effective secure evolution of the system [..] From The Principles of Agile Architecture by Alex Yakyma and Dean Leffingwell, with contributions from Ryan Martens and Mauricio Zamora
©2013 Agile Threat Mapping Assessment of key threats to business value, process, or data set Tied to real-world, known threats – not “theoretical” Communicated to all team members Completed by team, not by “security guy/gal”
©2013 Agile Threat Mapping Template or Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure or or or Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure
©2013 Checking Our Work
©2013 Questions? Contact me: #SecureDev
©2013 #SecureDev Up Next: Agile Secure Code Review July 24 th | 10am ET Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA
©2013 Go Agile. Go Rally. #SecureDev
Basic SDLC Models. Agenda SDLC definition Waterfall SDLC V-Shape SDLC Spiral SDLC RUP SDLC Agile methods.
Software Development QA Best Practices May 20, 2010 Suzette Hackl, CSM Senior Project Manager Skyline Technologies, Inc.
Chapter:4 Principles That Guide Practice Unit II.
1 Note content copyright © 2004 Ian Sommerville. NU-specific content copyright © 2004 M. E. Kabay. All rights reserved. Software Re-use IS301 – Software.
A Practical Guide To Unit Testing John E. Boal TestDrivenDeveloper.com.
Lecture 4 Process and Method: An Introduction to the Rational Unified Process.
Principles of Information Security, 3rd Edition 2 Explain what contingency planning is and how incident response planning, disaster recovery planning,
NM DWS Enterprise UI System Project Sue Anne Athens, CIO May 21, 2014.
CSE 6324: Advanced Topics in Software Engineering Paper Presentation on An Overview of Security Practices in Agile Software Development - Naieem Khan.
Extreme Programming Patrick Mattis Alana Trafford Akarsh Sakalaspur.
Nick Coblentz OWASP CLASP Overview.
1 Systems Engineering A Way of Thinking A Way of Doing Business Enabling Organized Transition from Need to Product August 1997 Systems Engineering Technical.
Software Reuse and Component-Based Software Engineering CIS 376 Bruce R. Maxim UM-Dearborn.
Recall The Team Skills 1. Analyzing the Problem (with 5 steps) 2. Understanding User and Stakeholder Needs 3. Defining the System 4. Managing Scope 1.
1 Film Project Management Olga A. Burukina, PhD Associate Professor Project Management Department NRU HSE Moscow, March 2014.
Architecture in an Agile Organization Managing our Software as a Valuable Asset while Delivering Incrementally Chris Sterling Principal Consultant, Certified.
Unified process(UP) UP is an OO system development methodology offered by Rational(Rational Rose) s/w, now a part of IBM Developed by Booach,Rambaugh,Jacobson--
Leverage MarkITS for agile solutions delivery that balances strategic thinking with tactical execution for “Business & Technology Convergence” MarkITS.
Lecture 6: Software Design (Part I) Dr Valentina Plekhanova University of Sunderland, UK
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
2010 Foster Business School Acctg. 320 AIS L.DuCharme 1 AIS Development Strategies Chapter 19.
Presentation by Prabhjot Singh V-Model. Wikipedia ISTQB Exam Certification.com Resources.
Agile and Open Development Neil Chue Hong, OMII-UK Ross Gardler, OSS-Watch JISC e-Infrastructure Programme Meeting Birmingham, 7 Feb 2008.
1 Note content copyright © 2004 Ian Sommerville. NU-specific content copyright © 2004 M. E. Kabay. All rights reserved. Rapid Software Development IS301.
© John Beveridge CobiT Update NSAA IT Conference Richmond, VA John W. Beveridge September 27, 2007.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 14Slide 1 Chapter 14 Design with Reuse.
An HML white paper: Agile IT A value-driven approach to IT delivery.
Project Management From the Classroom to the Boardroom.
Microsoft Solutions Framework Executive Overview Microsofts Best Practices For IT Solutions Success Kyle Korzenowski Product Planner Microsoft Business.
Software Development Practices and Methodologies Svetlin Nakov Telerik Corporation
© 2016 SlidePlayer.com Inc. All rights reserved.