Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations


Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Agile + SDL Concepts and Misconceptions Avi Douglen Aware Security (972) Nir Bregman Senior Project Manager, HP (972) /09/2011

2 OWASP 2 Agenda  Introduction  Misconceptions  Problems  Concepts  Solution

3 OWASP INTRODUCTION 3

4 OWASP “Agile” – A Definition “… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.” – Wikipedia 4

5 OWASP Agile Methodology – Key Features  Early feedback  Prioritized “backlog”  Inherent improvement process  Adaptive to changes  Short, incremental iterations or sprints  ‘Release like’ version every iteration  Team selects “user stories” 5

6 OWASP “SDL” – A Definition “A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.” - Wikipedia 6

7 OWASP SDL – Microsoft Model 7

8 OWASP SDL – OWASP Model (CLASP) 8

9 OWASP SDL – Key Features  Activities for each development phase  Relatively formal process  Carefully controlled development 9

10 OWASP SDL – Main Activities  General  Designing SDLC model  Policies & guidelines  Training & education  Tools & products  Requirements Analysis  Classification  Security planning  Security requirements  Architecture  Initial Threat Modeling  Secure Architecture  Design  Detailed Threat Modeling  Mitigation of threats  Secure Design  Formulating security guidelines  Security Design Review  Coding  Secure Coding  Unit security tests  Initial security code review  Security push  Testing  Regression testing  Final security code review  Deployment inspection  Black box penetration tests  Final Security Review  Maintenance  Security response  Secure change management  Security bug tracking  Metrics  Process improvement 10

11 OWASP MISCONCEPTIONS 11

12 OWASP Agile is… … really just “Waterfall”, repeated over and over again 12

13 OWASP SDL is… Only good for “Waterfall” process 13

14 OWASP Agile is… Like the “Wild West” of programming 14

15 OWASP SDL is… Control freaks 15

16 OWASP Agile is… Inconsistent 16

17 OWASP SDL is… Not flexible 17

18 OWASP Agile is… Out of control 18

19 OWASP SDL is… Very heavy process 19

20 OWASP Agile means… No documentation 20

21 OWASP SDL means… lots of boring documents 21

22 OWASP Agile is… 22 An excuse to take shortcuts

23 OWASP SDL is… Full of duplicate activities 23

24 OWASP Agile means… No planning 24

25 OWASP SDL is… Unnecessary, for good programmers 25

26 OWASP Agile is… Never ending 26

27 OWASP SDL is… Slowing down real development 27

28 OWASP Agile is… a set of ceremonies and disconnected techniques 28

29 OWASP SDL is… a set of ceremonies and disconnected tasks 29

30 OWASP PROBLEM 30

31 OWASP Agile + SDL = FAIL! SDL  Heavy Agile  Light 31

32 OWASP Agile + SDL = FAIL! SDL  Strict process Agile  Adaptive process 32

33 OWASP Agile + SDL = FAIL! SDL  Structured phases Agile  Short iterations 33

34 OWASP Agile + SDL = FAIL! SDL  Lots of activities Agile  “Just enough” 34

35 OWASP Agile + SDL = FAIL! SDL  Predefined checkpoints Agile  Predefined priorities 35

36 OWASP Agile + SDL = FAIL! SDL  Centralized control Agile  Independent teams 36

37 OWASP Agile + SDL = FAIL! SDL  Lots o’ docs Agile  Not so much 37

38 OWASP Agile + SDL = FAIL! SDL  Assurance Agile  Responsibility 38

39 OWASP Agile + SDL = …? Putting SDL on top of Agile kind of feels like… 39

40 OWASP 40

41 OWASP We’ve been doing it wrong! 41

42 OWASP CONCEPTS 42

43 OWASP Agile Philosophy For SDL  “Early Feedback” already built in  Add Security to cross-functional team  Always do “just enough” work  Focus on the current sprint backlog  Prioritize, don’t micro-manage 43

44 OWASP Training Independent developers: Just teach them how to do things right 44

45 OWASP Mapping SDL to Agile Discovery Security planning 45

46 OWASP Mapping SDL to Agile Acceptance Tests Security requirements 46

47 OWASP Mapping SDL to Agile Non-functional stories Security features 47

48 OWASP Mapping SDL to Agile Integration QA Security testing 48

49 OWASP Mapping SDL to Agile  UserStory “Done definition”  Sprint entry criteria  Release completion criteria Security tasks 49

50 OWASP Mapping SDL to Agile “Abuser” stories Countermeasures 50

51 OWASP Frequency-based “Wedges” 51

52 OWASP SUGGESTED SOLUTION 52

53 OWASP Ramp-up / Prerequisites  Security advisor  Coding guidelines  Regulations and policies  Training 53

54 OWASP First Discovery  Security plan  Baseline Threat Model  Security response plan 54

55 OWASP Discovery  Design review for User Stories  User Stories for security features  Review changes to Tech.Spec  Update Threat Model for features 55

56 OWASP Sprint Entry Criteria  Automated static code analysis  Fix all High+ security bugs 56

57 OWASP UserStory Done Definition  Secure coding  Focused manual code reviews (via “eXtreme Programming”)  Build security Unit Tests  Pass security user story tests 57

58 OWASP Integration QA  In-depth manual code review  Penetration testing  Review default configuration 58

59 OWASP Release Completion Criteria  Ensure recent training  Response plan is updated  High-level security review (FSR) 59

60 OWASP “Bucket” Requirements  Verification bucket  Design bucket  Planning bucket  Security bug bar  Privacy test plan  DRP / BCP 60  Review crypto design  Strong names  Privacy review  Fuzzing  Binary analysis  COM object testing

61 OWASP Security “Spike”  Entire Sprint focused on security  Handle “Security Debt”  Intensive search for vulnerabilities  Do cross-feature requirements 61

62 OWASP Summary  “Classic” SDL was about external control  Agile SDL is about internal control  Change from prescriptive to descriptive  Teams are expected to do the right thing  Can be even stronger than “Classic” SDL 62

63 OWASP Questions? 63


Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations


Ads by Google