Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reduce Security Risk in Your Development

Published byEzra Bigwood Modified over 9 years ago

Similar presentations

Presentation on theme: "Reduce Security Risk in Your Development"— Presentation transcript:

1 Reduce Security Risk in Your Development
Part II: Creating an Agile SSDLC Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA #SecureDev

2 What We’ll Cover Today How is secure Agile development different?
Creating a User Story with integrated security Security Tasks and Testing Managing security Defects Security architecture Agile Threat Map #SecureDev

3 Quick Recap of Session 1 Information security overview
What are the most common threats? How to protect sensitive data, both from a methodology and technology standpoint Standards and tools NIST SP A, OpenSAMM, OWASP

4 How is Secure Agile Development Different?
Traditional / Waterfall Agile Security Timing Distinct security-focused project phases, often at beginning and end of project Security skills brought in from outside project, often disconnected from dev/test resources Specific security testing phase, often at end of project. Every iteration considers security, but is not limited by it. Every team member is responsible for security. Security skills are embedded in the team. Hybrid security and functionality testing, throughout project. Security Resources Security Validation

5 Secure Agile Development Guiding Principles
Product value improves with security. Security is integral to the product, not an afterthought. Outside security resources (standards, threats, experts) provide background, not a cage.

6 Agile security myths - 1 Myth: I’m a developer / product owner / scrum master. Security is someone else’s job. Reality: The complex threats facing applications today requires everyone to be thinking about security. Secure business logic Secure coding practices Secure test methods Secure data architecture Secure deployment environment

7 Agile security myths - 2 Myth: Compliance with an Information Security Standard isn’t Agile Reality: Compliance with an Information Security Standard, such as NIST SP A, is actually easier in an Agile environment, because “baking in” security in smaller pieces allows for simple compliance test cases and less backtracking

8 Secure User Stories The #1 tenet of secure Agile development is to “bake” security into every user story Remember: Stories should be defined such that the lowest level child story can be implemented and accepted in a single iteration Any security component(s) of the story, therefore, must be lightweight What is the most basic security functionality required for the story to be compliant? Don’t let security define the user story. Let the user story define the security.

9 Great, Secure User Stories (from Write a Great User Story, by Ronica Roth)

10 VIDEO DEMO 1 VIDEO DEMO – Creating a great user story with security elements included in Acceptance Criteria and Definition of Done

11 Secure User Story DON’Ts
DON’T change the user story template “As a <user type>, I want to <function> so that <benefit>” NOT “As a <user type>, I want to <function> so that <benefit> and <yadda yadda yadda security drivel here>” DON’T create “Security Epics” DON’T assign secure user story creation to “the security guy/gal” DON’T put technical security tasks in the user story itself.

12 Security Tasks For each user story, the Developer should create tasks necessary to meet security acceptance criteria Developer should also detail any security testing tasks, as part of defining all the testing tasks for the story Security review may also be added as a task, assigned to a security specialist

13 VIDEO DEMO 2 VIDEO DEMO – Adding security related tasks and testing to a user story

14 Security Defects Security defects may be identified
As part of iteration testing After product deployment Tagging security defects makes them easier to identify and prioritize Once defined, security defects are managed along with other defects as part of iteration acceptance and scheduling

15 VIDEO DEMO 3 VIDEO DEMO – Security defect management

16 Security Architecture
From The Principles of Agile Architecture by Alex Yakyma and Dean Leffingwell, with contributions from Ryan Martens and Mauricio Zamora

17 Security Architecture
[..] in the context of secure Agile enterprise software systems, we need both: fast, local control of emergent design so that teams react appropriately to changing security requirements without excessive attempts to future risk proof the system, and global control of Intentional Architecture, the guidance needed to assure that the system as a whole has conceptual integrity and efficacy security. Achieving the right balance of emergent design and intentional architecture drives effective secure evolution of the system [..] From The Principles of Agile Architecture by Alex Yakyma and Dean Leffingwell, with contributions from Ryan Martens and Mauricio Zamora

18 Agile Threat Mapping Assessment of key threats to business value, process, or data set Tied to real-world, known threats – not “theoretical” Communicated to all team members Completed by team, not by “security guy/gal”

19 Agile Threat Mapping Template
<Business Value> or <Business Process> or <Data Set> <Business Value> or <Business Process> or <Data Set> <Business Value> or <Business Process> or <Data Set> <Business Value> or <Business Process> or <Data Set> Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) Confidentiality: (High, Med, Low) Integrity: (High, Med, Low) Availability: (High, Med, Low) A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure A1 – Injection A3 – Cross-site Scripting A6 – Sensitive Data Exposure

20 Checking Our Work

21 Contact me: trent@appliedtrust.com Twitter: @trenthein
Questions? Contact me: #SecureDev

22 Up Next: Agile Secure Code Review
July 24th | 10am ET Trent R. Hein, CCIE, CISSP, ISSMP, ISSAP, CSSA #SecureDev

23 Go Agile. Go Rally. #SecureDev

Download ppt "Reduce Security Risk in Your Development"

Similar presentations

Iteration Planning.

Iteration Planning.
Prescriptive Process models

Prescriptive Process models
SCRUM basics Julie Rudder & Claire Stewart. What is scrum (Claire) Scrum roles (Claire) Scrum rhythms and processes (Claire) How to write stories (Julie)

SCRUM basics Julie Rudder & Claire Stewart. What is scrum (Claire) Scrum roles (Claire) Scrum rhythms and processes (Claire) How to write stories (Julie)
Reduce Security Risk in Your Development

Reduce Security Risk in Your Development
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Agile Development Primer – Using Roundtable TSMS in an Agile Shop Michael G. Solomon Solomon Consulting Inc.

Agile Development Primer – Using Roundtable TSMS in an Agile Shop Michael G. Solomon Solomon Consulting Inc.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Interoperability. What is testing? Where have we come from? Where are we now? Why is nFocus at MSAIC? Overview.

Interoperability. What is testing? Where have we come from? Where are we now? Why is nFocus at MSAIC? Overview.
Chapter 2 – Software Processes Lecture 1 1Chapter 2 Software Processes.

Chapter 2 – Software Processes Lecture 1 1Chapter 2 Software Processes.
Agile Usability Testing Methods

Agile Usability Testing Methods
Sharif University of Technology Session # 3.  Contents  Systems Analysis and Design Sharif University of Technology MIS (Management Information System),

Sharif University of Technology Session # 3.  Contents  Systems Analysis and Design Sharif University of Technology MIS (Management Information System),
<<replace with Customer Logo>>

<<replace with Customer Logo>>
© 2013 IBM Corporation Tivoli and Maximo Quality Improvement Initiatives March 2014.

© 2013 IBM Corporation Tivoli and Maximo Quality Improvement Initiatives March 2014.
Agile development By Sam Chamberlain. First a bit of history..

Agile development By Sam Chamberlain. First a bit of history..
GAI Proprietary Information

GAI Proprietary Information
05 | Define End Value for the Software Iteration Steven Borg | Co-founder & Strategist, Northwest Cadence Anthony Borton | ALM Consultant, Enhance ALM.

05 | Define End Value for the Software Iteration Steven Borg | Co-founder & Strategist, Northwest Cadence Anthony Borton | ALM Consultant, Enhance ALM.
Computer Engineering 203 R Smith Agile Development 1/2009 1 Agile Methods What are Agile Methods? – Extreme Programming is the best known example – SCRUM.

Computer Engineering 203 R Smith Agile Development 1/ Agile Methods What are Agile Methods? – Extreme Programming is the best known example – SCRUM.
Xtreme Programming. Software Life Cycle The activities that take place between the time software program is first conceived and the time it is finally.

Xtreme Programming. Software Life Cycle The activities that take place between the time software program is first conceived and the time it is finally.
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.

Similar presentations

Ads by Google