implementing security into agile sdlc
play

Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP - PowerPoint PPT Presentation

Mar 06, 2024 •133 likes •523 views

Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode O pen4education # whoami Anderson Dadario Consultant at Flare Security 5+ years working with development & infosec Globalcode

  1. Implementing Security into Agile SDLC Anderson Dadario, CISSP, CSSLP Flare Security Globalcode – O pen4education

  2. # whoami • Anderson Dadario • Consultant at Flare Security • 5+ years working with development & infosec Globalcode – O pen4education

  3. What you will learn • Motivations for Secure SDLC • A little about Waterfall SDLC Security • Agile SDLC Security • Security Resources Allocation • Risk Management • How to scale security resources • Software Assurance Maturity Model Globalcode – O pen4education

  4. What’s your security program? • Nothing but a scan after release? • Automated? • Looking for a badge or seal? • Manual? • Ad hoc ? Globalcode – O pen4education

  5. Motivations for Secure SDLC (1-2) http://www.microsoft.com/security/sdl/about/benefits.aspx Globalcode – O pen4education

  6. Motivations for Secure SDLC (2-2) https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf Globalcode – O pen4education

  7. Waterfall Methodology Globalcode – O pen4education

  8. Waterfall Characteristics • Well-defined sequential phases; • Significant part of the project must be planned upfront; • Stresses the importance of requirements; • Changes are controlled. Major changes are only allowed if the CCB (Change Control Board) approves them. Globalcode – O pen4education

  9. Waterfall in the Real World Development Manager Business Analyst Project Manager Developer Product Manager Offshoring Globalcode – O pen4education

  10. It’s time to ... INJECT SECURITY Globalcode – O pen4education

  11. Waterfall Security Awareness Globalcode – O pen4education

  12. Waterfall in the Real World Development Manager Business Analyst Project Manager Developer Product Manager Offshoring Globalcode – O pen4education

  13. Waterfall Security Characteristics • Bundled within each phase; • Few or no meetings at all with the Security team; • Bureaucratic as Waterfall demands to be. Globalcode – O pen4education

  14. Let’s Talk Agile Globalcode – O pen4education

  15. Scrum Roles Globalcode – O pen4education

  16. Scrum Artifacts Burndown Chart Globalcode – O pen4education

  17. Scrum Ceremonies Globalcode – O pen4education

  18. It’s time to …. INJECT SECURITY Globalcode – O pen4education

  19. But first keep these points in mind • Understand the methodologies currently in use at your company; • Maximize the efficiency of security injection; • Avoid Single Point of Failure (absence of a security expert); • There will be multiple products for limited security experts; • Your company may hire more developers than security experts; • The software must be rugged ( Rugged Software Manifesto ). Globalcode – O pen4education

  20. The Rugged Manifesto Globalcode – O pen4education

  21. Strategy #1 Participate in everything Globalcode – O pen4education

  22. Strategy #1 Analysis Pros: Cons: • Security Expert is complete • Security Expert’s time got too aware of the project and can much consumed; rapidly inject security: • Single Point of Failure; • in the sprint backlog stories; • Planning participation is most of • doing security awareness the part a waste of time; during the ceremonies. • Too much daily become troublesome. Globalcode – O pen4education

  23. Strategy #2 Post-Planning, ‘Dailyless’ Post-Planning Globalcode – O pen4education

  24. Strategy #2 Analysis Pros: Cons: • Security Expert’s time is used • You are messing up with Scrum wisely. methodology because stories cannot change after planning; • Single Point of Failure persists; • Less security awareness. Globalcode – O pen4education

  25. Strategy #3 Grooming, Security Roles Security Architect Security Engineer Grooming Globalcode – O pen4education

  26. Strategy #3 Analysis Pros: Cons: • Security Expert’s time is used • More people are involved, then wisely; the security injection become • No Single Point of Failure; more complex. • Security injection that respects the development process. Globalcode – O pen4education

  27. This ain’t over. What about ... • Stories that are created after the planning? • Security stories negotiation? • Risk Management? • Maximize even more the security injection? Globalcode – O pen4education

  28. Stories that are created after the planning • It should not be common, but it can happen; • Define a process to handle it; • The Information Security team must be aware and perform its assessment . Globalcode – O pen4education

  29. Security stories negotiation • It will always be a challenge, no matter what; • Focus on the risk ; • Define the Quality Gates before publish and agree these gates with the Product Owner. Globalcode – O pen4education

  30. Risk Management (1-3) • Perform Threat Modeling on Grooming; • Inject Security on: • Acceptance Criteria for specific requirements; • Definition of Done for generic requirements. • Automate Security Acceptance Criteria tests; Globalcode – O pen4education

  31. Risk Management (2-3) • Take advantage of the agile tools: • Put labels on Jira stories; • Extract the labeled stories using JQL (Jira Query Language) API; • Integrate the extracted risks to your company risks platform / dashboard; Globalcode – O pen4education

  32. Risk Management (3-3) Threat Model Case #ID 05 Asset User Credentials Threat Threat action aimed to illegally access and use another user's credentials, such as username and password. Risk High Threat Agent External Attacker Threat Type (STRIDE) Spoofing Security Control Authentication Mitigation Controls ● Appropriate authentication ● Protect secret data ● Don't store secrets Incident Response Procedures Block user account, revoke password, etc Globalcode – O pen4education

  33. Maximize even more the Security Injection • Extreme Programming (XP) practices • Continuous Processes • Continuous Integration • Design Improvement • Shared Understanding • Coding Standard • Collective Code Ownership • Simple Design • DevOps Security, Security Champions • Mailing Lists, Tech Talks, Software Assurance Maturity Model Globalcode – O pen4education

  34. OpenSAMM (1-2) Globalcode – O pen4education

  35. OpenSAMM (2-2) Globalcode – O pen4education

  36. Final Thoughts • The more you respect the developers process, the more they will respect yours; • Scrum is about constant learning so always be thinking how you can tweak your process to make it better; • Apply the concepts to the way of your company builds software since there is no silver bullet . Globalcode – O pen4education

  37. References & Resources • Scrum.org: https://www.scrum.org/ • Extreme Programming: http://www.extremeprogramming.org/ • Veracode Webinars: • https://info.veracode.com/webinar-secure-agile-through-an-automated-toolchain-how-veracode-rd-does-it.html • https://info.veracode.com/webinar-building-security-into-the-agile-sdlc.html • RSA Conference Europe: http://www.rsaconference.com/writable/presentations/file_upload/asec-107.pdf • Gotham: http://pt.slideshare.net/SOURCEConference/are-agile-and-secure-development-mutually-exclusive-source-2011 • Microsoft SDL: http://microsoft.com/sdl • OWASP: https://www.owasp.org • OpenSAMM: http://www.opensamm.org/ • Flare Security: http://flaresecurity.com • Anderson Dadario’s blog: http://dadario.com.br • Rugged Software: https://www.ruggedsoftware.org/ Globalcode – O pen4education

  38. Thank You Anderson Dadario, CISSP, CSSLP http://dadario.com.br http://flaresecurity.com Globalcode – O pen4education

Recommend

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza Implementation Challenges Iron Triangle Security as an afterthought The Secure SDLC in the Waterfall Model SDLC vs Secure SDLC Cost Reduction

1.3k views • 11 slides
Move left in the SDLC z - Jaswinder Kaur z Jaswinder Kaur Senior Security Engineer at

Move left in the SDLC z - Jaswinder Kaur z Jaswinder Kaur Senior Security Engineer at

Move left in the SDLC z - Jaswinder Kaur z Jaswinder Kaur Senior Security Engineer at T-Mobile, Washington Worked previously in DC government and Bank of America Expertise in web application security testing, architecture

286 views • 16 slides
Lessons From Implementing Agile Across the Entire Product Lifecycle About Me Larry Cummings

Lessons From Implementing Agile Across the Entire Product Lifecycle About Me Larry Cummings

Lessons From Implementing Agile Across the Entire Product Lifecycle About Me Larry Cummings larry.cummings@isostech.com Atlassian Certified Professional Product Developer Agile practitioner Interested in teams, process and

527 views • 48 slides
1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN SECURITY CONCEPT According to the human security principles PROTECTION OBJECTIVE TOP-DOWN Support the formulation of public policies (gender,

1.15k views • 14 slides
1 A SDLC Software Development Lifecycle Its a set of tools, artifacts, and work

1 A SDLC Software Development Lifecycle Its a set of tools, artifacts, and work

1 A SDLC Software Development Lifecycle Its a set of tools, artifacts, and work practices an organization uses to create software. That SDLC is integrated into a workflow process within the organization to get the requirements

330 views • 30 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R A C K Vendor? Customer? In-house team? New to agile? Some agile? 100% agile? Questions, feedback on Twitter #SellingAgile The Story 1.

918 views • 54 slides
Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places

906 views • 32 slides
Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Pole Vaulting over Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places Consulting, Research,

581 views • 32 slides
Implementing Lean and Agile Approaches An organization Journey Case study Waffa Karkukly,

Implementing Lean and Agile Approaches An organization Journey Case study Waffa Karkukly,

happy projects12 Implementing Lean and Agile Approaches An organization Journey Case study Waffa Karkukly, Ph.D, MIT, PMP April 25, 2013 happy projects12 Outline About the Organization The Situation Why Lean and Agile PMO as the

720 views • 34 slides
Implementing Agile Everywhere End User Computings Service/Support teams SITE SERVICES

Implementing Agile Everywhere End User Computings Service/Support teams SITE SERVICES

Implementing Agile Everywhere End User Computings Service/Support teams SITE SERVICES CARE4CUSTOMER SUPPORT` Global Team Team provides innovative infrastructure support that enables Business capabilities: Customer Relationship

502 views • 33 slides
The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE Collaboration 2009 Fermi Symposium 2 - 5 November 2009, Washington AGILE on PSLV-C8 Sriharikota, India The AGILE April 15, 2007 Payload: the most

853 views • 38 slides
SDLC Lessons Learned By Vincent Liu Agenda Know what to look for Understand what you

SDLC Lessons Learned By Vincent Liu Agenda Know what to look for Understand what you

SDLC Lessons Learned By Vincent Liu Agenda Know what to look for Understand what you find And learn from the mistakes of others. App Sec Assurance Program Support Requirements Design Development QA Test Release &

467 views • 23 slides
AGILE PUB brusselspictures.com Andrea Tomasini Andrea trained and coached a diverse range of

AGILE PUB brusselspictures.com Andrea Tomasini Andrea trained and coached a diverse range of

AGILE PUB brusselspictures.com Andrea Tomasini Andrea trained and coached a diverse range of teams and helped many companies in various industries: finance, telecommunication and automotive in implementing agile methods like Scrum. His

435 views • 19 slides
Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without Increasing the Headcount Anderson Maranho Ventura Dadario Information Security Flare Security, So Paulo, Brazil anderson@dadario.com.br

428 views • 3 slides
Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),

Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),

Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001), http://www.agilealliance.org/ . [Alexander2002] I. Alexander, Initial Industrial Experience of Misuse Cases in Trade-Off Analysis, pp. 1113 in

503 views • 12 slides
S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment

S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment

XP07 S t r e t c h i n g the Agile Envelope Agile Software Development Meets Corporate Deployment Procedures: Stretching the Agile Envelope David Leip Olly Gotel ibm.com Chief Innovation Dude Department of Computer Science Agile Methods

123 views • 10 slides
The Rat Race to Deploy AI Models: The Problem of Being on Top of the Gartner Hype Cycle

The Rat Race to Deploy AI Models: The Problem of Being on Top of the Gartner Hype Cycle

The Rat Race to Deploy AI Models: The Problem of Being on Top of the Gartner Hype Cycle Varshanth R Rao CS846 Course Project Agenda 1. Introduction to SDLC 2. GHC and Effects on SDLC 3. Basic Concepts 4. Case Study 5. Post Mortem/Take

530 views • 31 slides
Implementing Security and Incident Response with the ELB Miguel Zenon Nicanor L. Saavedra

Implementing Security and Incident Response with the ELB Miguel Zenon Nicanor L. Saavedra

Implementing Security and Incident Response with the ELB Miguel Zenon Nicanor L. Saavedra SECURITY ENGINEER github.com/zzenonn linkedin.com/in/zzenonn t h s Module Define Elastic Load Balancing Overview Understand different ELB security

666 views • 33 slides
When Software Security Meet Agile (Ant) yftzeng@gmail.com

When Software Security Meet Agile (Ant) yftzeng@gmail.com

When Software Security Meet Agile (Ant) yftzeng@gmail.com 2019-03-21 Introduction & Research interest 13 4

964 views • 78 slides
Implementing Security Control Loops in Security Autonomous Response Networks Hristo Dimitrov SNE

Implementing Security Control Loops in Security Autonomous Response Networks Hristo Dimitrov SNE

Introduction Research Questions Proof of Concept Results Conclusions Questions? Implementing Security Control Loops in Security Autonomous Response Networks Hristo Dimitrov SNE University of Amsterdam & TNO Supervisors: Marc X. Makkes

408 views • 25 slides
Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput

Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput

Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput Focused, Human Powered Dennis Stevens Enterprise Agile Coach www.leadingagile.com OPM3: Deputy Project Manager www.dennisstevens.com PMI Agile

851 views • 71 slides
W6 September 29, 2004 3:00 PM C USTOMER F OCUSED B USINESS M ETRICS THROUGHOUT THE SDLC Steve

W6 September 29, 2004 3:00 PM C USTOMER F OCUSED B USINESS M ETRICS THROUGHOUT THE SDLC Steve

BIO PRESENTATION W6 September 29, 2004 3:00 PM C USTOMER F OCUSED B USINESS M ETRICS THROUGHOUT THE SDLC Steve Wrenn Liberty Mutual Insurance Information Systems Better Software Conference & EXPO September 27-30, 2004 San Jose, CA USA

569 views • 32 slides
Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile

Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile

Agile Development emmet labs David Verba david@adaptivepath.com Agile Introduction Agile Manifesto Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract

582 views • 31 slides

More recommend