HOW TO EMBED SECURITY INTO AGILE?
Momchil Karov, VanSecSIG, Best Buy Canada, Oct 12, 2018
PRESENTED BY (A.K.A. THE “WHO AM I” SLIDE)
Momchil Karov, MSc., CISSP
Principal Security Architect, Enterprise Risk and Compliance
Best Buy Canada Ltd. (100% owned subsidiary of Best Buy Co., Inc.)
WHY DO WE NEED IT, WHAT DO WE NEED AND HOW TO IMPLEMENT IT SUCCESSFULLY? A SIMPLIFIED APPROACH ALIGNED WITH AGILE’S PHILOSOPHY.
WHY CHANGE? REASON #1 – THE ENEMY
Our enemy is already Agile and has been for a long time!
• It’s highly flexible and adapts quickly to change.
• It adopts new skills and technologies extremely fast.
• It’s very focused and determined in following its goals.
So why can’t we be like our enemy?
TRADITIONAL SECURITY – THE ENFORCEMENT WAY
Enforcing security policies, standards and requirements, usually while working in silos, has been the traditional way of doing security for a long time. This approach creates waste in the business processes and sometimes even bad cross-team relationships.
SECURITY INSIDE WALLS, REASON #2 – TEAMS
[Diagram: Processes & procedures, Technology, People]
Security surrounded by walls does not allow the flow of knowledge and awareness through the organization and also breeds shadow IT. People are afraid that Security will say “No”.
OK, GOT IT, WE HAVE TO CHANGE
• A new paradigm shift.
• Transformation of culture and mindset.
• Security – responsibility of everyone.
• No more silos.
• Information security as a competitive advantage.
REASON #3 – THE CUSTOMER … OR DURABLE COMPETITIVE ADVANTAGE
A very important concept by the greatest investor of our time – Warren Buffett. The main question is: for a company with a business based on a technological competitive advantage, can this advantage be durable without a strong information security program to protect it? Here’s where security interconnects deeply with business and becomes part of the durable competitive advantage!
WHAT IS AGILE?
• Common name for a group of iterative and incremental methodologies.
• Specific mindset and style of work, following a set of values and principles, where requirements and solutions can evolve through team collaboration.
• Time-fixed, repeatable and self-adjusting process.
REALLY, WHAT IS AGILE?
[Word cloud: Agile, Develop, Working Software, Values & Principles, Decisions]
WHAT IS AGILE – A PENCIL ANALOGY
Watch the YouTube video “Agile Explained... with a PENCIL!” https://www.youtube.com/watch?v=k_ndH7B-IS4
WATERFALL VS. AGILE
Waterfall – fixed: Functionality; variable: Time, Cost, Quality.
Agile – fixed: Time, Cost, Quality; variable: Functionality.
HISTORY OF WATERFALL
Waterfall methodology – first described back in 1970 by Winston Royce as “something you shouldn’t do” in his article “Managing the Development of Large Software Systems”.
Winston Walker Royce (August 15, 1929 – June 7, 1995)
FOUR CORE VALUES OF AGILE, OR THE AGILE MANIFESTO
We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
1. Individuals and interactions over processes and tools.
2. Working software over comprehensive documentation.
3. Customer collaboration over contract negotiations.
4. Responding to change over following a plan.
That is, while there is value in the items on the right, we value the items on the left more.
12 PRINCIPLES OF AGILE
1. Satisfy the customer.
2. Welcome change.
3. Deliver frequently.
4. Work together.
5. Trust, support & motivate.
6. Face-to-face communication.
7. Working software.
8. Sustainable development.
9. Continuous attention to technical excellence.
10. Simplicity is essential.
11. Self-organized teams.
12. Reflect and adjust.
KEY FACTS ABOUT AGILE
• It’s driven by reality and customer requirements.
• It’s focused on the end user/customer, i.e. the business.
• It’s based on free communication and open collaboration.
• It takes reward/risk into account.
• It’s characterized by timely and rapid delivery of results.
• It’s highly adaptable to change, using course corrections natively.
• It relies on discipline and focus.
THE SCRUM METHODOLOGY
[Diagram of the sprint cycle: Sprint planning; Sprint review & retrospect]
MAIN ROLES IN A PRODUCT STREAM
• Scrum Master
• Team Members
• Product Owner
• Business Users
WHAT IS A USER STORY?
As a <type of user>, I want <some function>, so that <some benefit>.
Example: As a web site user, I want to be able to log in, so I can access my personalized dashboard.
EFFECTIVE COLLABORATION IS PARAMOUNT
• Open collaborative environment.
• Teams engage and share ideas easily and without constraints.
• No more working in silos.
• Everyone, as a team, is responsible for the success as well as the failure.
AUTOMATION EVERYWHERE
Popular automation tools: [not captured in the text export]
• Improve efficiency.
• Better use of resources.
• Empower the human talent.
• Don’t reinvent the wheel.
SOLUTIONS THAT MATTER
How to make sure security becomes an integral part of Agile?
Key paradigm shift: Security – responsibility of EVERYONE!
SECURITY CHAMPIONS PROGRAM
• A key strategy to address security in the Agile environment.
• Adopted successfully by many organizations.
• Creates a strong bond between Security and the Agile teams.
INDUSTRY TRENDS
“By 2021, 35% of enterprises will implement a security champions program, up from less than 10% in 2017” (Gartner)
MAIN OBJECTIVES
• Develop working and secure code.
• Manage security risk for Agile.
• Do everything the Agile way.
OWASP DEFINITION
Security Champions are active members of a team that:
• may help to make decisions about when to engage the Security Team;
• act as the “voice” of security for the given product or team;
• assist in the triage of security bugs for their team or area.
SECURITY CHAMPION’S ROLE
• Act as a security ambassador in their product streams.
• Communicate CoP (Community of Practice) decisions and knowledge back to the teams.
• Assess security impact and risk at a high level.
• Make decisions about engaging Security.
• Develop “evil stories” for their team’s sprints.
• Review and approve usage of third-party libraries.
• Have these responsibilities in their PA goals.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM?
Step 1 – Communicate: simplify the security concepts for the Agile teams and don’t reinvent the wheel, but utilize the full potential of popular Agile tools, such as Confluence/Jira.
Step 2 – Collaborate: make it easy for the Agile teams to engage Security, again by utilizing the full potential of the widely used Agile tools.
Step 3 – Coach: training and coaching are the key to achieving competence across the board and building trust. Coaching of security knowledge must follow the Agile values and principles in complete sync.
Step 4 – Trust: build a strong team relationship, based on mutual trust. It should come naturally as a result of executing steps 1 to 3 successfully.
Step 5 – Deputize: delegate responsibilities, based on the strong foundation of trust.
Step 6 – Quantify: build statistics using easy-to-implement metrics in order to measure progress and to make adjustments that further improve the overall process.
SOME PRACTICAL TASKS
• Organize continuous training sessions, preferably bi-weekly.
• Constantly improve the resources for Security Champions:
  • by creating a ‘Secure Coding Cheat Sheet’;
  • by offering online training resources for continuous self-training (e.g. Hacksplaining.com);
  • by constantly updating the ‘Secure Code’ Confluence page, following the industry.
• Possibly provide a tool for each team to create and use Evil Stories within each sprint, e.g. the Microsoft Threat Modeling Tool.
THE CONCEPT OF “EVIL STORIES”
• An innovative idea by the OWASP team.
• Simplifies the threat modeling process for Agile and makes it easier to understand.
• Provides an Agile-friendly method of including security requirements in each sprint cycle.
• Can be easily embedded in the process for each Agile sprint in the backlog as a security task to “fight evil”.
EXAMPLE OF A SECURITY STORY
Security Story: As a(n) architect/developer, I want to ensure AND as QA, I want to verify that cross-site request forgery attacks are prevented.
Backlog Tasks:
* Use one of the many available libraries and frameworks that take CSRF into account.
* Defend against cross-site scripting Story.
* Do not use HTTP GET for any method that effects a change in system state.
SAFECode Fundamental Practices:
* Use Anti-Cross Site Scripting (XSS) Libraries
* Validate Input and Output to Mitigate Common Vulnerabilities
* Use Logging and Tracing
CWE-ID: CWE-352
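As an added illustration of the backlog tasks in this CWE-352 story (not code from the slides or from SAFECode), the Python sketch below implements a synchronizer-token CSRF check with an audit trail, plus a route that refuses GET for a state change; CsrfGuard, handle_transfer and the in-memory session store are constructed for the example.

```python
import hmac
import secrets

# Methods that may change server state and therefore need a CSRF token.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfGuard:
    """Synchronizer-token CSRF check (constructed example, not a real framework)."""

    def __init__(self):
        self._tokens = {}   # session_id -> token; stands in for a session store
        self.audit = []     # "Use Logging and Tracing": every rejection is recorded

    def issue_token(self, session_id):
        """Mint an unguessable per-session token to embed in forms."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def check(self, method, session_id, submitted):
        """Return (allowed, reason) for one request."""
        if method not in STATE_CHANGING_METHODS:
            return True, "safe method"          # nothing to protect if nothing changes
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            self.audit.append((session_id, method, "missing token"))
            return False, "missing token"
        # Constant-time compare on bytes so odd encodings cannot raise or leak timing.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            self.audit.append((session_id, method, "token mismatch"))
            return False, "token mismatch"
        return True, "token ok"


def handle_transfer(guard, method, session_id, token, balances, amount):
    """Hypothetical money-transfer route; returns an HTTP status code."""
    if method == "GET":
        return 405  # a state change must never be reachable by GET
    allowed, _ = guard.check(method, session_id, token)
    if not allowed:
        return 403  # forged cross-site request, or a form rendered without a token
    balances["alice"] -= amount
    return 200
```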