Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/
FYRM Overview (May 31, 2017)
Qualifications:
• Experience
• Respected Partner
• FedRAMP 3PAO
Performance:
• CPAR 4/4
• CMS, DOE
• Fortune 500
Strategy:
• Secure Agile
• Knowledge Sharing
• Effective & Efficient
Projects: within budget, on time, accurately completed
Agenda
• Agile Overview
• Integrating Security into an Agile World
• FISMA Compliance Integration
• Recommendations for success
Agile Overview
But first, let's talk about how applications are made (the classic sequential SDLC):
1. Planning
2. Requirements
3. Design
4. Coding / Implementation
5. Testing (QA, UAT, Security)
6. Implementation
Agile Overview
Agile cycle: Product Backlog -> Sprint Planning -> Sprint Backlog -> Sprint (Daily Scrum) -> Deployment
Rules of Agile Development:
1. You don't speak about the rules of Agile development
2. There are no rules of Agile Development
Agile Overview
Mapping Non-Security Tasks to an Agile SDLC:
• Product Backlog
  - Requirements
  - Design
  - Use Cases / Stories
• Sprint Planning
  - Development goals for sprint
  - Use Cases / Stories for sprint
  - Goal breakdown into tasks
• Sprint Backlog
  - Development tasks for use cases / stories
• Sprint
  - Coding
  - Unit Testing, Functional Testing, Code Review
  - Scrum: Design, Planning
• Deployment
  - QA
  - Testing
Agile Overview
No two Agile SDLCs are identical. Remember Rule #2: There are no rules of Agile Development.
[Cycle diagram: Requirements -> Design -> Development -> Testing and QA -> Release, with Backlog, Scrum and Sprint feeding the loop]
Integrating Security into an Agile World
Key Security Components:
• Security Controls and Requirements
• Design and Architecture
• Secure Development Training
• Code Review
• Pen Testing
Integrating Security into an Agile World
Mapping Security Tasks to an Agile SDLC:
• Product Backlog
  - Security Controls and Requirements
  - Secure Design
  - Abuse Cases / Malicious User Stories
• Sprint Planning
  - Security goals for sprint
  - Abuse Cases / Malicious User Stories for sprint
  - Security goal breakdown into tasks
• Sprint Backlog
  - Security components for development tasks and security task development
• Sprint
  - Secure Coding
  - Security Testing
  - Scrum: Secure Design, Security Planning
• Deployment
  - Security Testing
Integrating Security into an Agile World
Security Framework items carried through successive sprints:
• Input Validation
• Output Encoding
• Identify XSS
Each of Sprint n, Sprint n+1 and Sprint n+2 runs the same stages: Product Backlog -> Sprint Planning -> Sprint Backlog -> Sprint, Daily Scrums -> Deployment.
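As an added illustration (example code written for this page, not FYRM's material or any project's code) of what the three framework items above look like once they become sprint tasks: an allow-list validator for a display-name field (input validation), a renderer that encodes on output (output encoding), and a small check that flags attacker-controlled markup reaching the rendered page unencoded (identify XSS). The field name, the allow-list and the sample inputs are constructed assumptions; the "unsafe" renderer is the before-state a code review in the sprint would catch.

```python
"""Sprint-sized implementation of the security framework items
'Input Validation', 'Output Encoding' and 'Identify XSS'.
Example code added for illustration; the field, allow-list and
sample inputs are constructed."""
import html
import re

# Constructed allow-list for a user-supplied display name. An abuse case
# ("a malicious user submits markup in the display-name field") turns into
# this rule as a sprint task.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,40}$")


def validate_display_name(value: str) -> bool:
    """Input validation: accept only values matching the allow-list."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def render_greeting_unsafe(name: str) -> str:
    """Before-state: raw string concatenation into HTML.
    Kept here only so the 'Identify XSS' check below has something to flag."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting(name: str) -> str:
    """Hardened form: validate on input, encode on output.
    Encoding stays even though validation already rejects markup,
    so a later relaxation of the allow-list does not reopen the issue."""
    if not validate_display_name(name):
        raise ValueError("display name rejected by allow-list")
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def greeting_for(name: str):
    """Convenience wrapper: rendered greeting, or None when validation rejects."""
    try:
        return render_greeting(name)
    except ValueError:
        return None


def find_raw_markup(rendered: str, submitted: str) -> bool:
    """'Identify XSS' sprint check: does user-submitted text containing
    markup characters appear verbatim (unencoded) in the rendered output?
    True means the renderer under test needs the output-encoding task."""
    return ("<" in submitted or '"' in submitted) and submitted in rendered


if __name__ == "__main__":
    # Constructed sample inputs a unit test in the sprint would use.
    benign = "O'Brien"
    markup = "<b>bold</b>"
    print(render_greeting(benign))                       # encoded apostrophe
    print(greeting_for(markup))                          # None: rejected
    print(find_raw_markup(render_greeting_unsafe(markup), markup))  # True
```

The point of keeping `render_greeting_unsafe` beside `render_greeting` is that the 'Identify XSS' task has a concrete, repeatable test rather than a one-time manual finding: `find_raw_markup` can run in the sprint's unit tests against every renderer, so the backlog item closes with evidence rather than an assertion.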
Integrating Security into any SDLC
• Requirements
  - Security controls & requirements
  - Design and architecture
• Design, Development
  - Security controls & requirements
  - Design and architecture
  - Code review
  - Penetration testing
• Testing, Deployment, Operations
  - Code review
  - Penetration testing
  - Control assessment
• Secure development training (across all phases)
FISMA Compliance Integration
• Align activities
  - Development activities, control testing
  - Information Security activities, goals, projects and schedules
  - FISMA requirements, reporting/ATO deadlines
• Technical security testing
  - Review security control design
  - Code review
  - Penetration testing
• Security controls assessment
  - Obtain evidence for non-technical controls during development
  - Align with annual testing requirements
FISMA Compliance Integration
• Scope
  - Security Controls
  - Sprint Backlog
  - In-development testing vs. Annual SCA
• Schedule
  - Scrum
  - Development meetings
  - Release dates
  - ATO deadline
• Logistics
  - Test environment, accounts
  - Application testing scope
  - Other evidence
• Continuous Testing / Monitoring
  - Reporting security issues vs. FISMA findings
  - Add remediation to Backlog
Secure Agile Development
Pros and Cons with Secure Agile Development
Cons:
• No security testing in "Pure" Agile
• More security issues more frequently
• Difficulty with security integration
Pros:
• "Pure" Agile is not very common
• Well suited for quicker remediation
• Improved security and compliance once integrated
Secure Agile Development
Recommendations to improve success
• Subject Matter Experts
  - Secure Development SME
  - Application Security SME
  - Key POCs for each team
• Security testing logistics
  - Environment, accounts, etc.
  - Integrate security recommendations
  - Integrate security remediation
• Team Integration
  - Developers learn security
  - IS/Compliance learn development
  - Bridge the gap
• Development artifacts
  - Anti-agile
  - Diagrams, data flow and definitions
  - Security requirements, abuse cases
Presenter
Matthew Flick, Managing Principal
matt.flick@fyrmassociates.com
https://www.fyrmassociates.com/