當軟體安全遇上敏捷 When Software Security Meet Agile 曾義峰 (Ant) yftzeng@gmail.com 2019-03-21
Introduction & Research interest 13 年互聯網研發經驗, 4 年顧問資歷。 時而編程,時而沉浸於法律領域、倘洋於資訊安全世界中。 Web Security ( 網頁安全 ) Data(base) Security ( 資料安全 ) Agile Way ( 敏捷方法 ) Compliance ( 法遵 / 合規 ) 2/78
Agenda 1 SDLC & Agile 引言 2 Product Owner & Stakeholders 角色 3 DevOps & Security 文化 4 CI/CD & Pipeline 實踐 3/78
Agenda 1 SDLC & Agile 引言 2 Product Owner & Stakeholders 3 DevOps & Security 4 CI/CD & Pipeline 4/78
Software Development Life Cycle (SDLC) Requirements Design Code Test Deploy 5/78
Secure Software Development Life Cycle (SSDLC) Requirements Risk Assessment Design Review Design & Threat Modeling Code Static Analysis Code Review Test & Penetration Testing Secure Configuration Deploy & Security Assessment 6/78
Secure Software Development Life Cycle (SSDLC) Requirements Risk Assessment Design Review Design & Threat Modeling Code Static Analysis Wa t e r f a l l E V E R Y T H I N G WO R K WE L L Code Review Test & Penetration Testing Secure Configuration Deploy & Security Assessment 7/78
Agile 8/78 Credit: https://medium.com/innodev/agile-development-for-dummies-dd161da253c7
Agile Scrum 9/78 Credit: https://www.kisspng.com/png-scrum-sprint-agile-software-development-systems-de-4949713/
Agile Kanban 10/78 Credit: https://sanzubusinesstraining.com/how-to-create-a-kanban-board-to-manage-your-to-do-list/
Agile 我們將嘗試一種稱為敏捷開發的模式。 意味著不需計畫,不需文檔。只要寫程式和發牢騷就好。 11/78 Credit: https://dilbert.com/strip/2007-11-26
Agile Prejudices 推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。 12/78
Agile Prejudices 推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。 13/78
Agile 14/78 Credit: http://www.commitstrip.com/en/2017/06/19/security-too-expensive-try-a-hack/
Agile 15/78
Agile A g i l e ≠ F a s t 16/78
Agile 很多公司都有推動各種敏捷專案管理流程。 例如 Scrum 或 Kanban 。 但其中有具備資安 (Security) 思維的只有一小部分。 更不用論更大範圍的法遵 / 合規 (Compliance) ,例如 GDPR 等。 17/78
誰說 Agile Coach 不需要懂資安 !? Injection 頻繁安插的無理需求、急件 Agile 18/78
誰說 Agile Coach 不需要懂資安 !? Injection XSS 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 Agile 19/78
誰說 Agile Coach 不需要懂資安 !? Injection XSS 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 Agile StackOverflow 我是 Full-Stack Developer 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出 20/78
誰說 Agile Coach 不需要懂資安 !? Injection XSS 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 Agile StackOverflow God Injection 老闆一聲令下 我是 Full-Stack Developer 搖身變為隕石開發法 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出 21/78
隕石開發法 Waterfall 22/78 Credit: http://eiki.hatenablog.jp/entry/meteo_fall
隕石開發法 Agile 23/78 Credit: http://eiki.hatenablog.jp/entry/meteo_fall
隕石開發法 Agile 無論什麼方法,在神面前, 都無用 24/78 Credit: http://eiki.hatenablog.jp/entry/meteo_fall
Agenda 1 SDLC & Agile 2 Product Owner & Stakeholders 角色 3 DevOps & Security 4 CI/CD & Pipeline 25/78
Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的 唯 一人 員 。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責 與客戶 和利 益相關者 合作 以了解 他們的需求。” 26/78 Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的 唯 一人 員 。” Who are your stakeholders ? 誰是 你 們的利 益相關者 “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責 與客戶 和利 益相關者 合作 以了解 他們的需求。” 27/78 Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的 唯 一人 員 。” Security officer should start taking up the role of security stakeholders “The PO role is responsible for working with the customers and 資安 官應該 開 始擔任 利 益相關者 的角色 stakeholders to understand their needs.” “ 產品負責人負責 與客戶 和利 益相關者 合作 以了解 他們的需求。” 28/78 Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team
Product Backlog Product Backlog Item (PBI) : ● Features ● Bugs ● Refactoring ● Spike ● … ● Security Features ● Security Stories ● Attacker Stories ● Ab- U se U ser Stories 29/78
Product Backlog BDD Scenario : U ser are able to register Given the user is on “ /users/register ” When the user types the email “ yftzeng@gmail.com ” When the user types the password “ xxx ” When the user clicks the register button Then the response should contains “ Password must be at least 8 characters long ” ... 30/78
Product Backlog BDD Scenario : The application should not contain S QL in j ection vulnerabilities And the S QL -In j ection policy is enabled And the attack strength is set to H igh And the alert threshold is set to L ow When the scanner is run And the following false positives are removed | url | parameter | cweId | wascId | And the XML report is written to the file output/security/s q l _ in j ection. x ml Then no M edium or H igher risk vulnerabilities should be present 31/78 Credit: https://continuumsecurity.net/bdd-security/
Product Backlog BDD Scenario : Present the login form itself over an H TTPS connection Given a new browser instance And the client/browser is configured to use an intercepting pro x y And the pro x y logs are cleared And the login page is displayed And the H TTP re q uest-response containing the login form Then the protocol should be H TTPS And ... 32/78 Credit: https://continuumsecurity.net/bdd-security/
Tools BDD SpecFlow (. NE T) ● Cucumber (Ruby) ● J Behave ( J ava) ● Behat (P H P) ● J est ( J avaScript) ● Godog (Go) ● … ● 33/78
Agenda 1 SDLC & Agile 2 Product Owner & Stakeholders 3 DevOps & Security 文化 4 CI/CD & Pipeline 34/78
DevOps & Security ⋅ 《 Dev Ops 》 同 Agile / L ean ,具備 自 身 核心 ,更 快 的 執行速度 和更 快 的 學習速度 。 這 就是為什麼 它 經 常被描述 為一種文化。 從 DevOps 視 角, 探討 Security 35/78
DevOps & Security ⋅ 《 Dev Ops 》 同 Agile / L ean ,具備 自 身 核心 ,更 快 的 執行速度 和更 快 的 學習速度 。 這 就是為什麼 它 經 常被描述 為一種文化。 36/78
DevOps & Security 37/78
DevOps & Security SecDevOps—sometimes called “ Rugged DevOps ” or “ security at speed ” —as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. 38/78 Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
DevOps & Security “SecDevOps seeks to embed security inside the development process as deeply as DevOps has done with operations” (SecDevOps 旨 在將開發過程中的資訊安全 深入到 DevOps 的 操 作中 ) SecDevOps—sometimes called “ Rugged DevOps ” or “ security at speed ” —as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. 39/78 Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
Recommend
More recommend