Agile + SDL Concepts and Misconceptions

Post on 28-Jan-2016


Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org

Agile + SDL Concepts and Misconceptions

Avi Douglen, Aware Security, avid@AwareID.com, (972)-52-7891133

Nir Bregman, Senior Project Manager, HP, nir.bregman@hp.com, (972)-54-5597038

15/09/2011


Agenda

Introduction

Misconceptions

Problems

Concepts

Solution


INTRODUCTION


“Agile” – A Definition

“… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.”

– Wikipedia

Agile Methodology – Key Features

Early feedback

Prioritized “backlog”

Inherent improvement process

Adaptive to changes

Short, incremental iterations or sprints

‘Release like’ version every iteration

Team selects “user stories”

“SDL” – A Definition

“A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.”

– Wikipedia

SDL – Microsoft Model


SDL – OWASP Model (CLASP)


SDL – Key Features

Activities for each development phase

Relatively formal process

Carefully controlled development

SDL – Main Activities

General: Designing SDLC model; Policies & guidelines; Training & education; Tools & products

Requirements: Analysis; Classification; Security planning; Security requirements

Architecture: Initial Threat Modeling; Secure Architecture

Design: Detailed Threat Modeling; Mitigation of threats; Secure Design; Formulating security guidelines; Security Design Review

Coding: Secure Coding; Unit security tests; Initial security code review; Security push

Testing: Regression testing; Final security code review; Deployment inspection; Black box penetration tests; Final Security Review

Maintenance: Security response; Secure change management; Security bug tracking; Metrics; Process improvement

MISCONCEPTIONS


Agile is…

… really just “Waterfall”, repeated over and over again

SDL is…

Only good for “Waterfall” process


Agile is…

Like the “Wild West” of programming


SDL is…

Control freaks


Agile is…

Inconsistent


SDL is…

Not flexible


Agile is…

Out of control


SDL is…

Very heavy process


Agile means…

No documentation


SDL means…

Lots of boring documents

Agile is…

An excuse to take shortcuts

SDL is…

Full of duplicate activities


Agile means…

No planning


SDL is…

Unnecessary, for good programmers


Agile is…

Never ending


SDL is…

Slowing down real development


Agile is…

a set of ceremonies and disconnected techniques

SDL is…

a set of ceremonies and disconnected tasks


PROBLEM


Agile + SDL = FAIL!

SDL                       Agile
Heavy                     Light
Strict process            Adaptive process
Structured phases         Short iterations
Lots of activities        “Just enough”
Predefined checkpoints    Predefined priorities
Centralized control       Independent teams
Lots o’ docs              Not so much
Assurance                 Responsibility

Agile + SDL = …?

Putting SDL on top of Agile kind of feels like…

We’ve been doing it wrong!


CONCEPTS


Agile Philosophy For SDL

“Early Feedback” already built in

Add Security to cross-functional team

Always do “just enough” work

Focus on the current sprint backlog

Prioritize, don’t micro-manage

Training

Independent developers: just teach them how to do things right

Mapping SDL to Agile

Agile practice                                                              SDL activity
Discovery                                                                   Security planning
Acceptance Tests                                                            Security requirements
Non-functional stories                                                      Security features
Integration QA                                                              Security testing
User Story “Done definition”, Sprint entry criteria, Release completion criteria   Security tasks
“Abuser” stories                                                            Countermeasures

Frequency-based “Wedges”


SUGGESTED SOLUTION


Ramp-up / Prerequisites

Security advisor

Coding guidelines

Regulations and policies

Training


First Discovery

Security plan

Baseline Threat Model

Security response plan


Discovery

Design review for User Stories

User Stories for security features

Review changes to Tech. Spec

Update Threat Model for features


Sprint Entry Criteria

Automated static code analysis

Fix all High+ security bugs
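The two criteria above are easiest to enforce when the sprint-entry check is a script rather than a meeting. The following is an added example (not from the slides): it reads a static-analysis report, applies a bug bar of High or above, and refuses sprint entry while any such finding is still open. The report layout, tool name, rule ids and file locations are constructed for illustration; a real scanner emits its own schema, so the field names in `blocking_findings` are an assumption to adapt.

```python
"""Sprint-entry gate: block the sprint while any open finding at or above
the bug bar (High) remains in the static-analysis report.

Added example, not taken from the original slides. The report structure
below is a constructed, simplified SARIF-like layout; real tools use their
own schema, so adapt the field names in blocking_findings() accordingly.
"""
import json

# Severity scale used by the bug bar; a higher index means more severe.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
BUG_BAR = "high"  # "Fix all High+ security bugs" before the sprint starts

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "tool": "example-sast",
    "results": [
        {"ruleId": "sql-injection", "level": "critical", "status": "open",
         "location": "app/db.py:42"},
        {"ruleId": "hardcoded-secret", "level": "high", "status": "fixed",
         "location": "app/config.py:7"},
        {"ruleId": "weak-random", "level": "medium", "status": "open",
         "location": "app/tokens.py:15"},
        {"ruleId": "path-traversal", "level": "HIGH", "status": "open",
         "location": "app/files.py:88"},
    ],
})


def severity_rank(level, bug_bar=BUG_BAR):
    """Map a scanner level onto the bug-bar scale. An unknown level is
    treated as the bar itself, so a misconfigured scanner fails closed
    instead of silently passing the gate."""
    try:
        return SEVERITY_ORDER.index(level.lower())
    except ValueError:
        return SEVERITY_ORDER.index(bug_bar)


def blocking_findings(report_json, bug_bar=BUG_BAR):
    """Return the open findings whose severity is at or above the bug bar.
    A finding with no status is treated as open (fail closed)."""
    report = json.loads(report_json)
    bar = SEVERITY_ORDER.index(bug_bar)
    return [
        f for f in report.get("results", [])
        if f.get("status", "open") == "open"
        and severity_rank(f.get("level", ""), bug_bar) >= bar
    ]


def sprint_entry_gate(report_json, bug_bar=BUG_BAR):
    """Return (passed, blockers). The sprint may start only when passed."""
    blockers = blocking_findings(report_json, bug_bar)
    return (len(blockers) == 0, blockers)


if __name__ == "__main__":
    ok, blockers = sprint_entry_gate(SAMPLE_REPORT)
    if ok:
        print("sprint entry gate: PASS")
    else:
        print("sprint entry gate: FAIL, %d open High+ finding(s):" % len(blockers))
        for f in blockers:
            print("  [%s] %s at %s" % (f["level"], f["ruleId"], f["location"]))
        raise SystemExit(1)
```

The gate deliberately fails closed: a finding with no status counts as open, and a severity the scale does not recognise counts as the bar itself. Raising the bar (for example to `critical`) is a one-line change, which is what makes the bug bar a planning decision rather than a code change.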


User Story Done Definition

Secure coding

Focused manual code reviews (via “eXtreme Programming”)

Build security Unit Tests

Pass security user story tests
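As an added example (not from the slides), this is what the “abuser story → countermeasure” mapping from the Concepts section and the “build security unit tests / pass security user story tests” items above look like together in code: the abuser story is written as an automated test next to the user story’s acceptance test, so the story cannot be “done” while the countermeasure is missing. The order service, the user ids and the abuser story itself are constructed for illustration.

```python
"""Abuser story expressed as an automated test beside the user story's own
acceptance test, so the countermeasure is part of the story's 'done'.

Added example, not taken from the original slides. The service, the sample
orders, the user ids and the abuser story are constructed for illustration.
"""


class AuthorizationError(Exception):
    """Raised when a caller may not see the requested object."""


class OrderService:
    """Minimal in-memory order service with object-level authorization."""

    def __init__(self):
        # order_id -> (owner_user_id, description). Constructed sample data.
        self._orders = {
            1001: ("alice", "2x widget"),
            1002: ("bob", "1x gadget"),
        }

    def get_order(self, requesting_user, order_id):
        """User story: 'As a customer I can view my own order.'
        Countermeasure for the abuser story: the owner is checked on every
        read, not merely hidden from the listing."""
        order = self._orders.get(order_id)
        if order is None or order[0] != requesting_user:
            # One response for 'missing' and 'not yours', so the caller
            # cannot tell which order ids exist.
            raise AuthorizationError("order not available")
        return {"id": order_id, "owner": order[0], "description": order[1]}


# --- Acceptance tests: the user story and its abuser stories --------------

def test_user_story_owner_can_view_own_order():
    svc = OrderService()
    assert svc.get_order("alice", 1001)["description"] == "2x widget"


def test_abuser_story_tampered_order_id_is_rejected():
    """Abuser story: 'As an attacker with my own account, I change the order
    id in the request to read another customer's order.'"""
    svc = OrderService()
    try:
        svc.get_order("alice", 1002)  # bob's order
    except AuthorizationError:
        return
    raise AssertionError("countermeasure missing: cross-user order read succeeded")


def test_abuser_story_id_enumeration_gives_no_signal():
    """Abuser story: 'I probe order ids to learn which ones exist.'
    A foreign id and a nonexistent id must look the same to the caller."""
    svc = OrderService()
    messages = set()
    for order_id in (1002, 9999):
        try:
            svc.get_order("alice", order_id)
        except AuthorizationError as err:
            messages.add(str(err))
    assert messages == {"order not available"}


def run_security_story_tests():
    """Run the security acceptance tests; return True when all pass. This is
    the check a 'done definition' requires before the story can close."""
    for test in (test_user_story_owner_can_view_own_order,
                 test_abuser_story_tampered_order_id_is_rejected,
                 test_abuser_story_id_enumeration_gives_no_signal):
        test()
    return True


if __name__ == "__main__":
    print("security story tests passed:", run_security_story_tests())
```

The point is that the abuser story is not a separate document: it lives in the same test file as the functional story, runs in the same build, and turns red the moment someone replaces the ownership check with a simple lookup.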


Integration QA

In-depth manual code review

Penetration testing

Review default configuration


Release Completion Criteria

Ensure recent training

Response plan is updated

High-level security review (FSR)

“Bucket” Requirements

Security tasks that are not needed every sprint, grouped by frequency (the “wedges” above); in the Microsoft SDL-Agile model these buckets follow, a team completes at least one task from each bucket per sprint.

Verification bucket: Fuzzing; Binary analysis; COM object testing

Design bucket: Review crypto design; Strong names; Privacy review

Planning bucket: Security bug bar; Privacy test plan; DRP / BCP

Security “Spike”

Entire Sprint focused on security

Handle “Security Debt”

Intensive search for vulnerabilities

Do cross-feature requirements


Summary

“Classic” SDL was about external control

Agile SDL is about internal control

Change from prescriptive to descriptive

Teams are expected to do the right thing

Can be even stronger than “Classic” SDL


Questions?
