Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Agile + SDL Concepts and Misconceptions

Avi DouglenAware Securityavid@AwareID.com(972)-52-7891133

Nir BregmanSenior Project Manager, HP nir.bregman@hp.com(972)-54-5597038

15/09/2011

OWASP 2

Agenda

IntroductionMisconceptionsProblemsConceptsSolution

OWASP

INTRODUCTION

3

OWASP

“Agile” – A Definition

“… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.”

– Wikipedia 4

OWASP

Agile Methodology – Key Features

Early feedback

Prioritized “backlog”

Inherent improvement process

Adaptive to changes

Short, incremental iterations or sprints

‘Release like’ version every iteration

Team selects “user stories”5

OWASP

“SDL” – A Definition

“A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.”

- Wikipedia

6

OWASP

SDL – Microsoft Model

7

OWASP

SDL – OWASP Model (CLASP)

8

OWASP

SDL – Key Features

Activities for each development phaseRelatively formal processCarefully controlled development

9

OWASP

SDL – Main Activities General

Designing SDLC model Policies & guidelines Training & education Tools & products

Requirements Analysis Classification Security planning Security requirements

Architecture Initial Threat Modeling Secure Architecture

Design Detailed Threat Modeling Mitigation of threats Secure Design Formulating security

guidelines Security Design Review

Coding Secure Coding Unit security tests Initial security code review Security push

Testing Regression testing Final security code review Deployment inspection Black box penetration tests Final Security Review

Maintenance Security response Secure change

management Security bug tracking Metrics Process improvement

10

OWASP

MISCONCEPTIONS

11

OWASP

Agile is…

… really just “Waterfall”,repeated over and over again

12

OWASP

SDL is…

Only good for “Waterfall” process

13

OWASP

Agile is…

Like the “Wild West” of programming

14

OWASP

SDL is…

Control freaks

15

OWASP

Agile is…

Inconsistent

16

OWASP

SDL is…

Not flexible

17

OWASP

Agile is…

Out of control

18

OWASP

SDL is…

Very heavy process

19

OWASP

Agile means…

No documentation

20

OWASP

SDL means…

lots of boring documents

21

OWASP

Agile is…

22

An excuse to take shortcuts

OWASP

SDL is…

Full of duplicate activities

23

OWASP

Agile means…

No planning

24

OWASP

SDL is…

Unnecessary, for good programmers

25

OWASP

Agile is…

Never ending

26

OWASP

SDL is…

Slowing down real development

27

OWASP

Agile is…

a set of ceremonies anddisconnected techniques

28

OWASP

SDL is…

a set of ceremonies and disconnected tasks

29

OWASP

PROBLEM

30

OWASP

Agile + SDL = FAIL!

SDL Heavy

Agile Light

31

OWASP

Agile + SDL = FAIL!

SDL Strict process

Agile Adaptive process

32

OWASP

Agile + SDL = FAIL!

SDL Structured phases

Agile Short iterations

33

OWASP

Agile + SDL = FAIL!

SDL Lots of activities

Agile “Just enough”

34

OWASP

Agile + SDL = FAIL!

SDL Predefined checkpoints

Agile Predefined priorities

35

OWASP

Agile + SDL = FAIL!

SDL Centralized control

Agile Independent teams

36

OWASP

Agile + SDL = FAIL!

SDL Lots o’ docs

Agile Not so much

37

OWASP

Agile + SDL = FAIL!

SDL Assurance

Agile Responsibility

38

OWASP

Agile + SDL = …?

Putting SDL on top of Agile

kind of feels like…

39

OWASP 40

OWASP

We’ve been doing it wrong!

41

OWASP

CONCEPTS

42

OWASP

Agile Philosophy For SDL

“Early Feedback” already built in

Add Security to cross-functional

team

Always do “just enough” work

Focus on the current sprint backlog

Prioritize, don’t micro-manage43

OWASP

Training

Independent developers:Just teach them how to do things right

44

OWASP

Mapping SDL to Agile

Discovery

Security planning

45

OWASP

Mapping SDL to Agile

Acceptance Tests

Security requirements

46

OWASP

Mapping SDL to Agile

Non-functional stories

Security features

47

OWASP

Mapping SDL to Agile

Integration QA

Security testing

48

OWASP

Mapping SDL to Agile

UserStory “Done definition” Sprint entry criteria

Release completion criteria

Security tasks

49

OWASP

Mapping SDL to Agile

“Abuser” stories

Countermeasures

50

OWASP

Frequency-based “Wedges”

51

OWASP

SUGGESTED SOLUTION

52

OWASP

Ramp-up / Prerequisites

Security advisor

Coding guidelines

Regulations and policies

Training

53

OWASP

First Discovery

Security plan

Baseline Threat Model

Security response plan

54

OWASP

Discovery

Design review for User Stories

User Stories for security features

Review changes to Tech.Spec

Update Threat Model for features

55

OWASP

Sprint Entry Criteria

Automated static code

analysis

Fix all High+ security bugs

56

OWASP

UserStory Done Definition

Secure coding

Focused manual code reviews

(via “eXtreme Programming”)Build security Unit TestsPass security user story tests

57

OWASP

Integration QA

In-depth manual code review

Penetration testing

Review default configuration

58

OWASP

Release Completion Criteria

Ensure recent training

Response plan is updated

High-level security review

(FSR)

59

OWASP

“Bucket” Requirements

Verification bucket

Design bucket

Planning bucket

Security bug barPrivacy test planDRP / BCP

60

Review crypto design

Strong namesPrivacy review

FuzzingBinary analysisCOM object

testing

OWASP

Security “Spike”

Entire Sprint focused on security

Handle “Security Debt”

Intensive search for vulnerabilities

Do cross-feature requirements

61

OWASP

Summary

“Classic” SDL was about external control

Agile SDL is about internal control

Change from prescriptive to descriptive

Teams are expected to do the right thing

Can be even stronger than “Classic” SDL

62

OWASP

Questions?

63