Create Agile confidence for better application security


Transcript of Create Agile confidence for better application security

Page 1: Create Agile confidence for better application security

Create Agile confidence for better application security

Rogue Wave Accelerate Series

Part 2 of 3

Page 2: Create Agile confidence for better application security

Christine Bottagaro, CMO

Presenter

Rogue Wave Software

© 2015 Rogue Wave Software, Inc. All Rights Reserved.

Page 3: Create Agile confidence for better application security

Agenda

• Agile Methodology
• Security as a service
• Integrated security goals
• Best practices for Agile teams
• How to get started

Page 4: Create Agile confidence for better application security

Agile benefits

• Adaptive
• Integrated development teams
• Fewer surprises when working in a cross-functional environment
• Faster feedback loop
• Faster time to market
• Constant feedback during development
• Responds quickly to changing requirements

Page 5: Create Agile confidence for better application security

Agile versus Waterfall

Agile
• Adaptive
• Integrated teams
• Rapid development cycles
• Frequent releases
• Cross-functional responsibilities
• Cooperative decision making
Best for…
• Fast time to market
• Smaller projects
• Websites, graphical interfaces

Waterfall
• Fixed requirements
• Separation of duties
• Development, security and compliance work independently
• Separate reporting
• Longer development cycles
• Few releases per year
• Patches
Best for…
• Complicated systems
• System and backend applications

Page 6: Create Agile confidence for better application security

Traditional development: Security as a service

• Separation of duties for testing and auditing
• Separate testing tools, results fed to development
• Development, compliance, and security are independent functions

Traditional Secure Development Lifecycle Activities

Requirements
• Establish security requirements
• Create quality gates
• Risk assessments

Design
• Establish design requirements
• Analyze attack surface
• Threat modeling

Build
• Use approved tools
• Deprecate unsafe functions

Test
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface review
• Open source review

Deploy
• Incident response plan
• Final security review
• Release archive

Page 7: Create Agile confidence for better application security

Consequences of security as a service

• Increased remediation costs
• Delayed releases
• Security and development become adversarial

[Chart: Cost of Remediation by lifecycle phase. Source: Barry Boehm, “Equity Keynote Address”, March 19, 2007]
• Requirements: 1x
• Design: 5x
• Build: 10x
• Test: 20x to 50x
• Deploy: 150x

Page 8: Create Agile confidence for better application security

Agile development: Integrated security

[Diagram: Sprint 1, Sprint 2 … Sprint n, each followed by “Integrate and Test”; Feedback and Review lead to an Accept decision: No leads to Change, Adjust and Track, Next Iteration; Yes leads to Release to Market]

• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet Agile needs

Page 9: Create Agile confidence for better application security

Integrated security goals

• Build security into the Agile process
• Adapt to the needs of each team
• Provide information needed in a timely manner
• Help teams improve over time
• Maintain integrity of separation of duties

Page 10: Create Agile confidence for better application security

Best practices for Agile teams

1. Integrate security and compliance testing
2. Enforce standards that relate to the project
3. Context for remediation
4. Continuous improvement
5. Reporting for all stakeholders


Page 12: Create Agile confidence for better application security

Best Practice 1.

Integrate security and compliance testing

• Give Agile teams tools & responsibility for testing
• Self-sufficiency is required for rapid reaction
• Run tests on development schedule
• Embed security with Agile team for triage and assistance

Page 13: Create Agile confidence for better application security

Best Practice 1.

Integrate at IDE and Build Server

• Do what works best for each team
• Integrate at IDE: testing and remediation on the fly
• Integrate at build server: testing with each sprint test build
• Run separately: testing at the end of each sprint


Page 15: Create Agile confidence for better application security

Best Practice 2.

Enforce standards that relate to the project

• Understand the objectives
• Risk varies with application deployments
• Use flexible rule sets
• Compliance rules (e.g., PCI)
• Language and framework specific rules
• Custom rules for custom frameworks
• High/low security requirements

Page 16: Create Agile confidence for better application security

Best Practice 2.

Compliance rule sets

PCI-DSS v3: “The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.”

Specific rule sets
• SANS Top 25
• OWASP Top 10
• Reporting for regulatory audits


Page 18: Create Agile confidence for better application security

Best Practice 3.

Context for remediation

Provide information needed to act
• What needs architectural review?
• What can I fix quickly?
• Provide actionable results
• Prioritize results to accelerate triage
• Eliminate “noise” from reporting

Page 19: Create Agile confidence for better application security

Best Practice 3.

Minimize code changes after code check-in

• Trace errors to root causes
• Input validation: a missing check manifests itself wherever the tainted data is used
• A single error can result in tens or hundreds of reported issues
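The root-cause point above (one missing input validation surfaces as many findings wherever the tainted data reaches a sensitive operation) is easiest to see with a small taint tracker. The following Python is an added example, not code from the deck or from Klocwork: it runs a toy source-to-sink analysis over a constructed mini-program, reports each sink reached by untrusted data, and groups those findings by the source statement that introduced the taint, so the single fix location stands out. The names SOURCES, SINKS, SANITIZERS, analyze, root_causes and the program statements are all constructed for this example.

```python
# Added example (not the deck's or Klocwork's code): a toy taint tracker.
# A constructed mini-program is a list of (lhs, call, args) statements.
# Taint enters at a SOURCE call, flows through assignments, is cleared by a
# SANITIZER call, and is reported wherever a tainted variable reaches a SINK.
SOURCES = {"read_request_param"}                     # untrusted input enters here
SINKS = {"run_query", "exec_shell", "write_html"}    # sensitive uses of data
SANITIZERS = {"validate"}                            # input validation clears taint

def analyze(program):
    """Return one finding (line, sink, variable, source_line) per tainted sink use."""
    taint = {}       # variable -> line number of the source that tainted it
    findings = []
    for line, (lhs, call, args) in enumerate(program, start=1):
        tainted_args = [a for a in args if a in taint]
        if call in SINKS and tainted_args:
            findings.extend((line, call, a, taint[a]) for a in tainted_args)
        if lhs is None:
            continue
        if call in SOURCES:
            taint[lhs] = line
        elif call in SANITIZERS or not tainted_args:
            taint.pop(lhs, None)                  # validated or clean value assigned
        else:
            taint[lhs] = taint[tainted_args[0]]   # taint propagates with the data
    return findings

def root_causes(findings):
    """Group findings by the source line that introduced the taint: one fix per key."""
    groups = {}
    for line, _sink, _var, src in findings:
        groups.setdefault(src, []).append(line)
    return groups

# Constructed program: one unvalidated request parameter reaches four sinks.
PROGRAM = [
    ("user", "read_request_param", ["'name'"]),       # line 1: taint enters
    ("greeting", "concat", ["'Hello '", "user"]),     # line 2: propagates
    (None, "write_html", ["greeting"]),               # line 3: sink
    (None, "run_query", ["user"]),                    # line 4: sink
    ("cmd", "concat", ["'ls '", "user"]),             # line 5: propagates
    (None, "exec_shell", ["cmd"]),                    # line 6: sink
    (None, "write_html", ["user"]),                   # line 7: sink
]
# The same program with validation inserted at the root cause: no findings remain.
FIXED_PROGRAM = PROGRAM[:1] + [("user", "validate", ["user"])] + PROGRAM[1:]
```

Running root_causes(analyze(PROGRAM)) collapses four sink reports into one entry keyed on line 1, which is the one change a developer needs to make before check-in.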


Page 21: Create Agile confidence for better application security

Best Practice 4.

Continuous improvement

• Help developers learn on the job
• Move from training “events” to a training “process”
• Push remediation advice to the IDE

Source: https://uwaterloo.ca/counselling-services/curve-forgetting

Page 22: Create Agile confidence for better application security

Best Practice 4.

Ongoing developer education

Remediation advice in the IDE
• Specific to bug type
• Specific to language rule set


Page 24: Create Agile confidence for better application security

Best Practice 5.

Enterprise reporting

• Development
• Security reporting
• Compliance reporting
• Legal reporting
• Identify security training needs
• Maintain independence of audits
• Testing for OWASP/SANS bugs
• Audits and reporting for OSS
• Traceability for security risks

Page 25: Create Agile confidence for better application security

How to get started

1. Empower development with training, processes, and technology to own security testing
2. Build testing earlier into the development process
3. Start with a pilot project
4. Develop coding and remediation standards
5. Close the loop

72% of developers think they are responsible for security

Page 26: Create Agile confidence for better application security

See us in action:

www.roguewave.com

Klocwork
OpenLogic

Page 27: Create Agile confidence for better application security