SlideShare a Scribd company logo

Agile Secure Development

Bosnia Agile, profile picture
Bosnia Agile

The document discusses how to integrate security requirements within agile development teams, highlighting the lack of security throughout the software development lifecycle. It presents key strategies for improving application security, including threat modeling, continuous integration, and incorporating security activities into sprints. The author emphasizes the importance of collaboration and responsibility among team members to create secure applications.

Technology
Related topics:
Bosnia Agile
1 of 30
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
SARAJEVO, 27.10.2014 Agile Secure Development Petter Sandholdt -How to make the agile team work with security requirements
Who am I? Petter Sandholdt -Senior Developer -Senior Security Consultant -Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp -Security in R&D for last 6 years ... in agile teams the last 5 years
Easy targets Verizon Enterprise’s 2013 Data Breach Investigations Report ●47,000reported security incidents, ●621confirmed data security breaches ●companies of all sizes. http://www.verizonenterprise.com/DBIR/2013/ 78% of successful security intrusions were simple to pull off
What do Dev and SO think? http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy Developers Security Officers Security of applications is not addressed There is no build security in process SSDLC Application had a security breach during the past 2 years Did not receive software and application security training Application meets security regulations 70% 50% 80% 64% 68% 47% 50% 50% 15% 12%
Agile application ≠ Secure? Agile moto: ●Do what’s in the sprint XP moto: ●Never do more that what’s required TDD moto: ●Code until its green
Agile application = Secure? REQS CODE
Agile application = Secure? CODE REQS NOT TESTED
When is an application secure? ●Requires hard-to-guess passwords? ●Has input validation? ●Has up-to-date and hardened 3rd-party libraries? ●The one that fulfills the security requirementsof the application
How can the POs know about security? POs are OWNERSin that role decide what is important for this application. ●Deployability (Architects or Operations) ●Performance (Architects,Testers & DBA) ●How to code it (Developers)
Secure Software Development Life Cycles ●Microsoft SDL ●Adobe SPLC ●CLASP ●Cigital Touchpoints
Secure Coding in 5 minutes 1.Take Responsibility 2.Never trust data 3.Create a threat model 4.Keep yourself updated 5.Make a fuzz 6.Stay proud of your code 7.Use the best tools http://bit.ly/1dZ6fwA
Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
1. Architecture overview
1. Architecture overview Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
Data-Flow-Diagrams are great
Agile??? WTF! More artifacts! Not on my watch! -Helps collaboration-Find discrepancies-Creates ONE terminology
2. Threat Modeling session ●First session ○Brainstorming ●Following sessions ○Discussions aroundadded entities
2. Threat Modeling session Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidenciality Denial of Service Authentification Elevation of Privilege Authorization
Threat Modeling session Elevation of Privilege (EoP) Card Game
3. Backlog Review Look at the backlog from a security perspective Security Expert (from team) and PO Create checklist to facilitate
3. Checklist Example ●How will this new functionality be accessed? ●Can this affect “protected identites”? ●New entites in theatmodel require adding a new theatmodel session ●New role of users needs new validations on each resource ●Validations needed to be updated if property changes
4. Fix your tools to help you ●Continuous Integration ●Static code analyzers ●Dynamic code analyzers ●Penetration tests tools
4 Continuous Integration ●Find compile errors in configuration ●Automate robustness testing ○Unit ○Integration ○System ○Fuzz
4 Analyze the code ●Evaluate state of code checked in ○Complexity ○Rule breaking ●Tools ○SonarQube ○Coverity ○Fortify
5. Add activities to sprints ●Update high level diagram ●Keep updated ●Fuzz-testing
Buckets ●Verification ○Fuzz ○Data-flow ●Design ○Cryptology ○Privacy ●Planning ○Privacy tests ○Internal symbols
Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
Q & A -This won’t work in my team since… petter.sandholdt@softhouse.se
Agile Secure Development
Thank You

More Related Content

PDF
Bug Bounties and The Path to Secure Software by 451 Research
HackerOne
 
PDF
DevSecOps for Developers: How To Start
Patricia Aas
 
PDF
Zero to Ninety in Securing DevOps
DevSecOps Days
 
PPTX
Mobile security recipes for xamarin
Nicolas Milcoff
 
PDF
Adversary Driven Defense in the Real World
James Wickett
 
PPTX
Security Champions - Introduce them in your Organisation
Ives Laaf
 
PPTX
Threat Modeling with Threat Dragon
Steven Carlson
 
PPTX
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
Agile Testing Alliance
 
Bug Bounties and The Path to Secure Software by 451 Research
HackerOne
 
DevSecOps for Developers: How To Start
Patricia Aas
 
Zero to Ninety in Securing DevOps
DevSecOps Days
 
Mobile security recipes for xamarin
Nicolas Milcoff
 
Adversary Driven Defense in the Real World
James Wickett
 
Security Champions - Introduce them in your Organisation
Ives Laaf
 
Threat Modeling with Threat Dragon
Steven Carlson
 
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
Agile Testing Alliance
 

What's hot (20)

PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
PDF
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Deborah Schalm
 
PDF
How to automate your DevSecOps successfully
Manuel Pistner
 
PPTX
ExpoQA19 slides security awareness Steven Nienhuis
steavy
 
PDF
Security in open source projects
Jose Manuel Ortega Candel
 
PDF
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
PPTX
Unit testing : what are you missing for security
Suman Sourav
 
PDF
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
PDF
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
PPTX
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days
 
PDF
Demystifying DevSecOps
Archana Joshi
 
PDF
Dev week cloud world conf2021
Archana Joshi
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
PDF
[OWASP Poland Day] OWASP for testing mobile applications
OWASP
 
PPTX
2020 05-tech saturday-devsecops-#2-v03
Diego Gabriel Cardoso
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
PDF
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
PDF
Why does security matter for devops by Caroline Wong
DevSecCon
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
PDF
DevSecOps Everything You Need To Know
Centextech
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Deborah Schalm
 
How to automate your DevSecOps successfully
Manuel Pistner
 
ExpoQA19 slides security awareness Steven Nienhuis
steavy
 
Security in open source projects
Jose Manuel Ortega Candel
 
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
Unit testing : what are you missing for security
Suman Sourav
 
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days
 
Demystifying DevSecOps
Archana Joshi
 
Dev week cloud world conf2021
Archana Joshi
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
[OWASP Poland Day] OWASP for testing mobile applications
OWASP
 
2020 05-tech saturday-devsecops-#2-v03
Diego Gabriel Cardoso
 
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
Why does security matter for devops by Caroline Wong
DevSecCon
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
DevSecOps Everything You Need To Know
Centextech
 
Ad

Similar to Agile Secure Development (20)

PPTX
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
PDF
AppSec in an Agile World
David Lindner
 
PPT
Software security engineering
AHM Pervej Kabir
 
PPT
Software security engineering
AHM Pervej Kabir
 
PPT
Software Security Engineering
Marco Morana
 
PDF
A journey into Application Security
Christian Martorella
 
PPTX
Application security testing in the age of Agile development - by Julio Cesar...
Blaze Information Security
 
ODP
Matthew Coles - Izar Tarandach - Security Toolbox
Source Conference
 
PPT
Software Security in the Real World
Mark Curphey
 
PDF
SDLC & DevSecOps
Irina Kostina
 
PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
PDF
ProdSec: A Technical Approach
Jeremy Brown
 
PPTX
Security within Scaled Agile
Mark Underwood
 
PPTX
Agile security
Arthur Donkers
 
PPTX
Hacker vs Tools: Which to Choose?
Security Innovation
 
PPTX
Hacker vs tools
Geoffrey Vaughan
 
PPTX
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 
PDF
An Introduction to Secure Application Development
Christopher Frenz
 
PDF
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
AppSec in an Agile World
David Lindner
 
Software security engineering
AHM Pervej Kabir
 
Software security engineering
AHM Pervej Kabir
 
Software Security Engineering
Marco Morana
 
A journey into Application Security
Christian Martorella
 
Application security testing in the age of Agile development - by Julio Cesar...
Blaze Information Security
 
Matthew Coles - Izar Tarandach - Security Toolbox
Source Conference
 
Software Security in the Real World
Mark Curphey
 
SDLC & DevSecOps
Irina Kostina
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
ProdSec: A Technical Approach
Jeremy Brown
 
Security within Scaled Agile
Mark Underwood
 
Agile security
Arthur Donkers
 
Hacker vs Tools: Which to Choose?
Security Innovation
 
Hacker vs tools
Geoffrey Vaughan
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 
An Introduction to Secure Application Development
Christopher Frenz
 
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
Ad

More from Bosnia Agile (20)

PDF
Psychological Safety and Remote Work by Matthew Philip
Bosnia Agile
 
PDF
Agile playground - Navigating Change Through Continuous experimentation by St...
Bosnia Agile
 
PDF
Culture eats everything for breakfast! by Vladimir Kelava
Bosnia Agile
 
PDF
Beyond Boundaries: Nurturing Psychological Safety for Tech Excellence by Barı...
Bosnia Agile
 
PDF
Banking Reimagined - Navigating the Adaptive transformation by Ana Kafadar
Bosnia Agile
 
PDF
Decoding Success in Pharma and e-Health by Lejla Zonić
Bosnia Agile
 
PDF
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
Bosnia Agile
 
PDF
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
Bosnia Agile
 
PDF
How AI will transform agile project management by Jasna Pleho and Elvir Ćesko
Bosnia Agile
 
PDF
How can Operational Value Streams Shape Your Product Strategy and Roadmap Suc...
Bosnia Agile
 
PDF
Agile is not just for software development, it’s for the whole business! by O...
Bosnia Agile
 
PDF
Supercharge your teams with Value Stream Management by Richard Knaster
Bosnia Agile
 
PDF
Data Visualization Techniques in Meteorological and Climatological World usin...
Bosnia Agile
 
PDF
Creating transformation in Healthcare by Banu Gülsün, Mutlu Çiçek and Onur Ön...
Bosnia Agile
 
PDF
Production Support - the DevOps way by Mustafa Mehmedić
Bosnia Agile
 
PDF
The Rationale for Continuous Delivery by Dave Farley
Bosnia Agile
 
PDF
What’s a Design Sprint and Why Does it Matter? by Elvis Pivić
Bosnia Agile
 
PDF
Disciplined Agile:  Past, present, and future. The path to true business agil...
Bosnia Agile
 
PDF
Building a world-class work culture by Rešad Začina
Bosnia Agile
 
PDF
Scrum Turns 25 - Usage and the future by Dave West
Bosnia Agile
 
Psychological Safety and Remote Work by Matthew Philip
Bosnia Agile
 
Agile playground - Navigating Change Through Continuous experimentation by St...
Bosnia Agile
 
Culture eats everything for breakfast! by Vladimir Kelava
Bosnia Agile
 
Beyond Boundaries: Nurturing Psychological Safety for Tech Excellence by Barı...
Bosnia Agile
 
Banking Reimagined - Navigating the Adaptive transformation by Ana Kafadar
Bosnia Agile
 
Decoding Success in Pharma and e-Health by Lejla Zonić
Bosnia Agile
 
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
Bosnia Agile
 
Agile Experimentation in Everyday Life - A Guide to More Aha! moments by Milo...
Bosnia Agile
 
How AI will transform agile project management by Jasna Pleho and Elvir Ćesko
Bosnia Agile
 
How can Operational Value Streams Shape Your Product Strategy and Roadmap Suc...
Bosnia Agile
 
Agile is not just for software development, it’s for the whole business! by O...
Bosnia Agile
 
Supercharge your teams with Value Stream Management by Richard Knaster
Bosnia Agile
 
Data Visualization Techniques in Meteorological and Climatological World usin...
Bosnia Agile
 
Creating transformation in Healthcare by Banu Gülsün, Mutlu Çiçek and Onur Ön...
Bosnia Agile
 
Production Support - the DevOps way by Mustafa Mehmedić
Bosnia Agile
 
The Rationale for Continuous Delivery by Dave Farley
Bosnia Agile
 
What’s a Design Sprint and Why Does it Matter? by Elvis Pivić
Bosnia Agile
 
Disciplined Agile:  Past, present, and future. The path to true business agil...
Bosnia Agile
 
Building a world-class work culture by Rešad Začina
Bosnia Agile
 
Scrum Turns 25 - Usage and the future by Dave West
Bosnia Agile
 

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 

Agile Secure Development

  • 1. SARAJEVO, 27.10.2014 Agile Secure Development Petter Sandholdt -How to make the agile team work with security requirements
  • 2. Who am I? Petter Sandholdt -Senior Developer -Senior Security Consultant -Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp -Security in R&D for last 6 years ... in agile teams the last 5 years
  • 3. Easy targets Verizon Enterprise’s 2013 Data Breach Investigations Report ●47,000reported security incidents, ●621confirmed data security breaches ●companies of all sizes. http://www.verizonenterprise.com/DBIR/2013/ 78% of successful security intrusions were simple to pull off
  • 4. What do Dev and SO think? http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy Developers Security Officers Security of applications is not addressed There is no build security in process SSDLC Application had a security breach during the past 2 years Did not receive software and application security training Application meets security regulations 70% 50% 80% 64% 68% 47% 50% 50% 15% 12%
  • 5. Agile application ≠ Secure? Agile moto: ●Do what’s in the sprint XP moto: ●Never do more that what’s required TDD moto: ●Code until its green
  • 6. Agile application = Secure? REQS CODE
  • 7. Agile application = Secure? CODE REQS NOT TESTED
  • 8. When is an application secure? ●Requires hard-to-guess passwords? ●Has input validation? ●Has up-to-date and hardened 3rd-party libraries? ●The one that fulfills the security requirementsof the application
  • 9. How can the POs know about security? POs are OWNERSin that role decide what is important for this application. ●Deployability (Architects or Operations) ●Performance (Architects,Testers & DBA) ●How to code it (Developers)
  • 10. Secure Software Development Life Cycles ●Microsoft SDL ●Adobe SPLC ●CLASP ●Cigital Touchpoints
  • 11. Secure Coding in 5 minutes 1.Take Responsibility 2.Never trust data 3.Create a threat model 4.Keep yourself updated 5.Make a fuzz 6.Stay proud of your code 7.Use the best tools http://bit.ly/1dZ6fwA
  • 12. Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
  • 14. 1. Architecture overview Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
  • 16. Agile??? WTF! More artifacts! Not on my watch! -Helps collaboration-Find discrepancies-Creates ONE terminology
  • 17. 2. Threat Modeling session ●First session ○Brainstorming ●Following sessions ○Discussions aroundadded entities
  • 18. 2. Threat Modeling session Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidenciality Denial of Service Authentification Elevation of Privilege Authorization
  • 19. Threat Modeling session Elevation of Privilege (EoP) Card Game
  • 20. 3. Backlog Review Look at the backlog from a security perspective Security Expert (from team) and PO Create checklist to facilitate
  • 21. 3. Checklist Example ●How will this new functionality be accessed? ●Can this affect “protected identites”? ●New entites in theatmodel require adding a new theatmodel session ●New role of users needs new validations on each resource ●Validations needed to be updated if property changes
  • 22. 4. Fix your tools to help you ●Continuous Integration ●Static code analyzers ●Dynamic code analyzers ●Penetration tests tools
  • 23. 4 Continuous Integration ●Find compile errors in configuration ●Automate robustness testing ○Unit ○Integration ○System ○Fuzz
  • 24. 4 Analyze the code ●Evaluate state of code checked in ○Complexity ○Rule breaking ●Tools ○SonarQube ○Coverity ○Fortify
  • 25. 5. Add activities to sprints ●Update high level diagram ●Keep updated ●Fuzz-testing
  • 26. Buckets ●Verification ○Fuzz ○Data-flow ●Design ○Cryptology ○Privacy ●Planning ○Privacy tests ○Internal symbols
  • 27. Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
  • 28. Q & A -This won’t work in my team since… petter.sandholdt@softhouse.se