SlideShare a Scribd company logo

Application Security in an Agile World - Agile Singapore 2016

Stefan Streichsbier, profile picture
Stefan Streichsbier

This document discusses application security in an agile development world. It begins with a brief history of application security and defines it as a quality aspect that contributes to business success like user experience and performance. Application security was traditionally handled by network teams but is now the responsibility of developers. The document advocates for adopting a DevSecOps approach where security is integrated into the development process through activities like threat modeling, design reviews, security testing, and monitoring. This allows catching issues earlier in the development cycle when they are cheaper to fix. The document provides examples of how to incorporate security into agile frameworks like Scrum.

Technology
1 of 44
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Application Security In an Agile World
Stefan Streichsbier CTO at Vantage Point Twitter: @s_streichsbier
A brief history of AppSec
✤ Let’s start with what it is not: • Firewalls, secure network protocols, • Antivirus and Phishing attacks • Intrusion Detection • SoCs, ... What is AppSec?
Firewall is locked down tight, ...only 443 is open…
✤ Application Security is: • A quality aspect of your application • And contributes to the business success the same way UX Design, Usability and Performance do. • In other words, is my application used the way it is intended to. What is AppSec?
✤ Security was traditionally in the hands of Network folks • Suddenly, they become responsible for applications... • ... And applied the same audit-like principals. Why AppSec == Pain?
Application Security in an Agile World - Agile Singapore 2016
✤ Things slowly evolved • From performing “Penetration Tests” once a year • To doing a Pentest for every release (a few times a year) Pentest to the rescue Great, we all love Pentests, right?
Pentesters after turning a report in...
Security
Meanwhile outside the security camp ...
0 20 40 60 80 100 120 140 2005 2010 2015 2020 The frequency of releases over time Releases per app per year Towards CD From Waterfall The frequency increased
14 So many releases?!
Security DevOps
16 Agile + DevOps + Security = DevSecOps
Step 1: Security as part of Agile
1-4 Weeks 24 hours Develop Test Design Plan Output Shippable Increment Product Backlog Sprint Backlog Let’s look at SCRUM Start with understanding the process
✤ No more pdf/doc/xls! ✤ Security uses the same language as the dev team. ✤ Security as part of existing environments/workflows. ✤ Security work is completed in-cycle. ✤ Not all apps have the same security requirements. Some general hygiene
0x 5x 10x 15x 20x 25x 30x 35x Requirements/Design Coding Integration Testing Acceptance Testing Production Relative Cost to fix, based on time of detection Penetration Testing Source: NIST Relative Cost
1-4 Weeks 24 hours Develop Test Design Plan Output Shippable Increment Product Backlog Sprint Backlog Secure SCRUM Security Training Security Requirements Security Activities Threat Modelling Design Review Pairing Manual Security Tests Automatic Security Tests Security Feature Demo Security Retrospective Security Acceptance Criteria
(Security) Training
Are all security requirements non-functional?
✤ Functional security requirement are related to: - Authentication & Access Control - Data Integrity - Wrong password lockouts ✤ Non-functional requirements are related to: - Password policies - Characteristics of audit logs - Backups Functional vs Non-Functional
• It all starts with the backlog & security is a part of this: • 1. As an anonymous user I want to see the entire book selection, ... • 2. As a logged-in user I want to see my entire purchase history, ... • 3. As a customer I want to ensure my privacy when using a public wifi , ... (Security) Requirements - User Story and it’s acceptance criteria is unrelated to security - User Story and it’s acceptance criteria is security sensitive [tagged] - “One-off” (Security) User story [tagged]
v Architecture & Design Review & Threat Modelling Think like a hacker v Design Guidelines are invaluable. Use existing design patterns v Helps to reducing the ongoing amount of work Secure by Design
✤ Assorted Secure Coding Guidelines in the repo ✤ Pairing for more complex stories ✤ Pull requests for security relevant stories are reviewed - Code reviews are important (especially for increased speed). Secure Coding
99% of unit tests passed
✤ Code coverage is key aspect of quality 100% is just the beginning ✤ Security related acceptance criteria makes a difference Both for manual and automated tests ✤ The more that is automated the better Security Unit Tests
✤ Open source projects can help - Gauntlt - BDD-Security Security Unit Tests
✤ Continue demonstrating the new attributes/features and their impact on users ✤ What were the security considerations for this new feature ✤ In the retrospective share those lessons learned Sprint Review & Retro
Is security hard?
0 20 40 60 80 100 120 Jan March May July September November % Remaining Security work % App Robustness, Security Skills Security Debt Burndown
Step 2: DevSecOps
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
Vulnerability Repository • Security Unit Tests • SAST • SCA • DAST • IAST • VA • Security as Code • RASP • NG WAF • Red Team • GOPT • Actual Attackers • Sec Requirements • Design Review • Threat Modelling AppSec Pipeline
Instead of this ...
...Let’s do this...
Announcements DevSecCon Asia 2017
✤ Start with embedding your friendly AppSec guy ✤ Transfer knowledge, find a security champion ✤ Step back and advise ✤ Iterate continuously– don’t go for big bang ✤ Keep adding automation ✤ Churn out awesome (& secure) releases at the speed of DevOps From Zero to Hero
stefan@vantagepoint.sg @s_streichsbier Stefan Streichsbier https://devsecopssg.herokuapp.com Questions?
References • https://www.infoq.com/presentations/Facebook-Moving-Fast-at-Scale • Jeff Williams: 2013 Appsec USA: https://www.youtube.com/watch?v=cIvOth0fxmI&t=377 • http://blog.diniscruz.com • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline • http://www.slideshare.net/SeniorStoryteller/amy-demartine-7-habits-of-rugged-devops

More Related Content

PPTX
Null application security in an agile world
Stefan Streichsbier
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
PDF
Devops: Security's big opportunity by Peter Chestna
DevSecCon
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
Null application security in an agile world
Stefan Streichsbier
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
Devops: Security's big opportunity by Peter Chestna
DevSecCon
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
The Journey to DevSecOps
SeniorStoryteller
 

What's hot (20)

PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
DevSecOpsSg
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
PDF
DevSecOps - The big picture
Stefan Streichsbier
 
PDF
Ast in CI/CD by Ofer Maor
DevSecCon
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
PPTX
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
PDF
DevSecOps - The big picture
DevSecOpsSg
 
PDF
Dos and Don'ts of DevSecOps
Priyanka Aash
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
PPTX
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
PDF
A Secure DevOps Journey
Veracode
 
PPTX
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
PDF
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon
 
PDF
The Future of DevSecOps
Stefan Streichsbier
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
DevSecOps : an Introduction
Prashanth B. P.
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
PDF
Renato Rodrigues - Security in the wild
DevSecCon
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
DevSecOpsSg
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
DevSecOps - The big picture
Stefan Streichsbier
 
Ast in CI/CD by Ofer Maor
DevSecCon
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevSecOps - The big picture
DevSecOpsSg
 
Dos and Don'ts of DevSecOps
Priyanka Aash
 
Integrating DevOps and Security
Stijn Muylle
 
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
A Secure DevOps Journey
Veracode
 
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon
 
The Future of DevSecOps
Stefan Streichsbier
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps : an Introduction
Prashanth B. P.
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
Renato Rodrigues - Security in the wild
DevSecCon
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Ad

Viewers also liked (20)

PDF
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
PDF
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
PDF
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
PDF
OutSystems Webinar - Building a Live Style Guide
Daniel Reis
 
PPTX
Software
macarenariann
 
PPTX
Making Security Agile
Oleg Gryb
 
PDF
Informe scsi 2012 sobre ciberseguridad
Pablo Heraklio
 
PPTX
Viii congreso isaca 2015 grc
balejandre
 
PDF
Implementing NIST Cybersecurity Framework Using COBIT 5
Francisco Javier Peris Montesinos
 
PDF
Cyberseguridad en entornos empresariales
CSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Industrial cyber security_tgs_barcelona_jun_2015_v1.pptx
Itconic
 
PDF
ICION 2016 - Cyber Security Governance
Charles Lim
 
PDF
Ciber... nacion: afrontando los retos del siglo XXI
Corporacion Colombia Digital
 
PDF
¡¡Ya hemos llegado!! @socialbrainsES, @BETA_permanente y @dygytalyaCOM han na...
Paco Barranco
 
PDF
End-user computing - The Mobile Workforce Report
Dimension Data Asia Pacific
 
ODP
Building an Open Source AppSec Pipeline
Matt Tesauro
 
PDF
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
PPTX
Digital transformation: introduction to cyber risk
Mosoco Ltd
 
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
DevOps & Security: Here & Now
Checkmarx
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
OutSystems Webinar - Building a Live Style Guide
Daniel Reis
 
Software
macarenariann
 
Making Security Agile
Oleg Gryb
 
Informe scsi 2012 sobre ciberseguridad
Pablo Heraklio
 
Viii congreso isaca 2015 grc
balejandre
 
Implementing NIST Cybersecurity Framework Using COBIT 5
Francisco Javier Peris Montesinos
 
Cyberseguridad en entornos empresariales
CSUC - Consorci de Serveis Universitaris de Catalunya
 
Industrial cyber security_tgs_barcelona_jun_2015_v1.pptx
Itconic
 
ICION 2016 - Cyber Security Governance
Charles Lim
 
Ciber... nacion: afrontando los retos del siglo XXI
Corporacion Colombia Digital
 
¡¡Ya hemos llegado!! @socialbrainsES, @BETA_permanente y @dygytalyaCOM han na...
Paco Barranco
 
End-user computing - The Mobile Workforce Report
Dimension Data Asia Pacific
 
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Digital transformation: introduction to cyber risk
Mosoco Ltd
 
Ad

Similar to Application Security in an Agile World - Agile Singapore 2016 (20)

PPTX
Digital Product Security
SoftServe
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
PDF
BSides Vienna 2015
Daniel Liber
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PDF
AppSec in an Agile World
David Lindner
 
PDF
Beyond security testing
Cu Nguyen
 
PDF
Threat modelling & apps testing
Adrian Munteanu
 
PPTX
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PPTX
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
PPTX
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
PDF
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
PPTX
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
Owasp tds
snyff
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PDF
IPNEC - Security Services
Abdus Saboor
 
PDF
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Digital Product Security
SoftServe
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
BSides Vienna 2015
Daniel Liber
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
AppSec in an Agile World
David Lindner
 
Beyond security testing
Cu Nguyen
 
Threat modelling & apps testing
Adrian Munteanu
 
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
Owasp tds
snyff
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
IPNEC - Security Services
Abdus Saboor
 
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 

More from Stefan Streichsbier (10)

PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
PPTX
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Stefan Streichsbier
 
PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
PPTX
Security and Mobility Co Create Week Jakarta
Stefan Streichsbier
 
PPTX
Securing a great Developer Experience - v1.3
Stefan Streichsbier
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
Stefan Streichsbier
 
PDF
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
Stefan Streichsbier
 
PPT
DevSecOps Singapore introduction
Stefan Streichsbier
 
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Stefan Streichsbier
 
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
Security and Mobility Co Create Week Jakarta
Stefan Streichsbier
 
Securing a great Developer Experience - v1.3
Stefan Streichsbier
 
Securing a great DX - DevSecOps Days Singapore 2018
Stefan Streichsbier
 
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
Stefan Streichsbier
 
DevSecOps Singapore introduction
Stefan Streichsbier
 

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Teaching material agriculture food technology
LiaRayya
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Application Security in an Agile World - Agile Singapore 2016