Slide 1: Agile + SDL: Concepts and Misconceptions
Avi Douglen, Aware Security, [email protected], (972)-52-7891133
Nir Bregman, Senior Project Manager, HP, [email protected], (972)-54-5597038
OWASP, 15/09/2011
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2: Agenda
- Introduction
- Misconceptions
- Problems
- Concepts
- Solution

Slide 3: INTRODUCTION

Slide 4: "Agile" – A Definition
"… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams." – Wikipedia

Slide 5: Agile Methodology – Key Features
- Early feedback
- Prioritized "backlog"
- Inherent improvement process
- Adaptive to changes
- Short, incremental iterations or sprints
- "Release like" version every iteration
- Team selects "user stories"

Slide 6: "SDL" – A Definition
"A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security." – Wikipedia

Slide 7: SDL – Microsoft Model (diagram)

Slide 8: SDL – OWASP Model (CLASP) (diagram)

Slide 9: SDL – Key Features
- Activities for each development phase
- Relatively formal process
- Carefully controlled development

Slide 10: SDL – Main Activities (activities listed per development phase)
General: Designing SDLC model; Policies & guidelines; Training & education; Tools & products
Requirements Analysis: Classification; Security planning; Security requirements
Architecture: Initial Threat Modeling; Secure Architecture
Design: Detailed Threat Modeling; Mitigation of threats; Secure Design; Formulating security guidelines; Security Design Review
Coding: Secure Coding; Unit security tests; Initial security code review
Testing: Security push; Regression testing; Final security code review; Deployment inspection; Black box penetration tests; Final Security Review
Maintenance: Security response; Secure change management; Security bug tracking; Metrics; Process improvement

Slide 11: MISCONCEPTIONS

Slide 12: Agile is… really just "Waterfall", repeated over and over again
Slide 13: SDL is… only good for a "Waterfall" process
Slide 14: Agile is… like the "Wild West" of programming
Slide 15: SDL is… control freaks
Slide 16: Agile is… inconsistent
Slide 17: SDL is… not flexible
Slide 18: Agile is… out of control
Slide 19: SDL is… a very heavy process
Slide 20: Agile means… no documentation
Slide 21: SDL means… lots of boring documents
Slide 22: Agile is… an excuse to take shortcuts
Slide 23: SDL is… full of duplicate activities
Slide 24: Agile means… no planning
Slide 25: SDL is… unnecessary for good programmers
Slide 26: Agile is… never ending
Slide 27: SDL is… slowing down real development
Slide 28: Agile is… a set of ceremonies and disconnected techniques
Slide 29: SDL is… a set of ceremonies and disconnected tasks

Slide 30: PROBLEM

Slide 31: Agile + SDL = FAIL! SDL: heavy / Agile: light
Slide 32: Agile + SDL = FAIL! SDL: strict process / Agile: adaptive process
Slide 33: Agile + SDL = FAIL! SDL: structured phases / Agile: short iterations
Slide 34: Agile + SDL = FAIL! SDL: lots of activities / Agile: "just enough"
Slide 35: Agile + SDL = FAIL! SDL: predefined checkpoints / Agile: predefined priorities
Slide 36: Agile + SDL = FAIL! SDL: centralized control / Agile: independent teams
Slide 37: Agile + SDL = FAIL! SDL: lots o' docs / Agile: not so much
Slide 38: Agile + SDL = FAIL! SDL: assurance / Agile: responsibility

Slide 39: Agile + SDL = …? Putting SDL on top of Agile kind of feels like…

Slide 40: (image)

Slide 41: We've been doing it wrong!
Slide 42: CONCEPTS

Slide 43: Agile Philosophy For SDL
- "Early feedback" is already built in
- Add Security to the cross-functional team
- Always do "just enough" work
- Focus on the current sprint backlog
- Prioritize, don't micro-manage

Slide 44: Training
- Independent developers: just teach them how to do things right

Slide 45: Mapping SDL to Agile: Discovery → Security planning
Slide 46: Mapping SDL to Agile: Acceptance Tests → Security requirements
Slide 47: Mapping SDL to Agile: Non-functional stories → Security features
Slide 48: Mapping SDL to Agile: Integration QA → Security testing
Slide 49: Mapping SDL to Agile: UserStory "Done definition", Sprint entry criteria, Release completion criteria → Security tasks
Slide 50: Mapping SDL to Agile: "Abuser" stories → Countermeasures

Slide 51: Frequency-based "Wedges"

Slide 52: SUGGESTED SOLUTION

Slide 53: Ramp-up / Prerequisites
- Security advisor
- Coding guidelines
- Regulations and policies
- Training

Slide 54: First Discovery
- Security plan
- Baseline Threat Model
- Security response plan

Slide 55: Discovery
- Design review for User Stories
- User Stories for security features
- Review changes to Tech. Spec
- Update Threat Model for features

Slide 56: Sprint Entry Criteria
- Automated static code analysis
- Fix all High+ security bugs

Slide 57: UserStory Done Definition
- Secure coding
- Focused manual code reviews (via "eXtreme Programming")
- Build security Unit Tests
- Pass security user story tests

Slide 58: Integration QA
- In-depth manual code review
- Penetration testing
- Review default configuration

Slide 59: Release Completion Criteria
- Ensure recent training
- Response plan is updated
- High-level security review (FSR)

Slide 60: "Bucket" Requirements
- Verification bucket: Fuzzing; Binary analysis; COM object testing
- Design bucket: Review crypto design; Strong names; Privacy review
- Planning bucket: Security bug bar; Privacy test plan; DRP / BCP

Slide 61: Security "Spike"
- Entire Sprint focused on security
- Handle "Security Debt"
- Intensive search for vulnerabilities
- Do cross-feature requirements

Slide 62: Summary
- "Classic" SDL was about external control
- Agile SDL is about internal control
- Change from prescriptive to descriptive
- Teams are expected to do the right thing
- Can be even stronger than "Classic" SDL

Slide 63: Questions?
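The Sprint Entry Criteria slide ("automated static code analysis, fix all High+ security bugs") and the Planning bucket's "security bug bar" describe a gate a team can automate. The following is an added example, not code from the talk or its authors; it assumes a SARIF-like JSON report shape and a constructed rule set, and shows the gate also honouring documented, per-location accepted exceptions.

```python
"""Sprint entry gate: block the sprint when static analysis reports any
finding at or above the team's security bug bar. Added example; the
report and rule set below are constructed, not output of a real tool."""
import json

# Bug bar ranks; the slide's "High+" means rank(high) and above.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed SARIF-style report from a hypothetical static analyser.
SAMPLE_REPORT = json.dumps({"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "SQLI-001", "properties": {"severity": "critical"}},
        {"id": "XSS-002", "properties": {"severity": "high"}},
        {"id": "LOG-003", "properties": {"severity": "low"}}]}},
    "results": [
        {"ruleId": "SQLI-001", "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "orders/dao.py"}}}]},
        {"ruleId": "XSS-002", "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "web/views.py"}}}]},
        {"ruleId": "LOG-003", "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "web/views.py"}}}]}]}]})


def load_findings(report_json):
    """Return (rule_id, severity, file) tuples; severity comes from the
    run's rule table, and a rule without one is treated as medium rather
    than silently dropped."""
    findings = []
    for run in json.loads(report_json)["runs"]:
        rules = {r["id"]: r.get("properties", {}).get("severity", "medium")
                 for r in run["tool"]["driver"]["rules"]}
        for res in run["results"]:
            uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            findings.append((res["ruleId"], rules.get(res["ruleId"], "medium"), uri))
    return findings


def sprint_entry_gate(report_json, bug_bar="high", accepted=frozenset()):
    """Apply the bug bar. `accepted` holds (rule_id, file) pairs the team has
    explicitly risk-accepted; everything else at or above the bar blocks."""
    bar = SEVERITY_RANK[bug_bar]
    blocking = [f for f in load_findings(report_json)
                if SEVERITY_RANK.get(f[1], bar) >= bar and (f[0], f[2]) not in accepted]
    return {"ok": not blocking, "blocking": blocking}


if __name__ == "__main__":
    print(sprint_entry_gate(SAMPLE_REPORT))
```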