Agile + SDL Concepts and Misconceptions Avi Douglen Aware Security [email protected] (972)-52-7891133 OWASP 15/09/2011 Nir Bregman Senior Project Manager, HP [email protected] (972)-54-5597038 Copyright © The OWASP Foundation Permission is granted to copy, distribute.
Agile + SDL
Concepts and Misconceptions
Avi Douglen
Aware Security
[email protected]
(972)-52-7891133
OWASP
15/09/2011
Nir Bregman
Senior Project Manager, HP
[email protected]
(972)-54-5597038
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
Introduction
Misconceptions
Problems
Concepts
Solution
OWASP
2
INTRODUCTION
“Agile” – A Definition
“… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.”
– Wikipedia
Agile Methodology – Key Features
Early feedback
Prioritized “backlog”
Inherent improvement process
Adaptive to changes
Short, incremental iterations or sprints
‘Release like’ version every iteration
Team selects “user stories”
“SDL” – A Definition
“A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.”
– Wikipedia
SDL – Microsoft Model
SDL – OWASP Model (CLASP)
SDL – Key Features
Activities for each development phase
Relatively formal process
Carefully controlled development
SDL – Main Activities
General
  Designing SDLC model
  Policies & guidelines
  Training & education
  Tools & products
Requirements Analysis
  Classification
  Security planning
  Security requirements
Architecture
  Initial Threat Modeling
  Secure Architecture
Design
  Detailed Threat Modeling
  Mitigation of threats
  Secure Design
  Formulating security guidelines
  Security Design Review
Coding
  Secure Coding
  Unit security tests
  Initial security code review
Testing
  Security push
  Regression testing
  Final security code review
  Deployment inspection
  Black box penetration tests
  Final Security Review
Maintenance
  Security response
  Secure change management
  Security bug tracking
  Metrics
  Process improvement
MISCONCEPTIONS
Agile is…
… really just “Waterfall”, repeated over and over again
SDL is…
Only good for “Waterfall” process
Agile is…
Like the “Wild West” of programming
SDL is…
Control freaks
Agile is…
Inconsistent
SDL is…
Not flexible
Agile is…
Out of control
SDL is…
Very heavy process
Agile means…
No documentation
SDL means…
lots of boring documents
Agile is…
An excuse to take shortcuts
SDL is…
Full of duplicate activities
Agile means…
No planning
SDL is…
Unnecessary, for good programmers
Agile is…
Never ending
SDL is…
Slowing down real development
Agile is…
a set of ceremonies and disconnected techniques
SDL is…
a set of ceremonies and disconnected tasks
PROBLEM
Agile + SDL = FAIL!
SDL                       Agile
Heavy                     Light
Strict process            Adaptive process
Structured phases         Short iterations
Lots of activities        “Just enough”
Predefined checkpoints    Predefined priorities
Centralized control       Independent teams
Lots o’ docs              Not so much
Assurance                 Responsibility
Agile + SDL = …?
Putting SDL on top of Agile
kind of feels like…
We’ve been doing it wrong!
CONCEPTS
Agile Philosophy For SDL
“Early Feedback” already built in
Add Security to cross-functional team
Always do “just enough” work
Focus on the current sprint backlog
Prioritize, don’t micro-manage
Training
Independent developers:
Just teach them how to do things right
Mapping SDL to Agile
Agile practice                  SDL activity
Discovery                       Security planning
Acceptance Tests                Security requirements
Non-functional stories          Security features
Integration QA                  Security testing
UserStory “Done definition”,
Sprint entry criteria,
Release completion criteria     Security tasks
“Abuser” stories                Countermeasures
Frequency-based “Wedges”
SUGGESTED SOLUTION
Ramp-up / Prerequisites
Security advisor
Coding guidelines
Regulations and policies
Training
First Discovery
Security plan
Baseline Threat Model
Security response plan
Discovery
Design review for User Stories
User Stories for security features
Review changes to Tech. Spec
Update Threat Model for features
Sprint Entry Criteria
Automated static code analysis
Fix all High+ security bugs
UserStory Done Definition
Secure coding
Focused manual code reviews
(via “eXtreme Programming”)
Build security Unit Tests
Pass security user story tests
Integration QA
In-depth manual code review
Penetration testing
Review default configuration
Release Completion Criteria
Ensure recent training
Response plan is updated
High-level security review (FSR)
“Bucket” Requirements
Verification bucket
  Fuzzing
  Binary analysis
  COM object testing
Design bucket
  Review crypto design
  Strong names
  Privacy review
Planning bucket
  Security bug bar
  Privacy test plan
  DRP / BCP
Security “Spike”
Entire Sprint focused on security
Handle “Security Debt”
Intensive search for vulnerabilities
Do cross-feature requirements
Summary
“Classic” SDL was about external control
Agile SDL is about internal control
Change from prescriptive to descriptive
Teams are expected to do the right thing
Can be even stronger than “Classic” SDL
Questions?