
Application Security in an Agile World - Stefan Streichsbier - Agile SG 2016

Presented in Agile Singapore 2016 conference

Agile Singapore

October 06, 2016

Transcript

  1. Application Security In an Agile World

  2. Stefan Streichsbier, CTO at Vantage Point. Twitter: @s_streichsbier

  3. A brief history of AppSec

  4. What is AppSec?
     ✤ Let’s start with what it is not:
       • Firewalls, secure network protocols
       • Antivirus and phishing attacks
       • Intrusion Detection
       • SOCs, ...
  5. Firewall is locked down tight, ...only 443 is open…

  6. What is AppSec?
     ✤ Application Security is:
       • A quality aspect of your application
       • And contributes to the business success the same way UX Design, Usability and Performance do.
       • In other words: is my application used only the way it is intended to be?
  7. Why AppSec == Pain?
     ✤ Security was traditionally in the hands of network folks
       • Suddenly, they became responsible for applications...
       • ... and applied the same audit-like principles.
  8. None
  9. Pentest to the rescue
     ✤ Things slowly evolved
       • From performing “Penetration Tests” once a year
       • To doing a Pentest for every release (a few times a year)
     Great, we all love Pentests, right?
  10. Pentesters after turning a report in...

  11. Security

  12. Meanwhile outside the security camp ...

  13. The frequency increased
     [Chart: The frequency of releases over time. Y axis: releases per app per year (0 to 140); X axis: 2005 to 2020, from Waterfall towards CD.]
  14. So many releases?!

  15. Security DevOps

  16. Agile + DevOps + Security = DevSecOps

  17. Step 1: Security as part of Agile

  18. Let’s look at SCRUM
     Start with understanding the process.
     [Diagram: Product Backlog -> Sprint Backlog -> Sprint of 1-4 weeks (Plan, Design, Develop, Test, with a 24-hour daily cycle) -> Output: Shippable Increment.]
  19. Some general hygiene
     ✤ No more pdf/doc/xls!
     ✤ Security uses the same language as the dev team.
     ✤ Security as part of existing environments/workflows.
     ✤ Security work is completed in-cycle.
     ✤ Not all apps have the same security requirements.
  20. Relative Cost
     [Chart: Relative cost to fix, based on time of detection. Scale 0x to 35x. Phases: Requirements/Design, Coding, Integration Testing, Acceptance Testing, Production; Penetration Testing is marked on the chart. Source: NIST.]
  21. Secure SCRUM
     [Diagram: the same Scrum process as slide 18 (Product Backlog -> Sprint Backlog -> Sprint of 1-4 weeks with Plan, Design, Develop, Test -> Shippable Increment), annotated with security activities.]
     Security activities:
       • Security Training
       • Security Requirements
       • Security Acceptance Criteria
       • Threat Modelling
       • Design Review
       • Pairing
       • Manual Security Tests
       • Automatic Security Tests
       • Security Feature Demo
       • Security Retrospective
  22. (Security) Training

  23. Are all security requirements non-functional?

  24. Functional vs Non-Functional
     ✤ Functional security requirements are related to:
       - Authentication & Access Control
       - Data Integrity
       - Wrong password lockouts
     ✤ Non-functional requirements are related to:
       - Password policies
       - Characteristics of audit logs
       - Backups
  25. (Security) Requirements
     • It all starts with the backlog & security is a part of this:
       1. As an anonymous user I want to see the entire book selection, ...
       2. As a logged-in user I want to see my entire purchase history, ...
       3. As a customer I want to ensure my privacy when using a public wifi, ...
     Legend:
       - User story and its acceptance criteria are unrelated to security
       - User story and its acceptance criteria are security sensitive [tagged]
       - “One-off” (Security) user story [tagged]
  26. Secure by Design
     ✤ Architecture & Design Review & Threat Modelling: think like a hacker
     ✤ Design Guidelines are invaluable. Use existing design patterns
     ✤ Helps reduce the ongoing amount of work
  27. Secure Coding
     ✤ Assorted Secure Coding Guidelines in the repo
     ✤ Pairing for more complex stories
     ✤ Pull requests for security relevant stories are reviewed
       - Code reviews are important (especially for increased speed).
  28. 99% of unit tests passed

  29. Security Unit Tests
     ✤ Code coverage is a key aspect of quality. 100% is just the beginning
     ✤ Security related acceptance criteria make a difference, both for manual and automated tests
     ✤ The more that is automated the better
  30. Security Unit Tests
     ✤ Open source projects can help
       - Gauntlt
       - BDD-Security
  31. Sprint Review & Retro
     ✤ Continue demonstrating the new attributes/features and their impact on users
     ✤ What were the security considerations for this new feature?
     ✤ In the retrospective, share those lessons learned
  32. Is security hard?

  33. Security Debt Burndown
     [Chart: Jan to November, scale 0 to 120. Series: % Remaining Security work; % App Robustness, Security Skills.]
  34. Step 2: DevSecOps

  35. None
  36. None
  37. None
  38. AppSec Pipeline
     Vulnerability Repository, fed by:
       • Sec Requirements • Design Review • Threat Modelling
       • Security Unit Tests • SAST • SCA
       • DAST • IAST • VA • Security as Code
       • RASP • NG WAF
       • Red Team • GOPT • Actual Attackers
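The pipeline slide shows every activity (SAST, SCA, DAST, IAST, unit tests, red team, ...) feeding one vulnerability repository, with "Security as Code" deciding what the pipeline does with the results. The block below is an added example, not from the deck or any of the tools it names: it normalises constructed findings from several stages into a deduplicated repository keyed by a fingerprint, and applies an assumed gate policy ("fail the build on any open finding of high severity or worse") so that a finding reported by two tools blocks once, and a finding already triaged as accepted risk does not block at all.

```python
"""Build gate over a vulnerability repository (added example, not the deck's code).

Assumptions: findings from each stage are normalised to
{"rule", "location", "severity"}; the repository is a dict keyed by a
fingerprint of rule+location; the gate policy is FAIL_AT = "high".
"""
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_AT = "high"  # assumed policy: open findings at or above this block the build


def fingerprint(finding: dict) -> str:
    """Tool-independent identity so the same issue found twice is stored once."""
    key = f"{finding['rule']}|{finding['location']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def merge_findings(repo: dict, tool_outputs: dict) -> list:
    """Merge {stage: [finding, ...]} into repo; returns fingerprints that are new."""
    new = []
    for stage, findings in tool_outputs.items():
        for f in findings:
            fp = fingerprint(f)
            if fp not in repo:
                repo[fp] = {"rule": f["rule"], "location": f["location"],
                            "severity": f["severity"], "stages": set(), "status": "open"}
                new.append(fp)
            entry = repo[fp]
            entry["stages"].add(stage)
            # Keep the highest severity any stage reported for this issue.
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    return new


def triage(repo: dict, fp: str, status: str) -> None:
    """Record a human decision: 'fixed', 'accepted' (risk accepted) or 'open'."""
    if status not in {"open", "fixed", "accepted"}:
        raise ValueError(f"unknown status {status!r}")
    repo[fp]["status"] = status


def gate(repo: dict, fail_at: str = FAIL_AT) -> tuple:
    """Returns (passed, blocking_fingerprints) under the assumed policy."""
    blocking = sorted(
        fp for fp, e in repo.items()
        if e["status"] == "open" and SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK[fail_at]
    )
    return (len(blocking) == 0, blocking)


# Constructed stage outputs for one pipeline run (not real scan results).
SAMPLE_RUN = {
    "sast": [
        {"rule": "sql-injection", "location": "app/orders.py:42", "severity": "high"},
        {"rule": "weak-hash-md5", "location": "app/legacy.py:10", "severity": "medium"},
    ],
    "iast": [
        # Same issue as SAST, confirmed at runtime with a higher severity.
        {"rule": "sql-injection", "location": "app/orders.py:42", "severity": "critical"},
    ],
    "sca": [
        {"rule": "vulnerable-dependency", "location": "examplelib@1.2.3", "severity": "medium"},
    ],
}


def run_pipeline(repo: dict, tool_outputs: dict) -> dict:
    """One pipeline run: merge, then gate. Returns a small summary."""
    new = merge_findings(repo, tool_outputs)
    passed, blocking = gate(repo)
    return {"new": new, "passed": passed, "blocking": blocking, "total": len(repo)}


if __name__ == "__main__":
    repo = {}
    summary = run_pipeline(repo, SAMPLE_RUN)
    print("first run:", summary)
    for fp in summary["blocking"]:
        e = repo[fp]
        print(f"  blocking {e['rule']} at {e['location']} [{e['severity']}] from {sorted(e['stages'])}")
```

Running the constructed sample once yields three repository entries from four raw findings, with the SQL injection recorded at severity critical and attributed to both SAST and IAST, so the first run fails on exactly that one entry; marking it fixed and re-running the gate passes.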
  39. Instead of this ...

  40. ...Let’s do this...

  41. Announcements DevSecCon Asia 2017

  42. From Zero to Hero
     ✤ Start with embedding your friendly AppSec guy
     ✤ Transfer knowledge, find a security champion
     ✤ Step back and advise
     ✤ Iterate continuously, don’t go for big bang
     ✤ Keep adding automation
     ✤ Churn out awesome (& secure) releases at the speed of DevOps
  43. Questions?
     Stefan Streichsbier
     stefan@vantagepoint.sg
     @s_streichsbier
     https://devsecopssg.herokuapp.com

  44. References
     • https://www.infoq.com/presentations/Facebook-Moving-Fast-at-Scale
     • Jeff Williams, AppSec USA 2013: https://www.youtube.com/watch?v=cIvOth0fxmI&t=377
     • http://blog.diniscruz.com
     • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
     • http://www.slideshare.net/SeniorStoryteller/amy-demartine-7-habits-of-rugged-devops