Application Security in an Agile World - Stefan Streichsbier - Agile SG 2016

Transcript

1. Application Security In an Agile World

2. Stefan Streichsbier CTO at Vantage Point Twitter: @s_streichsbier

3. A brief history of AppSec

4. ✤ Let’s start with what it is not: • Firewalls,

   secure network protocols, • Antivirus and Phishing attacks • Intrusion Detection • SoCs, ... What is AppSec?

5. Firewall is locked down tight, ...only 443 is open…

6. ✤ Application Security is: • A quality aspect of your

   application • And contributes to the business success the same way UX Design, Usability and Performance do. • In other words, is my application used the way it is intended to. What is AppSec?

7. ✤ Security was traditionally in the hands of Network folks

   • Suddenly, they become responsible for applications... • ... And applied the same audit-like principals. Why AppSec == Pain?
8. None

9. ✤ Things slowly evolved • From performing “Penetration Tests” once

   a year • To doing a Pentest for every release (a few times a year) Pentest to the rescue Great, we all love Pentests, right?

10. Pentesters after turning a report in...

11. Security

12. Meanwhile outside the security camp ...

13. 0 20 40 60 80 100 120 140 2005 2010

    2015 2020 The frequency of releases over time Releases per app per year Towards CD From Waterfall The frequency increased

14. 14 So many releases?!

15. Security DevOps

16. 16 Agile + DevOps + Security = DevSecOps

17. Step 1: Security as part of Agile

18. 1-4 Weeks 24 hours Develop Test Design Plan Output Shippable

    Increment Product Backlog Sprint Backlog Let’s look at SCRUM Start with understanding the process

19. ✤ No more pdf/doc/xls! ✤ Security uses the same language

    as the dev team. ✤ Security as part of existing environments/workflows. ✤ Security work is completed in-cycle. ✤ Not all apps have the same security requirements. Some general hygiene

20. 0x 5x 10x 15x 20x 25x 30x 35x Requirements/Design Coding

    Integration Testing Acceptance Testing Production Relative Cost to fix, based on time of detection Penetration Testing Source: NIST Relative Cost

21. 1-4 Weeks 24 hours Develop Test Design Plan Output Shippable

    Increment Product Backlog Sprint Backlog Secure SCRUM Security Training Security Requirements Security Activities Threat Modelling Design Review Pairing Manual Security Tests Automatic Security Tests Security Feature Demo Security Retrospective Security Acceptance Criteria

22. (Security) Training

23. Are all security requirements non-functional?

24. ✤ Functional security requirement are related to: - Authentication &

    Access Control - Data Integrity - Wrong password lockouts ✤ Non-functional requirements are related to: - Password policies - Characteristics of audit logs - Backups Functional vs Non-Functional

25. • It all starts with the backlog & security is

    a part of this: • 1. As an anonymous user I want to see the entire book selection, ... • 2. As a logged-in user I want to see my entire purchase history, ... • 3. As a customer I want to ensure my privacy when using a public wifi , ... (Security) Requirements - User Story and it’s acceptance criteria is unrelated to security - User Story and it’s acceptance criteria is security sensitive [tagged] - “One-off” (Security) User story [tagged]

26. v Architecture & Design Review & Threat Modelling Think like

    a hacker v Design Guidelines are invaluable. Use existing design patterns v Helps to reducing the ongoing amount of work Secure by Design

27. ✤ Assorted Secure Coding Guidelines in the repo ✤ Pairing

    for more complex stories ✤ Pull requests for security relevant stories are reviewed - Code reviews are important (especially for increased speed). Secure Coding

28. 99% of unit tests passed

29. ✤ Code coverage is key aspect of quality 100% is

    just the beginning ✤ Security related acceptance criteria makes a difference Both for manual and automated tests ✤ The more that is automated the better Security Unit Tests

30. ✤ Open source projects can help - Gauntlt - BDD-Security

    Security Unit Tests

31. ✤ Continue demonstrating the new attributes/features and their impact on

    users ✤ What were the security considerations for this new feature ✤ In the retrospective share those lessons learned Sprint Review & Retro

32. Is security hard?

33. 0 20 40 60 80 100 120 Jan March May

    July September November % Remaining Security work % App Robustness, Security Skills Security Debt Burndown

34. Step 2: DevSecOps

35. None
36. None
37. None

38. Vulnerability Repository • Security Unit Tests • SAST • SCA

    • DAST • IAST • VA • Security as Code • RASP • NG WAF • Red Team • GOPT • Actual Attackers • Sec Requirements • Design Review • Threat Modelling AppSec Pipeline

39. Instead of this ...

40. ...Let’s do this...

41. Announcements DevSecCon Asia 2017

42. ✤ Start with embedding your friendly AppSec guy ✤ Transfer

    knowledge, find a security champion ✤ Step back and advise ✤ Iterate continuously– don’t go for big bang ✤ Keep adding automation ✤ Churn out awesome (& secure) releases at the speed of DevOps From Zero to Hero

43. [email protected] @s_streichsbier Stefan Streichsbier https://devsecopssg.herokuapp.com Questions?

44. References • https://www.infoq.com/presentations/Facebook-Moving-Fast-at-Scale • Jeff Williams: 2013 Appsec USA: https://www.youtube.com/watch?v=cIvOth0fxmI&t=377

    • http://blog.diniscruz.com • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline • http://www.slideshare.net/SeniorStoryteller/amy-demartine-7-habits-of-rugged-devops