Slide 1

Application Security In an Agile World

Slide 2

Stefan Streichsbier, CTO at Vantage Point
Twitter: @s_streichsbier

Slide 3

A brief history of AppSec

Slide 4

What is AppSec?
✤ Let’s start with what it is not:
• Firewalls, secure network protocols
• Antivirus and phishing attacks
• Intrusion detection
• SOCs, ...

Slide 5

Firewall is locked down tight, ...only 443 is open…

Slide 6

What is AppSec?
✤ Application Security is:
• A quality aspect of your application
• It contributes to business success the same way UX design, usability and performance do.
• In other words: is my application used the way it is intended to be?

Slide 7

Why AppSec == Pain?
✤ Security was traditionally in the hands of network folks
• Suddenly, they became responsible for applications...
• ... and applied the same audit-like principles.

Slide 8

No content

Slide 9

Pentest to the rescue
✤ Things slowly evolved
• From performing “Penetration Tests” once a year
• To doing a pentest for every release (a few times a year)
Great, we all love pentests, right?

Slide 10

Pentesters after turning a report in...

Slide 11

Security

Slide 12

Meanwhile outside the security camp ...

Slide 13

[Chart: the frequency of releases over time. Y axis: releases per app per year, 0 to 140; X axis: 2005 to 2020; annotated “From Waterfall” through “Towards CD”]
The frequency increased

Slide 14

So many releases?!

Slide 15

Security DevOps

Slide 16

Agile + DevOps + Security = DevSecOps

Slide 17

Step 1: Security as part of Agile

Slide 18

Start with understanding the process
Let’s look at SCRUM
[Diagram: the Scrum cycle. Product Backlog → Sprint Backlog → sprint of 1-4 weeks (Plan, Design, Develop, Test, with a 24-hour daily loop) → Output: Shippable Increment]

Slide 19

Some general hygiene
✤ No more pdf/doc/xls!
✤ Security uses the same language as the dev team.
✤ Security as part of existing environments/workflows.
✤ Security work is completed in-cycle.
✤ Not all apps have the same security requirements.

Slide 20

Relative Cost
[Chart: relative cost to fix, based on time of detection (source: NIST). Y axis: 0x to 35x; phases: Requirements/Design, Coding, Integration Testing, Acceptance Testing, Production; Penetration Testing is annotated on the chart]

Slide 21

Secure SCRUM
[Diagram: the Scrum cycle (Product Backlog → Sprint Backlog → sprint of 1-4 weeks with Plan, Design, Develop, Test and a 24-hour daily loop → Output: Shippable Increment) with security activities overlaid]
Security activities:
- Security Training
- Security Requirements
- Security Acceptance Criteria
- Threat Modelling
- Design Review
- Pairing
- Manual Security Tests
- Automatic Security Tests
- Security Feature Demo
- Security Retrospective

Slide 22

(Security) Training

Slide 23

Are all security requirements non-functional?

Slide 24

Functional vs Non-Functional
✤ Functional security requirements are related to:
- Authentication & access control
- Data integrity
- Wrong-password lockouts
✤ Non-functional security requirements are related to:
- Password policies
- Characteristics of audit logs
- Backups

Slide 25

(Security) Requirements
• It all starts with the backlog, and security is a part of this:
• 1. As an anonymous user I want to see the entire book selection, ...
• 2. As a logged-in user I want to see my entire purchase history, ...
• 3. As a customer I want to ensure my privacy when using a public wifi, ...
- User story and its acceptance criteria are unrelated to security
- User story and its acceptance criteria are security sensitive [tagged]
- “One-off” (security) user story [tagged]

Slide 26

Secure by Design
✓ Architecture & design review & threat modelling: think like a hacker
✓ Design guidelines are invaluable: use existing design patterns
✓ Helps to reduce the ongoing amount of work

Slide 27

Secure Coding
✤ Assorted secure coding guidelines in the repo
✤ Pairing for more complex stories
✤ Pull requests for security-relevant stories are reviewed
- Code reviews are important (especially for increased speed).

Slide 28

99% of unit tests passed

Slide 29

Security Unit Tests
✤ Code coverage is a key aspect of quality; 100% is just the beginning
✤ Security-related acceptance criteria make a difference, both for manual and automated tests
✤ The more that is automated, the better

Slide 30

Security Unit Tests
✤ Open source projects can help
- Gauntlt
- BDD-Security
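The deck asks for security acceptance criteria to be written as tests (slides 24, 25 and 29). The following is an added example, not code from the deck or from Gauntlt/BDD-Security: a minimal login service whose security requirements from the "functional vs non-functional" slide (wrong-password lockout, password policy, audit log characteristics) are each pinned down by a unit test. The lockout threshold, the password policy and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import unittest
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # assumed acceptance criterion for "wrong-password lockouts"
MIN_PASSWORD_LENGTH = 12    # assumed password policy (non-functional requirement)
PBKDF2_ITERATIONS = 50_000  # kept low so the tests run quickly; production should use more


def password_meets_policy(password: str) -> bool:
    """Non-functional requirement: minimum length plus upper, lower and digit classes."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    def __init__(self):
        self._accounts = {}
        self.audit_log = []  # (event, username) tuples; must never contain secrets

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            # An unknown user takes the same failure path as a wrong password.
            self.audit_log.append(("login_failed", username))
            return False
        if acct.locked:
            self.audit_log.append(("login_rejected_locked", username))
            return False
        if hmac.compare_digest(acct.digest, _hash_password(password, acct.salt)):
            acct.failed_attempts = 0
            self.audit_log.append(("login_ok", username))
            return True
        acct.failed_attempts += 1
        self.audit_log.append(("login_failed", username))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self.audit_log.append(("account_locked", username))
        return False


class SecurityAcceptanceTests(unittest.TestCase):
    """Each test is one security acceptance criterion of the login story."""

    def setUp(self):
        self.auth = AuthService()
        self.auth.register("alice", "Correct-Horse-Battery-9")

    def test_lockout_after_repeated_wrong_passwords(self):
        for _ in range(MAX_FAILED_ATTEMPTS):
            self.assertFalse(self.auth.login("alice", "wrong-password"))
        # Functional requirement: once locked, even the right password is refused.
        self.assertFalse(self.auth.login("alice", "Correct-Horse-Battery-9"))
        self.assertIn(("account_locked", "alice"), self.auth.audit_log)

    def test_password_policy_is_enforced_at_registration(self):
        with self.assertRaises(ValueError):
            self.auth.register("bob", "short")

    def test_audit_log_never_records_passwords(self):
        self.auth.login("alice", "wrong-password")
        self.assertFalse(any("wrong-password" in str(e) for e in self.auth.audit_log))


if __name__ == "__main__":
    unittest.main()
```

Running the file executes the three acceptance tests in-cycle with the rest of the suite, which is the point of the slide: a security requirement that has a failing test attached to it is tracked like any other backlog item rather than living in a pentest PDF.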

Slide 31

Sprint Review & Retro
✤ Continue demonstrating the new attributes/features and their impact on users
✤ What were the security considerations for this new feature?
✤ In the retrospective, share those lessons learned

Slide 32

Is security hard?

Slide 33

Security Debt Burndown
[Chart: X axis Jan to November, Y axis 0 to 120; series: “% Remaining Security work” and “% App Robustness, Security Skills”]

Slide 34

Step 2: DevSecOps

Slide 35

No content

Slide 36

No content

Slide 37

No content

Slide 38

AppSec Pipeline
[Diagram: pipeline stages feeding a central Vulnerability Repository]
• Security Unit Tests
• SAST
• SCA
• DAST
• IAST
• VA
• Security as Code
• RASP
• NG WAF
• Red Team
• GOPT
• Actual Attackers
• Sec Requirements
• Design Review
• Threat Modelling
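The pipeline slide puts a Vulnerability Repository at the centre of SAST, SCA, DAST, IAST and the other stages. The block below is an added example, not the deck's or any tool's code: it normalises findings from three assumed tool output shapes into one record, collapses re-reports of the same issue by fingerprint, records which stages saw it, and gates the build on open findings at or above a severity threshold, with a documented risk acceptance as the way to unblock. All sample findings are constructed for the example and are not real scan results.

```python
# Added example (not from the deck): a minimal vulnerability repository and build gate.
import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    source: str       # pipeline stage that reported it: sast, iast, sca, dast, ...
    severity: str     # normalised to lower case
    title: str        # rule, advisory or alert name
    location: str     # file:line, package@version or URL
    fingerprint: str  # stable id so the same issue reported twice is stored once


def fingerprint(title: str, location: str) -> str:
    return hashlib.sha256(f"{title}|{location}".encode()).hexdigest()[:16]


# Normalisers: every tool has its own output shape (assumed here); the repository stores one.
def from_code_scanner(raw: dict, source: str = "sast") -> Finding:
    loc = f"{raw['file']}:{raw['line']}"
    return Finding(source, raw["severity"].lower(), raw["rule"], loc, fingerprint(raw["rule"], loc))


def from_sca(raw: dict) -> Finding:
    loc = f"{raw['package']}@{raw['version']}"
    return Finding("sca", raw["severity"].lower(), raw["advisory"], loc, fingerprint(raw["advisory"], loc))


def from_dast(raw: dict) -> Finding:
    return Finding("dast", raw["risk"].lower(), raw["alert"], raw["url"], fingerprint(raw["alert"], raw["url"]))


class VulnerabilityRepository:
    def __init__(self):
        self._findings = {}    # fingerprint -> Finding (first report wins)
        self._sources = {}     # fingerprint -> set of stages that reported it
        self.accepted = set()  # fingerprints with a documented risk acceptance

    def add(self, finding: Finding) -> None:
        self._findings.setdefault(finding.fingerprint, finding)
        self._sources.setdefault(finding.fingerprint, set()).add(finding.source)

    def open_findings(self) -> list:
        return [f for fp, f in self._findings.items() if fp not in self.accepted]

    def reported_by(self, fp: str) -> set:
        return self._sources.get(fp, set())


def gate(repo: VulnerabilityRepository, fail_at: str = "high"):
    """Pipeline gate: returns (passed, open findings at or above the threshold)."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in repo.open_findings() if SEVERITY_RANK[f.severity] >= threshold]
    return len(blocking) == 0, blocking


# Constructed sample tool output; none of it is a real scan result.
SAMPLE_SAST = [
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "High"},
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "High"},  # re-reported
    {"rule": "weak-hash-md5", "file": "app/legacy.py", "line": 7, "severity": "Medium"},
]
SAMPLE_IAST = [  # the same issue observed at runtime; correlates with the SAST finding
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "High"},
]
SAMPLE_SCA = [
    {"advisory": "EXAMPLE-ADVISORY-1", "package": "somelib", "version": "1.2.3", "severity": "Critical"},
]
SAMPLE_DAST = [
    {"alert": "Missing X-Frame-Options", "url": "https://staging.example/login", "risk": "Low"},
]


def build_repository() -> VulnerabilityRepository:
    repo = VulnerabilityRepository()
    for raw in SAMPLE_SAST:
        repo.add(from_code_scanner(raw, "sast"))
    for raw in SAMPLE_IAST:
        repo.add(from_code_scanner(raw, "iast"))
    for raw in SAMPLE_SCA:
        repo.add(from_sca(raw))
    for raw in SAMPLE_DAST:
        repo.add(from_dast(raw))
    return repo


if __name__ == "__main__":
    repo = build_repository()
    passed, blocking = gate(repo)
    print("gate passed:", passed)
    for f in blocking:
        via = ", ".join(sorted(repo.reported_by(f.fingerprint)))
        print(f"  [{f.severity}] {f.title} at {f.location} (reported by {via})")
```

With the constructed input the repository holds four distinct findings (the SQL injection reported three times across SAST and IAST counts once) and the gate fails on the high and critical ones; accepting the critical advisory by fingerprint leaves a single blocker. Keying everything on a stable fingerprint is what lets the same repository serve tickets, dashboards and the build gate without double-counting.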

Slide 39

Instead of this ...

Slide 40

...Let’s do this...

Slide 41

Announcements
DevSecCon Asia 2017

Slide 42

From Zero to Hero
✤ Start with embedding your friendly AppSec guy
✤ Transfer knowledge, find a security champion
✤ Step back and advise
✤ Iterate continuously, don’t go for big bang
✤ Keep adding automation
✤ Churn out awesome (& secure) releases at the speed of DevOps

Slide 43

Questions?
Stefan Streichsbier
[email protected]
@s_streichsbier
https://devsecopssg.herokuapp.com

Slide 44

References
• https://www.infoq.com/presentations/Facebook-Moving-Fast-at-Scale
• Jeff Williams, 2013 AppSec USA: https://www.youtube.com/watch?v=cIvOth0fxmI&t=377
• http://blog.diniscruz.com
• https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• http://www.slideshare.net/SeniorStoryteller/amy-demartine-7-habits-of-rugged-devops