APPLICATION SECURITY
THE AGILE WAY
Shirish Padalkar
Agile - Pune. November 2014
ABOUT ME
SOME QUESTIONS FIRST
HOW MANY OF YOU THINK
SECURITY IS IMPORTANT FOR PROJECT?
HOW MANY OF YOU THINK
YOU ARE
DOING SECURITY “RIGHT” ON PROJECT?
WHY SHOULD YOU CARE?
CURRENT STATE
Security review?
We will do it before we go live!
Penetration testing?
What’s the hurry?
We still have a week to go live!
IDEAL STATE
Everything is SECURE!
Defense in depth
SECURE SDLC
“… is a software development
process that helps developers build
more secure software and address
security compliance requirements
while reducing development cost."
WHAT IS DIFFERENT
IN AGILE PROJECTS?
WHAT IS DIFFERENT IN AGILE PROJECTS
CHANGING REQUIREMENTS
PROGRESSIVE DEVELOPMENT
ITERATIVE DEVELOPMENT
FREQUENT DEPLOYMENTS
OH, I GET WHY.
HOW DO I DO IT?
It all starts at the beginning
DISASTER SCENARIOS
UNAVAILABILITY OF APPLICATION
IDENTIFY NEW SECURITY STORIES
PREPARATION
SECURITY SPECIALIST
A SECURITY SPECIALIST
▫︎Understands the importance of security
▫︎Has experience in “doing” security properly
▫︎Can identify security requirements
▫︎Knows secure coding patterns
▫︎Knows how to test for security
▫︎Has coaching skills
▫︎Full time / Part time?
▫︎Internal / External?
IN ANALYSIS
IDENTIFY SECURITY REQUIREMENTS
Based on latest understanding
WRITE ABUSE CASES
“… is a type of complete interaction
between a system and one or more
actors, where the results of the
interaction are harmful to the
system, one of the actors, or one of the
stakeholders in the system"
ABUSE CASE EXAMPLE
Given User is on comments page
When User enters JavaScript as comment
Then comment should be rendered as text
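The abuse case above turned into an automated check that can run as a regression test on every build (an added example, not from the talk): `render_comment_unsafe` and `render_comment` are hypothetical stand-ins for the comments-page template, and the script comment is constructed input.

```python
import html
import re

# Constructed input for the abuse case: the "JavaScript as comment" the slide describes.
SCRIPT_COMMENT = '<script>alert("xss")</script>'


# Hypothetical comments-page template, 'before' version: the comment is
# interpolated into the page as markup, so a script tag becomes live code.
def render_comment_unsafe(comment: str) -> str:
    return f'<div class="comment">{comment}</div>'


# Hardened version of the same template: the comment is HTML-escaped, so
# angle brackets and quotes reach the browser as entities and display as text.
def render_comment(comment: str) -> str:
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


# The only markup the template itself is allowed to emit around a comment.
WRAPPER_TAGS = ['<div class="comment">', "</div>"]


def abuse_case_javascript_as_comment(render) -> dict:
    """Runs the abuse case against a template function and reports the verdict.

    Given User is on comments page
    When  User enters JavaScript as comment
    Then  comment should be rendered as text
    """
    # Given: the comments page is produced by the template under test.
    # When: the user submits JavaScript as the comment.
    page = render(SCRIPT_COMMENT)
    # Then: the only markup on the page is the template's own wrapper, and the
    # comment's angle brackets survive only as entities, i.e. as visible text.
    tags = re.findall(r"<[^>]*>", page)
    only_wrapper_markup = tags == WRAPPER_TAGS
    shown_as_text = "&lt;script&gt;" in page
    return {"passes": only_wrapper_markup and shown_as_text, "tags": tags}


if __name__ == "__main__":
    for name, template in [("unsafe", render_comment_unsafe), ("hardened", render_comment)]:
        verdict = abuse_case_javascript_as_comment(template)
        status = "PASS" if verdict["passes"] else "FAIL"
        print(f"{name:8s} -> {status} tags={verdict['tags']}")
```

The check is written against the rendered output rather than against a blocklist of payloads, so it keeps failing whenever a template change lets any comment markup through, which is what a regression security test needs.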
MARK STORIES SECURITY SENSITIVE
So that everybody pays special attention
IN DEVELOPMENT
PAIR WITH SECURITY SPECIALIST ON SECURITY SENSITIVE STORIES
SECURITY CODE REVIEWS
IN TESTING
SECURITY TESTING
MANUAL SECURITY TESTING
AUTOMATED SECURITY TESTING
REGRESSION SECURITY TESTING
FUZZING
DEPLOYMENT
ACCESS CONTROL
PACKAGE INTEGRITY
CONFIGURATION MANAGEMENT
▫︎Infrastructure as code
▫︎Infrastructure tests
▫︎Infrastructure integrity
▫︎Out-of-band changes
▫︎Configuration drift
RESOURCES
▫︎Application Security: The Agile Way
▫︎Embedding Security Testing in Development Workflow
▫︎BDD-Security Introduction
▫︎Automated Security Testing of web applications using
OWASP Zed Attack Proxy
▫︎Security Development Lifecycle - Microsoft
ThoughtWorks is hiring.
http://www.thoughtworks.com/join
THANK YOU!