Slide 1

APPLICATION SECURITY THE AGILE WAY
Shirish Padalkar, Agile - Pune, November 2014

Slide 2

ABOUT ME

Slide 3

ABOUT ME

Slide 4

SOME QUESTIONS FIRST https://flic.kr/p/2vgyWN

Slide 5

HOW MANY OF YOU THINK SECURITY IS IMPORTANT FOR A PROJECT?

Slide 6

HOW MANY OF YOU THINK YOU ARE DOING SECURITY “RIGHT” ON A PROJECT?

Slide 7

WHY SHOULD YOU CARE?

Slide 8

CURRENT STATE

Slide 9

https://flic.kr/p/dq38oj

Slide 10

Security review? We will do it before we go live!

Slide 11

Penetration testing? What’s the hurry? We still have a week to go live!

Slide 12

IDEAL STATE

Slide 13

Everything is SECURE! https://flic.kr/p/34T4Z

Slide 14

Defense in depth https://flic.kr/p/34T4Z https://flic.kr/p/5UshcL

Slide 15

SECURE SDLC

Slide 16

SECURE SDLC

Slide 17

“… is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.”

Slide 18

WHAT IS DIFFERENT IN AGILE PROJECTS?

Slide 19

WHAT IS DIFFERENT IN AGILE PROJECTS: CHANGING REQUIREMENTS

Slide 20

WHAT IS DIFFERENT IN AGILE PROJECTS: PROGRESSIVE DEVELOPMENT

Slide 21

WHAT IS DIFFERENT IN AGILE PROJECTS: ITERATIVE DEVELOPMENT

Slide 22

WHAT IS DIFFERENT IN AGILE PROJECTS: FREQUENT DEPLOYMENTS

Slide 23

OH, I GET WHY. HOW DO I DO IT?

Slide 24

It all starts at the beginning https://flic.kr/p/cS8Hed

Slide 25

INCEPTION https://flic.kr/p/8GW6WZ

Slide 26

IDENTIFY SECURITY OBJECTIVES https://flic.kr/p/6J9dhX

Slide 27

HIGH LEVEL SECURITY OBJECTIVES: COMPLIANCE
PCI DSS, SOX, HIPAA, DPA, privacy laws

Slide 28

HIGH LEVEL SECURITY OBJECTIVES: LEGAL
Intellectual property, contractual obligations

Slide 29

HIGH LEVEL SECURITY OBJECTIVES: POLICIES AND STANDARDS

Slide 30

IDENTIFY BAD ACTORS https://flic.kr/p/aN98Gp

Slide 31

BAD ACTORS: COMPETITORS

Slide 32

BAD ACTORS: GOVERNMENT

Slide 33

BAD ACTORS: POLITICAL

Slide 34

BAD ACTORS: HACKTIVISTS

Slide 35

BAD ACTORS: EMPLOYEES

Slide 36

BAD ACTORS: PARTNERS

Slide 37

IDENTIFY ASSETS https://flic.kr/p/dTUAhR

Slide 38

“An asset is anything that has value to an adversary.”

Slide 39

ASSETS: DATA

Slide 40

ASSETS: INTELLECTUAL PROPERTY

Slide 41

ASSETS: SECRET BUSINESS RULES

Slide 42

ASSETS: SYSTEMS

Slide 43

IDENTIFY DISASTER SCENARIOS https://flic.kr/p/bD7ciD

Slide 44

DISASTER SCENARIOS: DATA BREACH

Slide 45

DISASTER SCENARIOS: UNAUTHORIZED DISCLOSURE

Slide 46

DISASTER SCENARIOS: UNAVAILABILITY OF THE APPLICATION

Slide 47

IDENTIFY NEW SECURITY STORIES https://flic.kr/p/5a5d3b

Slide 48

PREPARATION https://flic.kr/p/gKtPYu

Slide 49

SECURITY SPECIALIST https://flic.kr/p/cHyzud

Slide 50

A SECURITY SPECIALIST
▫︎ Understands the importance of security
▫︎ Has experience in “doing” security properly
▫︎ Can identify security requirements
▫︎ Knows secure coding patterns
▫︎ Knows how to test for security
▫︎ Has coaching skills
▫︎ Full time / part time?
▫︎ Internal / external?

Slide 51

TOOLS & LIBRARIES https://flic.kr/p/njnkhT https://flic.kr/p/hQQFyG

Slide 52

TOOLS: LANGUAGES

Slide 53

TOOLS: LIBRARIES

Slide 54

TOOLS: CODE ANALYSIS TOOL
Static / dynamic code analysis?

Slide 55

TRAININGS https://flic.kr/p/njnkhT

Slide 56

TRAININGS
▫︎ For BAs
  ▫︎ Identify security requirements
  ▫︎ Write stories considering security requirements
▫︎ For Developers
  ▫︎ Secure coding guidelines
  ▫︎ Secure coding patterns
▫︎ For QAs
  ▫︎ Security testing
  ▫︎ Automation?

Slide 57

ONGOING ITERATIONS https://flic.kr/p/auuCWk

Slide 58

IN ANALYSIS: IDENTIFY SECURITY REQUIREMENTS
Based on the latest understanding

Slide 59

IN ANALYSIS: WRITE ABUSE CASES

Slide 60

“… is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system.”

Slide 61

ABUSE CASE EXAMPLE
Given the user is on the comments page
When the user enters JavaScript as a comment
Then the comment should be rendered as text
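The abuse case on this slide can be turned directly into an automated check, which is what the closing slides ask for (testable security requirements, run in CI). The following is an added example and not code from the talk: it renders the comment two ways, a raw-interpolation "before" version and an HTML-escaped version, and runs the Given/When/Then over a handful of constructed sample comments. The template, the sample inputs and the tag-detection rule are all this example's own assumptions.

```python
"""Executable abuse case for the comments page (added example, not from the talk).

Given the user is on the comments page, When the user enters JavaScript as a
comment, Then the comment is rendered as text. The page template, the sample
comments and the "rendered as text" rule below are constructed for this example.
"""
import html
import re

# Constructed sample comments as they would arrive in a request body.
SAMPLE_COMMENTS = [
    "Nice article!",
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
    'Tom & Jerry say "hi"',
]


def render_comment_unsafe(comment: str) -> str:
    """The 'before' version: interpolates raw user input into the page (vulnerable)."""
    return f'<li class="comment">{comment}</li>'


def render_comment(comment: str) -> str:
    """The hardened version: HTML-escapes the comment before interpolation."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


# "Then" rule: the only markup allowed in the rendered fragment is the <li>
# wrapper itself; any other tag means user input became markup.
_TAG = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def rendered_as_text(rendered: str) -> bool:
    tags = {m.group(1).lower() for m in _TAG.finditer(rendered)}
    return tags <= {"li"}


def run_abuse_case(render) -> dict:
    """Given/When/Then over every sample comment; returns pass/fail per comment."""
    report = {}
    for comment in SAMPLE_COMMENTS:            # Given: comments page; When: comment entered
        rendered = render(comment)
        report[comment] = rendered_as_text(rendered)   # Then: rendered as text
    return report


def abuse_case_passes(render) -> bool:
    """True only if every sample comment is rendered as text by this renderer."""
    return all(run_abuse_case(render).values())


if __name__ == "__main__":
    print("unsafe renderer passes:", abuse_case_passes(render_comment_unsafe))
    print("escaped renderer passes:", abuse_case_passes(render_comment))
```

The point of keeping both renderers is that the abuse case is a regression test: if someone later replaces the escaped template with raw interpolation, `abuse_case_passes` flips to False and the build fails, without anyone having to remember to re-run a manual test.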

Slide 62

IN ANALYSIS: MARK STORIES SECURITY SENSITIVE
So that everybody pays special attention

Slide 63

IN DEVELOPMENT: PAIR WITH A SECURITY SPECIALIST ON SECURITY SENSITIVE STORIES

Slide 64

SECURITY CODE REVIEWS https://flic.kr/p/34T4Z

Slide 65

IN TESTING: SECURITY TESTING

Slide 66

IN TESTING: MANUAL SECURITY TESTING

Slide 67

IN TESTING: AUTOMATED SECURITY TESTING

Slide 68

IN TESTING: REGRESSION SECURITY TESTING

Slide 69

IN TESTING: FUZZING

Slide 70

DEPLOYMENT

Slide 71

DEPLOYMENT: ACCESS CONTROL

Slide 72

DEPLOYMENT: PACKAGE INTEGRITY

Slide 73

CONFIGURATION MANAGEMENT

Slide 74

CONFIGURATION MANAGEMENT
▫︎ Infrastructure as code
▫︎ Infrastructure tests
▫︎ Infrastructure integrity
▫︎ Out-of-band changes
▫︎ Configuration drift
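The last three bullets describe one check: compare the state the infrastructure code declares with the state actually observed on a host, and report anything that differs. The following is an added example, not from the talk or any configuration-management tool. The declared and observed settings are constructed samples, and the three finding kinds (drift, unmanaged, missing) are this example's own labels.

```python
"""Drift check: declared (infrastructure-as-code) state versus observed host state.

Added example, not from the talk. DECLARED and OBSERVED are constructed samples;
the finding kinds are this example's own classification.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: what the infrastructure code declares for a web host.
DECLARED: Dict[str, str] = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.open_ports": "22,443",
    "nginx.server_tokens": "off",
}

# Constructed: what a probe of the running host reports.
OBSERVED: Dict[str, str] = {
    "sshd.PasswordAuthentication": "yes",   # edited by hand on the box
    "sshd.PermitRootLogin": "no",
    "firewall.open_ports": "22,443,8080",   # a port opened out of band
    "nginx.server_tokens": "off",
    "cron.extra_job": "present",            # nothing in the code declares this
}


@dataclass(frozen=True)
class Finding:
    key: str
    kind: str                 # "drift", "unmanaged" or "missing"
    declared: Optional[str]
    observed: Optional[str]


def detect_drift(declared: Dict[str, str], observed: Dict[str, str]) -> List[Finding]:
    """Every way the observed state departs from the declared state."""
    findings: List[Finding] = []
    for key, want in declared.items():
        if key not in observed:
            findings.append(Finding(key, "missing", want, None))       # declared but gone
        elif observed[key] != want:
            findings.append(Finding(key, "drift", want, observed[key]))  # out-of-band change
    for key, got in observed.items():
        if key not in declared:
            findings.append(Finding(key, "unmanaged", None, got))      # present but not in code
    return sorted(findings, key=lambda f: f.key)


def host_matches_declared(declared: Dict[str, str], observed: Dict[str, str]) -> bool:
    """The infrastructure test: passes only when there is no drift at all."""
    return not detect_drift(declared, observed)


if __name__ == "__main__":
    for f in detect_drift(DECLARED, OBSERVED):
        print(f"{f.kind:10} {f.key}: declared={f.declared!r} observed={f.observed!r}")
    print("host matches declared state:", host_matches_declared(DECLARED, OBSERVED))
```

Run as an infrastructure test on a schedule or after every deployment, a non-empty finding list is the signal that the code and the host have diverged; the "unmanaged" kind is the one most often missed, since a pure "does the declared setting hold" check never looks at keys the code does not mention.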

Slide 76

CONTINUOUS SECURITY TESTING

Slide 77

CONTINUOUS SECURITY TESTING: WHY AUTOMATE?

Slide 78

WHY AUTOMATE? REGRESSION

Slide 79

TOOLS

Slide 80

CONTINUOUS SECURITY TESTING - TOOLS

Slide 81

CONTINUOUS SECURITY TESTING - TOOLS

Slide 82

CONTINUOUS SECURITY TESTING - TOOLS

Slide 83

CONTINUOUS SECURITY TESTING - TOOLS https://blog.codecentric.de/files/2013/10/zap-screenshot.png

Slide 84

REMEMBER!

Slide 85

EVERYONE CAN BE RESPONSIBLE FOR SECURITY

Slide 86

PREFER BUILT-IN SECURITY OVER BOLT-ON SECURITY

Slide 87

SECURITY REQUIREMENTS SHOULD BE TESTABLE
So that they can be automated.

Slide 88

TRY TO INTEGRATE SECURITY TESTING INTO CI

Slide 89

ANY QUESTIONS? @_Garbage_ [email protected]

Slide 90

RESOURCES
▫︎ Application Security: The Agile Way
▫︎ Embedding Security Testing in Development Workflow
▫︎ BDD-Security Introduction
▫︎ Automated Security Testing of web applications using OWASP Zed Attack Proxy
▫︎ Security Development Lifecycle - Microsoft

Slide 91

ThoughtWorks is hiring. http://www.thoughtworks.com/join THANK YOU!