Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Application Security - The Agile Way

Shirish Padalkar
November 22, 2014
Technology
0
380

Application Security - The Agile Way

Traditionally application security has involved upfront design and a big bang penetration test after development. This leads to the phenomenon of “bolt-on” security that translates into increased cost and complexity.

Drawing on our experience on real-world projects we show how security can be baked-in on an agile project. Using case studies we demonstrate how security concerns are captured during project inceptions, how developers write secure code, security testing is automated and how configuration management can help achieve secure deployments. This talk introduces several new concepts like secure by design, secure design patterns and lightweight code reviews.

Shirish Padalkar

November 22, 2014
Tweet

More Decks by Shirish Padalkar

See All by Shirish Padalkar
Building a Secure Continuous Delivery Pipeline - Medly.Tech
shirishp
0
550
Building a Continuous Secure Delivery Pipeline
shirishp
2
990
Building Secure Web Applications
shirishp
1
550
Introduction to security vulnerabilities
shirishp
1
3k
Who will test your tests?
shirishp
1
590

Other Decks in Technology

See All in Technology
社内勉強会運営のコツ
senoo
5
1.1k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
1
620
転移学習とドメイン適応の基礎
kmatsui
2
550
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
680
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
51
16k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs (QCon London)
inesmontani
PRO
0
130
20240330_LT資料「エンジニアに求められるマネジメント」
kc_nakanishi
0
110
アプリがつくるNOT A HOTELブランド
hokuts
0
440
普段有償でサポート業務をしているCSAが技術知見を無料で公開する理由
07jp27
1
590
少数チームで挑む: SwiftUI, TCA, KMPを用いた 新規動画配信アプリ 「ABEMA Live」の開発について
tomu28
0
220
Databricksを活用してDELISH KITCHENのレシピレコメンドを開発した話
furu8
0
230
LLMアプリケーションの実験管理・評価の工夫を紹介
pharma_x_tech
6
600

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
352
18k
jQuery: Nuts, Bolts and Bling
dougneiner
58
7.1k
The Mythical Team-Month
searls
214
42k
GraphQLの誤解/rethinking-graphql
sonatard
49
9.2k
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.6k
Statistics for Hackers
jakevdp
789
220k
Building a Scalable Design System with Sketch
lauravandoore
455
32k
Ruby is Unlike a Banana
tanoku
95
10k
How GitHub (no longer) Works
holman
302
140k
A better future with KSS
kneath
230
16k
Building Adaptive Systems
keathley
29
1.8k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k

Transcript

  1. APPLICATION SECURITY THE AGILE WAY Shirish Padalkar Agile - Pune.

    November 2014 1

  2. ABOUT ME 2

  3. ABOUT ME 3

  4. SOME QUESTIONS FIRST 4 https://flic.kr/p/2vgyWN

  5. HOW MANY OF YOU THINK SECURITY IS IMPORTANT FOR PROJECT?

    5

  6. HOW MANY OF YOU THINK YOU ARE DOING SECURITY “RIGHT”

    ON PROJECT? 6

  7. WHY YOU SHOULD CARE? 7

  8. CURRENT STATE 8

  9. 9 https://flic.kr/p/dq38oj

  10. Security review? We will do it before we go live!

    10

  11. Penetration testing? What’s the hurry? We still have a week

    to go live! 11

  12. IDEAL STATE 12

  13. 13 https://flic.kr/p/34T4Z Everything is SECURE!

  14. 14 https://flic.kr/p/34T4Z Defense in depth https://flic.kr/p/5UshcL

  15. SECURE SDLC 15

  16. SECURE SDLC 16

  17. “… is a software development process that helps developers build

    more secure software and address security compliance requirements while reducing development cost." 17

  18. WHAT IS DIFFERENT IN AGILE PROJECTS? 18

  19. WHAT IS DIFFERENT IN AGILE PROJECTS 19 CHANGING REQUIREMENTS

  20. WHAT IS DIFFERENT IN AGILE PROJECTS 20 PROGRESSIVE DEVELOPMENT

  21. WHAT IS DIFFERENT IN AGILE PROJECTS 21 ITERATIVE DEVELOPMENT

  22. WHAT IS DIFFERENT IN AGILE PROJECTS 22 FREQUENT DEPLOYMENTS

  23. OH, I GET WHY. HOW DO I DO IT? 23

  24. 24 https://flic.kr/p/cS8Hed It all starts at the beginning

  25. INCEPTION 25 https://flic.kr/p/8GW6WZ

  26. 26 IDENTIFY SECURITY OBJECTIVES https://flic.kr/p/6J9dhX

  27. HIGH LEVEL SECURITY OBJECTIVES 27 COMPLIANCE PCI DSS, SOX, HIPAA,

    DPA, Privacy Laws

  28. HIGH LEVEL SECURITY OBJECTIVES 28 LEGAL Intellectual Property, Contractual obligations

  29. HIGH LEVEL SECURITY OBJECTIVES 29 POLICIES AND STANDARDS

  30. 30 IDENTIFY BAD ACTORS https://flic.kr/p/aN98Gp

  31. BAD ACTORS 31 COMPETITORS

  32. BAD ACTORS 32 GOVERNMENT

  33. BAD ACTORS 33 POLITICAL

  34. BAD ACTORS 34 HACKTIVISTS

  35. BAD ACTORS 35 EMPLOYEES

  36. BAD ACTORS 36 PARTNERS

  37. 37 IDENTIFY ASSETS https://flic.kr/p/dTUAhR

  38. “Asset is anything that has value to an adversary" 38

  39. ASSETS 39 DATA

  40. ASSETS 40 INTELLECTUAL PROPERTY

  41. ASSETS 41 SECRET BUSINESS RULES

  42. ASSETS 42 SYSTEMS

  43. 43 IDENTIFY DISASTER SCENARIOS https://flic.kr/p/bD7ciD

  44. DISASTER SCENARIOS 44 DATA BREACH

  45. DISASTER SCENARIOS 45 UNAUTHORIZED DISCLOSURE

  46. DISASTER SCENARIOS 46 UNAVAILABILITY OF APPLICATION

  47. 47 IDENTIFY NEW SECURITY STORIES https://flic.kr/p/5a5d3b

  48. 48 PREPARATION https://flic.kr/p/gKtPYu

  49. 49 SECURITY SPECIALIST https://flic.kr/p/cHyzud

  50. A SECURITY SPECIALIST ▫︎Understands importance of security ▫︎Have experience in

    “doing” security properly ▫︎Can identify security requirements ▫︎Knows secure coding patterns ▫︎Knows how to test for security ▫︎Have coaching skills ▫︎Full time / Part time? ▫︎Internal / External? 50

  51. 51 TOOLS & LIBRARIES https://flic.kr/p/njnkhT https://flic.kr/p/hQQFyG

  52. TOOLS 52 LANGUAGES

  53. TOOLS 53 LIBRARIES

  54. TOOLS 54 CODE ANALYSIS TOOL Static / Dynamic code analysis?

  55. 55 TRAININGS https://flic.kr/p/njnkhT

  56. TRAININGS ▫︎For BAs ▫︎Identify security requirements ▫︎Write stories considering security

    requirements ▫︎For Developers ▫︎Secure coding guidelines ▫︎Secure coding patterns ▫︎For QAs ▫︎Security testing ▫︎Automation? 56

  57. 57 ONGOING INTERATIONS https://flic.kr/p/auuCWk

  58. IN ANALYSIS 58 IDENTIFY SECURITY REQUIREMENTS Based on latest understanding

  59. IN ANALYSIS 59 WRITE ABUSE CASES

  60. “… is a type of complete interaction between a system

    and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system" 60

  61. ABUSES CASE EXAMPLE 61 Given User is on comments page

    When User enters JavaScript as comment Then comment should be rendered as text

  62. IN ANALYSIS 62 MARK STORIES SECURITY SENSITIVE So that everybody

    pays special attention

  63. IN DEVELOPMENT 63 PAIR WITH SECURITY SPECIALIST ON SECURITY SENSITIVE

    STORIES

  64. 64 https://flic.kr/p/34T4Z SECURITY CODE REVIEWS

  65. IN TESTING 65 SECURITY TESTING

  66. IN TESTING 66 MANUAL SECURITY TESTING

  67. IN TESTING 67 AUTOMATED SECURITY TESTING

  68. IN TESTING 68 REGRESSION SECURITY TESTING

  69. IN TESTING 69 FUZZING

  70. DEPLOYMENT 70

  71. DEPLOYMENT 71 ACCESS CONTROL

  72. DEPLOYMENT 72 PACKAGE INTEGRITY

  73. CONFIGURATION MANAGEMENT 73

  74. CONFIGURATION MANAGEMENT ▫︎Infrastructure as code ▫︎Infrastructure tests ▫︎Infrastructure integrity ▫︎out

    of bound changes ▫︎configuration drift 74

  75. 75

  76. CONTINUOUS SECURITY TESTING 76

  77. CONTINUOUS SECURITY TESTING 77 WHY AUTOMATE?

  78. WHY AUTOMATE? 78 REGRESSION

  79. TOOLS 79

  80. CONTINUOUS SECURITY TESTING - TOOLS 80

  81. CONTINUOUS SECURITY TESTING - TOOLS 81

  82. CONTINUOUS SECURITY TESTING - TOOLS 82

  83. CONTINUOUS SECURITY TESTING - TOOLS 83 https://blog.codecentric.de/files/2013/10/zap-screenshot.png

  84. REMEMBER! 84

  85. 85 EVERYONE CAN BE RESPONSIBLE FOR SECURITY

  86. 86 PREFER BUILT-IN SECURITY OVER BLOAT-IN SECURITY

  87. 87 SECURITY REQUIREMENTS SHOULD BE TESTABLE So that they can

    be automated.

  88. 88 TRY TO INTEGRATE SECURITY TESTING INTO CI

  89. ANY QUESTIONS? 89 @_Garbage_ [email protected]

  90. RESOURCES ▫︎Application Security: The Agile Way ▫︎Embedding Security Testing in

    Development Workflow ▫︎BDD-Security Introduction ▫︎Automated Security Testing of web applications using OWASP Zed Attack Proxy ▫︎Security Development Lifecycle - Microsoft 90

  91. ThoughtWorks is hiring. http://www.thoughtworks.com/join THANK YOU!