Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Application Security - The Agile Way

Shirish Padalkar
November 22, 2014
Technology
0
390

Application Security - The Agile Way

Traditionally application security has involved upfront design and a big bang penetration test after development. This leads to the phenomenon of “bolt-on” security that translates into increased cost and complexity.

Drawing on our experience on real-world projects we show how security can be baked-in on an agile project. Using case studies we demonstrate how security concerns are captured during project inceptions, how developers write secure code, security testing is automated and how configuration management can help achieve secure deployments. This talk introduces several new concepts like secure by design, secure design patterns and lightweight code reviews.

Shirish Padalkar

November 22, 2014
Tweet

More Decks by Shirish Padalkar

See All by Shirish Padalkar
Building a Secure Continuous Delivery Pipeline - Medly.Tech
shirishp
0
620
Building a Continuous Secure Delivery Pipeline
shirishp
2
1.1k
Building Secure Web Applications
shirishp
1
610
Introduction to security vulnerabilities
shirishp
1
3k
Who will test your tests?
shirishp
1
650

Other Decks in Technology

See All in Technology
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
880
強いチームと開発生産性
onk
PRO
35
11k
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
660
Engineer Career Talk
lycorp_recruit_jp
0
190
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600
Platform Engineering for Software Developers and Architects
syntasso
1
520
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
9
1.1k
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
430

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
Designing Experiences People Love
moore
138
23k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Music & Morning Musume
bryan
46
6.2k
We Have a Design System, Now What?
morganepeng
50
7.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
For a Future-Friendly Web
brad_frost
175
9.4k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k

Transcript

  1. APPLICATION SECURITY THE AGILE WAY Shirish Padalkar Agile - Pune.

    November 2014 1

  2. ABOUT ME 2

  3. ABOUT ME 3

  4. SOME QUESTIONS FIRST 4 https://flic.kr/p/2vgyWN

  5. HOW MANY OF YOU THINK SECURITY IS IMPORTANT FOR PROJECT?

    5

  6. HOW MANY OF YOU THINK YOU ARE DOING SECURITY “RIGHT”

    ON PROJECT? 6

  7. WHY YOU SHOULD CARE? 7

  8. CURRENT STATE 8

  9. 9 https://flic.kr/p/dq38oj

  10. Security review? We will do it before we go live!

    10

  11. Penetration testing? What’s the hurry? We still have a week

    to go live! 11

  12. IDEAL STATE 12

  13. 13 https://flic.kr/p/34T4Z Everything is SECURE!

  14. 14 https://flic.kr/p/34T4Z Defense in depth https://flic.kr/p/5UshcL

  15. SECURE SDLC 15

  16. SECURE SDLC 16

  17. “… is a software development process that helps developers build

    more secure software and address security compliance requirements while reducing development cost." 17

  18. WHAT IS DIFFERENT IN AGILE PROJECTS? 18

  19. WHAT IS DIFFERENT IN AGILE PROJECTS 19 CHANGING REQUIREMENTS

  20. WHAT IS DIFFERENT IN AGILE PROJECTS 20 PROGRESSIVE DEVELOPMENT

  21. WHAT IS DIFFERENT IN AGILE PROJECTS 21 ITERATIVE DEVELOPMENT

  22. WHAT IS DIFFERENT IN AGILE PROJECTS 22 FREQUENT DEPLOYMENTS

  23. OH, I GET WHY. HOW DO I DO IT? 23

  24. 24 https://flic.kr/p/cS8Hed It all starts at the beginning

  25. INCEPTION 25 https://flic.kr/p/8GW6WZ

  26. 26 IDENTIFY SECURITY OBJECTIVES https://flic.kr/p/6J9dhX

  27. HIGH LEVEL SECURITY OBJECTIVES 27 COMPLIANCE PCI DSS, SOX, HIPAA,

    DPA, Privacy Laws

  28. HIGH LEVEL SECURITY OBJECTIVES 28 LEGAL Intellectual Property, Contractual obligations

  29. HIGH LEVEL SECURITY OBJECTIVES 29 POLICIES AND STANDARDS

  30. 30 IDENTIFY BAD ACTORS https://flic.kr/p/aN98Gp

  31. BAD ACTORS 31 COMPETITORS

  32. BAD ACTORS 32 GOVERNMENT

  33. BAD ACTORS 33 POLITICAL

  34. BAD ACTORS 34 HACKTIVISTS

  35. BAD ACTORS 35 EMPLOYEES

  36. BAD ACTORS 36 PARTNERS

  37. 37 IDENTIFY ASSETS https://flic.kr/p/dTUAhR

  38. “Asset is anything that has value to an adversary" 38

  39. ASSETS 39 DATA

  40. ASSETS 40 INTELLECTUAL PROPERTY

  41. ASSETS 41 SECRET BUSINESS RULES

  42. ASSETS 42 SYSTEMS

  43. 43 IDENTIFY DISASTER SCENARIOS https://flic.kr/p/bD7ciD

  44. DISASTER SCENARIOS 44 DATA BREACH

  45. DISASTER SCENARIOS 45 UNAUTHORIZED DISCLOSURE

  46. DISASTER SCENARIOS 46 UNAVAILABILITY OF APPLICATION

  47. 47 IDENTIFY NEW SECURITY STORIES https://flic.kr/p/5a5d3b

  48. 48 PREPARATION https://flic.kr/p/gKtPYu

  49. 49 SECURITY SPECIALIST https://flic.kr/p/cHyzud

  50. A SECURITY SPECIALIST ▫︎Understands importance of security ▫︎Have experience in

    “doing” security properly ▫︎Can identify security requirements ▫︎Knows secure coding patterns ▫︎Knows how to test for security ▫︎Have coaching skills ▫︎Full time / Part time? ▫︎Internal / External? 50

  51. 51 TOOLS & LIBRARIES https://flic.kr/p/njnkhT https://flic.kr/p/hQQFyG

  52. TOOLS 52 LANGUAGES

  53. TOOLS 53 LIBRARIES

  54. TOOLS 54 CODE ANALYSIS TOOL Static / Dynamic code analysis?

  55. 55 TRAININGS https://flic.kr/p/njnkhT

  56. TRAININGS ▫︎For BAs ▫︎Identify security requirements ▫︎Write stories considering security

    requirements ▫︎For Developers ▫︎Secure coding guidelines ▫︎Secure coding patterns ▫︎For QAs ▫︎Security testing ▫︎Automation? 56

  57. 57 ONGOING INTERATIONS https://flic.kr/p/auuCWk

  58. IN ANALYSIS 58 IDENTIFY SECURITY REQUIREMENTS Based on latest understanding

  59. IN ANALYSIS 59 WRITE ABUSE CASES

  60. “… is a type of complete interaction between a system

    and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system" 60

  61. ABUSES CASE EXAMPLE 61 Given User is on comments page

    When User enters JavaScript as comment Then comment should be rendered as text

  62. IN ANALYSIS 62 MARK STORIES SECURITY SENSITIVE So that everybody

    pays special attention

  63. IN DEVELOPMENT 63 PAIR WITH SECURITY SPECIALIST ON SECURITY SENSITIVE

    STORIES

  64. 64 https://flic.kr/p/34T4Z SECURITY CODE REVIEWS

  65. IN TESTING 65 SECURITY TESTING

  66. IN TESTING 66 MANUAL SECURITY TESTING

  67. IN TESTING 67 AUTOMATED SECURITY TESTING

  68. IN TESTING 68 REGRESSION SECURITY TESTING

  69. IN TESTING 69 FUZZING

  70. DEPLOYMENT 70

  71. DEPLOYMENT 71 ACCESS CONTROL

  72. DEPLOYMENT 72 PACKAGE INTEGRITY

  73. CONFIGURATION MANAGEMENT 73

  74. CONFIGURATION MANAGEMENT ▫︎Infrastructure as code ▫︎Infrastructure tests ▫︎Infrastructure integrity ▫︎out

    of bound changes ▫︎configuration drift 74

  75. 75

  76. CONTINUOUS SECURITY TESTING 76

  77. CONTINUOUS SECURITY TESTING 77 WHY AUTOMATE?

  78. WHY AUTOMATE? 78 REGRESSION

  79. TOOLS 79

  80. CONTINUOUS SECURITY TESTING - TOOLS 80

  81. CONTINUOUS SECURITY TESTING - TOOLS 81

  82. CONTINUOUS SECURITY TESTING - TOOLS 82

  83. CONTINUOUS SECURITY TESTING - TOOLS 83 https://blog.codecentric.de/files/2013/10/zap-screenshot.png

  84. REMEMBER! 84

  85. 85 EVERYONE CAN BE RESPONSIBLE FOR SECURITY

  86. 86 PREFER BUILT-IN SECURITY OVER BLOAT-IN SECURITY

  87. 87 SECURITY REQUIREMENTS SHOULD BE TESTABLE So that they can

    be automated.

  88. 88 TRY TO INTEGRATE SECURITY TESTING INTO CI

  89. ANY QUESTIONS? 89 @_Garbage_ [email protected]

  90. RESOURCES ▫︎Application Security: The Agile Way ▫︎Embedding Security Testing in

    Development Workflow ▫︎BDD-Security Introduction ▫︎Automated Security Testing of web applications using OWASP Zed Attack Proxy ▫︎Security Development Lifecycle - Microsoft 90

  91. ThoughtWorks is hiring. http://www.thoughtworks.com/join THANK YOU!