SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного обеспечения при его разработке.
What does Agile mean, anyway?
The Agile manifesto Individuals and interactions Processes and tools Working softwareComprehensive documentation Customer collaborationContract negotiation Responding to changeFollowing a plan
Security Development Lifecycle Ongoing Process Improvements ProcessEducationAccountability Microsofts industry leading software security assurance process designed to protect customers by reducing the number and severity of software vulnerabilities before release.
Challenges
Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile
Fits spiral or waterfall… …but Agile doesnt have phases SDL Classic phased approach
Very secure! But not Agile. Idea: Do the full SDL every iteration
From the Principles Behind the Agile Manifesto: Short timescale Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
Very Agile! But not secure. Idea: Move SDL tasks to product backlog
But every requirement is, well, required We need to keep all requirements We need to reorganize into Agile-friendly form Idea: Drop some requirements
SDL-Agile process
Three classes of requirements Every Sprint Training Threat modeling etc... One-Time Only Set up tracking Create response plan etc... Bucket Fuzz parsers Refresh response plan etc…
One-time requirements get added to the Product Backlog (with deadlines) So do bucket requirements Every-sprint requirements go to the Sprint Backlog directly Requirements as backlog items Product Backlog Set up tracking system Upgrade to VS2012 Fuzz image parser Fuzz network parser … Sprint Backlog Threat model new stored procedures Run static analysis …
Agile sashimi
Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile
2:00 AM Christmas morning is a poor time to hold a Scrum meeting… Security incident response
Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile
Writing secure code
Secure code cannot be a "feature" Not a User Story Doesnt go in the Product Backlog Cant get prioritized in or out Cant decide to not do security this sprint
Some SDL requirements are straightforward... –Enable compiler switches –Run static analysis tools …some are more difficult (not actionable) –Avoid banned APIs –Access databases safely Breaking the SDL into tasks
Two options Verify manuallyVerify with tools
Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile
FxCop CAT.NET PREFast (/analyze) And/or your alternative tool(s) of choice These are every-sprint requirements Better still: Continuous Integration Static analysis requirements
Fuzzers (homegrown) AppVerifier Passive HTTP traffic analysis And/or your alternative tool(s) of choice These are bucket requirements Or Continuous Integration Dynamic analysis requirements
Web Protection Library (a.k.a AntiXss) StrSafe SafeInt Use always, check every sprint Secure coding libraries
Strengths
Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL
Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL Welcome changing requirements, even late in development. Agile processes harness change for the customers competitive advantage.
Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL Security and privacy are most effective when built-in throughout the entire development lifecycle
The Agile manifesto Individuals and interactions Processes and tools Working softwareComprehensive documentation Customer collaborationContract negotiation Responding to changeFollowing a plan
The SDL-Agile manifesto Continuous, incremental effort Heroic pushes Automated toolsManual processes Planned responseAd-hoc response
More resources
Thank you Спасибо за внимание