Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, OWASP EU09 Poland

Slide 1: Leveraging agile to gain better security. An agile developer's perspective
Erlend Oftedal, Board Member – Norway, Bekk Consulting AS

OWASP AppSecEU09 Poland

Slide 2: Who am I?
- Erlend Oftedal
- Consultant/developer at Bekk Consulting AS in Oslo, Norway
- Board member of OWASP Chapter Norway
- Member of Honeynet Chapter Norway

Slide 3: Agenda
- Agile – what and why?
- The agile toolbox
- Agile and secure?

Slide 4: Why was agile created?
- We are building the wrong solution
  - Does not meet requirements
  - Requirements change
- We are building the solution wrong
  - High number of bugs
  - Not delivered on time
  - Hard to change

Slide 5: Waterfall
System requirements -> Software requirements -> Analysis -> Program design -> Coding -> Testing -> Operations

Slide 6: What are we building?

Slide 7: Requirements specification
- Is it accurate?
- Will all stakeholders understand it and get the same picture?

Slide 8: Requirements cost
- Inaccurate requirements
- "It doesn't work – let's do more"
(chart: accuracy against effort/time invested)

Slide 9: Security requirements
(chart: effort against time, with "delivery to production" marked)

Slide 10: Are we securing the right solution?

Slide 11: So what is agile?
- Agile is process – it's not a process
- Agile is culture
- Agile is a set of tools and techniques
- Summary of agile: we reflect after each iteration

Slide 12: The Agile Manifesto
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.

Slide 13: Agile

Slide 14: Requirements
- Customer collaboration over contract negotiation
- Responding to change over following a plan
- Co-located customer: the customer is accessible
- Short feedback loop: decide and verify often
- "Plans are nothing – planning is everything" (Eisenhower)

Slide 15: Agile requirements

Slide 16: Handling risk
- Handle risk early
  - Proof of concepts
  - Starting with the most difficult tasks
- Postpone decisions to the latest responsible point in time
  - More information gives more informed decisions
- Making risk visible

Slide 17: Definition of done
- What does "90% done" mean?
- When is a task done?
  - Tests are passing?
  - Accepted by customer?
  - In production?

Slide 18: Common arguments against agile
- Too little documentation
- Focus is only on functionality
- Agile is not written in stone: let's change it

Slide 19: Tools from the agile toolbox
- Continuous integration
- Clean code
- Pair programming

Slide 20: Continuous integration and automated tests
- Build code on check-in
- Run tests on check-in
  - Unit tests
  - Integration tests
  - Acceptance tests
  - Web tests

Slide 21: Unit tests
- Tests a small unit of code
- Does not touch external resources
- Very fast to run (milliseconds)
- Can serve as specification for a class
- Security benefit
  - Reduce number of logical bugs
  - We can test our security modules: are the roles resolved correctly?
  - OWASP ESAPI

Slide 22: Integration tests
- Test integration between components and can touch external resources
- A bit slower to run
- Security benefit
  - Test how components interact
  - Can a person in role X perform task Y? Can a person in role Z perform task Y?
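The two test levels on slides 21 and 22 applied to a small authorization module, as an added example that is not part of the presentation: `resolve_roles` is the unit under test (no external resources), and `authorization_matrix` is the integration-style "can role X perform task Y?" check over the whole policy table. The users, groups, tasks and policy are constructed for illustration and are not from any real system.

```python
# Added example (not from the presentation): a role-resolution and
# authorization module with the two kinds of tests the slides describe.
# The user records, roles, tasks and policy table are constructed here.

from dataclasses import dataclass, field

# Constructed policy: which roles may perform which tasks.
POLICY = {
    "view_order": {"customer", "support", "admin"},
    "refund_order": {"support", "admin"},
    "delete_user": {"admin"},
}

# Constructed group-to-role mapping (as a directory service might supply it).
GROUP_ROLES = {
    "cn=helpdesk": {"support"},
    "cn=sysops": {"admin"},
}


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    explicit_roles: set = field(default_factory=set)


def resolve_roles(user: User) -> set:
    """Unit under test: roles come from explicit grants plus group membership.
    Every authenticated user gets the 'customer' role. Group names are
    matched case-insensitively, which is exactly the kind of detail a unit
    test pins down."""
    roles = {"customer"} | set(user.explicit_roles)
    for group in user.groups:
        roles |= GROUP_ROLES.get(group.lower(), set())
    return roles


def can_perform(user: User, task: str) -> bool:
    """Deny by default: a task missing from the policy is never allowed."""
    allowed = POLICY.get(task)
    if allowed is None:
        return False
    return bool(resolve_roles(user) & allowed)


# --- Unit test: are the roles resolved correctly? ---
def test_role_resolution() -> bool:
    alice = User("alice", groups=["CN=Helpdesk"])   # mixed-case group name
    bob = User("bob")
    return (resolve_roles(alice) == {"customer", "support"}
            and resolve_roles(bob) == {"customer"})


# --- Integration-style test: can role X perform task Y? ---
def authorization_matrix() -> dict:
    """Returns {(user, task): decision} for every combination, so the whole
    table is visible and can be asserted on in one place. The unknown task
    is included to check the deny-by-default path."""
    users = [User("bob"),
             User("alice", groups=["cn=helpdesk"]),
             User("root", groups=["cn=sysops"])]
    return {(u.name, task): can_perform(u, task)
            for u in users for task in list(POLICY) + ["unknown_task"]}


if __name__ == "__main__":
    print("role resolution ok:", test_role_resolution())
    for key, ok in sorted(authorization_matrix().items()):
        print(key, "->", "allow" if ok else "deny")
```

The matrix form is deliberate: when a new role or task is added, the test that breaks shows the full table instead of one failing boolean, which is what makes these tests useful as a living specification of the access rules.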

Slide 23: Acceptance tests
- High level tests
- Runnable specs: Cucumber/RSpec/Fitnesse etc.
- Web tests: Watir/Selenium etc.
- Can be quite slow to run: run the slowest every night
- Security benefit
  - Test the whole stack
  - Verify an XSRF protection?
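The "verify an XSRF protection" idea from slide 23 as an added example, not code from the presentation. A real acceptance test would drive the deployed application through Watir or Selenium; here a minimal in-process form handler and session store are constructed to stand in for the web stack, so the test itself (fetch the form, extract the token, submit with and without it) can run offline. Function names, routes and the token format are assumptions.

```python
# Added example (not from the presentation): an end-to-end style check that a
# state-changing form handler rejects requests lacking a valid anti-XSRF
# token. The handler, session store and client are constructed stand-ins.

import hmac
import secrets

_sessions: dict = {}   # session id -> per-session XSRF token (in-memory, constructed)


def new_session() -> str:
    """Log-in stand-in: creates a session with a fresh random token."""
    sid = secrets.token_hex(16)
    _sessions[sid] = secrets.token_hex(32)
    return sid


def render_form(sid: str) -> str:
    """GET handler: embeds the session's token in the form as a hidden field."""
    return f'<input type="hidden" name="csrf" value="{_sessions[sid]}">'


def transfer_handler(session_id: str, form: dict) -> tuple:
    """POST handler: the protected action. The token is compared in constant
    time against the one bound to this session, so a token from another
    session or a guessed value is refused."""
    expected = _sessions.get(session_id)
    supplied = form.get("csrf", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return (403, "missing or invalid XSRF token")
    return (200, f"transferred {form['amount']}")


# --- acceptance test: drive the stack the way a browser (or Watir) would ---
def acceptance_xsrf_protection() -> dict:
    """Returns the HTTP status for each scenario so the test can assert on
    the full set: only the genuine form submission must succeed."""
    sid = new_session()
    # pull the token out of the rendered page, as a web test would
    token = render_form(sid).split('value="')[1].rstrip('">')
    with_token = transfer_handler(sid, {"csrf": token, "amount": "10"})
    no_token = transfer_handler(sid, {"amount": "10"})
    forged = transfer_handler(sid, {"csrf": "0" * 64, "amount": "10"})
    other_session = transfer_handler(new_session(), {"csrf": token, "amount": "10"})
    return {
        "valid": with_token[0],
        "no_token": no_token[0],
        "forged": forged[0],
        "token_from_other_session": other_session[0],
    }


if __name__ == "__main__":
    for scenario, status in acceptance_xsrf_protection().items():
        print(f"{scenario:26s} -> {status}")
```

Because this test exercises the handler the same way the browser does, it keeps passing or failing on behaviour rather than on implementation detail: the check survives a refactoring of how tokens are stored, which is the point the slides make about acceptance tests as a safety net.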

Slide 24: Clean code
- SOLID principles
- Keep code DRY (Don't Repeat Yourself – no duplication)
- Testable code: dependency injection
- Test Driven Development
  1. Write a test
  2. Implement until the test passes
  3. Refactor
  4. Go to 1
- Behaviour Driven Development

Slide 25: Bug handling
1. Write a test that proves the existence of the bug
2. Fix the code and watch the test pass
- Automated regression testing
- Security benefit: if we find a bug somewhere, we can make sure it does not reappear
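The test-first bug-handling cycle of slides 24 and 25 worked through on a security bug, as an added example that is not from the presentation. The scenario is constructed: a redirect-target validator that only checks for a leading slash, so a protocol-relative target such as `//other.example/` passes and the browser leaves the site. The first version is kept (clearly labelled) only so the regression test can be seen catching it; the fixed version is what ships. Function and case names are assumptions.

```python
# Added example (not from the presentation): "write a test that proves the
# bug, fix the code, watch the test pass" applied to a redirect validator.
# Both versions and the test cases are constructed for illustration.

from urllib.parse import urlsplit


def is_local_redirect_before(target: str) -> bool:
    """Version as first shipped (kept to show what the test catches): it
    only checks the leading slash, so '//other.example/' is accepted even
    though browsers treat it as an absolute URL on another host."""
    return target.startswith("/")


def is_local_redirect(target: str) -> bool:
    """Fixed version: the target must be a path on this site. Rejects
    absolute URLs, protocol-relative targets and the backslash variant
    that some browsers normalise to a slash."""
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


# Regression cases: (target, should_be_accepted). The second entry is the
# case from the bug report; the others pin down neighbouring behaviour.
CASES = [
    ("/account", True),
    ("//other.example/phish", False),    # the reported bug
    ("/\\other.example", False),
    ("https://other.example/", False),
    ("/account?next=//x", True),         # '//' inside the query is harmless
]


def failing_cases(check) -> list:
    """Regression test body: returns the targets that `check` gets wrong.
    Step 1 of the cycle is this list being non-empty for the old code;
    step 2 is it being empty for the fix, and it stays in the suite."""
    return [t for t, expected in CASES if check(t) != expected]


if __name__ == "__main__":
    print("before fix, wrong on:", failing_cases(is_local_redirect_before))
    print("after fix, wrong on: ", failing_cases(is_local_redirect))
```

Keeping the case table separate from the checker is what makes this cheap to extend: the next report of the same class of bug adds one row, and every later refactoring of the validator is run against all rows on check-in.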

Slide 26: Pair programming
- Instant code review
- Knowledge sharing
  - Reducing risk by not depending on a single person
  - Spreading knowledge within the team
- Security benefit: spread knowledge about potential issues and frameworks (OWASP Top 10, OWASP ESAPI)

Slide 27: Testing, clean code and security
- Well-tested code gives us assurance and confidence in our code base
- Well-tested code is easy to change: we have a safety net
- Changeable code allows us to refactor
  - Clean code
  - Change design – improve the architecture
  - Improve the readability

Slide 28: Testing, clean code and security (cont.)
- Clean, readable code is easier to understand
  - "Comments are a failure to express oneself in code" – Robert C. Martin (paraphrased)
- Understandable code is easier to secure
- Security tests give us assurance and confidence in our security controls
  - Regression testing
  - OWASP ESAPI

Slide 29: Going fast
- "The only way to go fast is to go well" – Robert C. Martin
- Don't hack and skip testing just to finish at the end of an iteration
  - Write unit tests
  - Fix the code
  - Refactor

Slide 30: Definition of done revisited
- A task is not done before:
  - Security has been evaluated
  - Tests for possible security issues are in place
- Avoid security sprints if you can

Slide 31: Winning the prioritization race
- Create a business case
- Use standard, well-tested components to lower implementation costs
- Do not enter: XSS, SQL-injection etc. are not user stories!

Slide 32: Agile security enablers
- Security controls
- Secure coding guidelines
- Training
[Dave Wichers – Security in agile development, AppSec NYC 2008]

Slide 33: Secure coding guidelines
- Improve as you go
- Should be easy to change and easy to access (wiki)
- Implement as code analysis rules where possible and cost effective
  - Run as part of local build in IDE
  - Run as part of CI

Slide 34: Training
- Web security training, internal or external
- Microworkshops on demand
  - 5-20 minute workshop
  - Present a problem and a solution with examples from the project's code base
  - Example: how to avoid SQL-injection, and why it's dangerous
  - Can be used to introduce rules in the secure coding guideline
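Slides 33 and 34 together: a guideline that comes out of the SQL-injection microworkshop ("never build a query from strings; use parameters") turned into a code-analysis rule that can run in the IDE build and in CI. This is an added example, not tooling from the presentation or from OWASP; it inspects Python source with the standard `ast` module, and the sink names, the sample source and the exit-code convention are assumptions made for the illustration.

```python
# Added example (not from the presentation): a secure-coding guideline
# ("never build SQL from strings") implemented as a code-analysis rule for
# Python source. The sink list and the sample code are constructed.

import ast

# Assumed DB-API method names that take a query string as first argument.
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at run time, i.e. the query
    text depends on data rather than being a constant with placeholders."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_dynamic_sql(source: str) -> list:
    """Returns (line, message) for every SQL sink whose first argument is
    built dynamically. A constant query with placeholders produces nothing."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno,
                             "SQL built from a dynamic string; use a parameterised query"))
    return findings


# Constructed sample: the first function breaks the guideline, the second
# follows it (a constant query, the value passed as a parameter).
SAMPLE = '''
def lookup(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = " + user_id)

def lookup_safe(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
'''


def ci_gate(source: str) -> int:
    """Build-step wrapper: prints findings and returns a non-zero status so
    the CI job (or the IDE's local build) fails on a violation."""
    findings = find_dynamic_sql(source)
    for line, msg in findings:
        print(f"line {line}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE))
```

The rule is purely syntactic and cheap, which is what the slide means by "where possible and cost effective": it catches the pattern the workshop taught at the place it is written, but it will not see a query assembled into a variable earlier in the function. That gap is fine for a guideline check; it is not a substitute for the integration and acceptance tests covered earlier in the deck.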

Slide 35: Copying the co-located customer idea
- The co-located security professional
  - Short feedback loop
  - Improve knowledge sharing
- Alternative: protégé or apprentice
- Danger: avoid "that's the security guy's responsibility"

Slide 36: Summary
- Agile does not focus on security; the good news is that we can change that
- We can hook security onto the process:
  - Have security competency in the team
  - Establish security as a joint responsibility
  - Training and microworkshops
- Clean code can help improve security: readability, simplification, testability
- Focus on getting things done: create security sprints or security tasks only if absolutely necessary

Slide 37: Questions?
More information: achieve-more-agile-application-security
My blog:
Twitter: webtonull