Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation.
Agile + SDL: Concepts and Misconceptions
Avi Douglen, Aware Security (972)
Nir Bregman, Senior Project Manager, HP (972)
/09/2011

Agenda
 Introduction
 Misconceptions
 Problems
 Concepts
 Solution

INTRODUCTION

“Agile” – A Definition
“… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.” – Wikipedia

Agile Methodology – Key Features
 Early feedback
 Prioritized “backlog”
 Inherent improvement process
 Adaptive to changes
 Short, incremental iterations or sprints
 ‘Release like’ version every iteration
 Team selects “user stories”

“SDL” – A Definition
“A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.” – Wikipedia

SDL – Microsoft Model

SDL – OWASP Model (CLASP)

SDL – Key Features
 Activities for each development phase
 Relatively formal process
 Carefully controlled development

SDL – Main Activities
 General
   Designing SDLC model
   Policies & guidelines
   Training & education
   Tools & products
 Requirements Analysis
   Classification
   Security planning
   Security requirements
 Architecture
   Initial Threat Modeling
   Secure Architecture
 Design
   Detailed Threat Modeling
   Mitigation of threats
   Secure Design
   Formulating security guidelines
   Security Design Review
 Coding
   Secure Coding
   Unit security tests
   Initial security code review
   Security push
 Testing
   Regression testing
   Final security code review
   Deployment inspection
   Black box penetration tests
   Final Security Review
 Maintenance
   Security response
   Secure change management
   Security bug tracking
   Metrics
   Process improvement

MISCONCEPTIONS

Agile is… really just “Waterfall”, repeated over and over again

SDL is… Only good for “Waterfall” process

Agile is… Like the “Wild West” of programming

SDL is… Control freaks

Agile is… Inconsistent

SDL is… Not flexible

Agile is… Out of control

SDL is… Very heavy process

Agile means… No documentation

SDL means… lots of boring documents

Agile is… An excuse to take shortcuts

SDL is… Full of duplicate activities

Agile means… No planning

SDL is… Unnecessary, for good programmers

Agile is… Never ending

SDL is… Slowing down real development

Agile is… a set of ceremonies and disconnected techniques

SDL is… a set of ceremonies and disconnected tasks

PROBLEM

OWASP Agile + SDL = FAIL! SDL  Heavy Agile  Light 31

OWASP Agile + SDL = FAIL! SDL  Strict process Agile  Adaptive process 32

OWASP Agile + SDL = FAIL! SDL  Structured phases Agile  Short iterations 33

OWASP Agile + SDL = FAIL! SDL  Lots of activities Agile  “Just enough” 34

OWASP Agile + SDL = FAIL! SDL  Predefined checkpoints Agile  Predefined priorities 35

OWASP Agile + SDL = FAIL! SDL  Centralized control Agile  Independent teams 36

OWASP Agile + SDL = FAIL! SDL  Lots o’ docs Agile  Not so much 37

OWASP Agile + SDL = FAIL! SDL  Assurance Agile  Responsibility 38

Agile + SDL = …?
Putting SDL on top of Agile kind of feels like…


We’ve been doing it wrong!

CONCEPTS

Agile Philosophy for SDL
 “Early feedback” already built in
 Add Security to the cross-functional team
 Always do “just enough” work
 Focus on the current sprint backlog
 Prioritize, don’t micro-manage

Training
Independent developers: just teach them how to do things right

Mapping SDL to Agile (Agile element → SDL activity)
 Discovery → Security planning
 Acceptance tests → Security requirements
 Non-functional stories → Security features
 Integration QA → Security testing
 User story “Done definition”, sprint entry criteria, release completion criteria → Security tasks
 “Abuser” stories → Countermeasures

Frequency-based “Wedges”

SUGGESTED SOLUTION

Ramp-up / Prerequisites
 Security advisor
 Coding guidelines
 Regulations and policies
 Training

First Discovery
 Security plan
 Baseline Threat Model
 Security response plan

Discovery
 Design review for User Stories
 User Stories for security features
 Review changes to Tech. Spec
 Update Threat Model for features

Sprint Entry Criteria
 Automated static code analysis
 Fix all High+ security bugs
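One way to turn this sprint entry gate into a CI job, as an added example rather than anything from the presentation: it reads a static-analysis export (the layout is constructed here), ranks each finding against a hypothetical security bug bar, and blocks sprint entry while any High+ finding (Important or Critical on this bar) is still open.

```python
"""Sprint entry gate: fail while static analysis has any High+ security bug open.

Added example (not from the OWASP presentation). It assumes the SAST tool
exports findings as a JSON list; the record layout below is constructed for
the demo and the severity ladder is a hypothetical security bug bar.
"""
import json

# Hypothetical security bug bar: higher rank = more severe.
BUG_BAR = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}
GATE_MIN = BUG_BAR["Important"]  # "High+" on the slide: Important and Critical

# Constructed sample SAST export: three findings, one already triaged as fixed.
SAMPLE_EXPORT = json.dumps([
    {"rule": "sql-injection", "severity": "Critical", "file": "orders.py", "line": 42, "state": "open"},
    {"rule": "weak-hash", "severity": "Important", "file": "auth.py", "line": 17, "state": "fixed"},
    {"rule": "debug-logging", "severity": "Low", "file": "app.py", "line": 3, "state": "open"},
])


def load_findings(raw):
    """Parse the export and reject severities the bug bar does not define."""
    findings = json.loads(raw)
    for f in findings:
        if f["severity"] not in BUG_BAR:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['file']}")
    return findings


def blocking_findings(findings, threshold=GATE_MIN):
    """Open findings at or above the bug-bar threshold block sprint entry."""
    return [f for f in findings
            if f["state"] == "open" and BUG_BAR[f["severity"]] >= threshold]


def sprint_entry_ok(raw, threshold=GATE_MIN):
    """Return (ok, report lines) so CI can print the report and exit non-zero."""
    blocking = blocking_findings(load_findings(raw), threshold)
    lines = [f"{f['severity']:<9} {f['rule']:<16} {f['file']}:{f['line']}" for f in blocking]
    return (not blocking), lines


if __name__ == "__main__":
    import sys
    ok, report = sprint_entry_ok(SAMPLE_EXPORT)
    print("\n".join(report) or "no blocking findings")
    sys.exit(0 if ok else 1)
```

Fixed findings and anything below the bar are ignored, so the gate only fails the sprint on work the team actually still owes.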

User Story Done Definition
 Secure coding
 Focused manual code reviews (via “eXtreme Programming”)
 Build security unit tests
 Pass security user story tests
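The “abuser story → countermeasure” mapping from the Concepts section and the “build security unit tests” Done criterion above, as an added example that is not part of the presentation: the abuser story is written down as a unit test against a hypothetical document store, and the story counts as Done only when the countermeasure (an ownership check on every read) makes the test pass.

```python
"""Abuser story as an executable security unit test.

Added example (not from the presentation). The abuser story, the toy
document store and its authorization check are hypothetical stand-ins
for the team's own feature code.
"""
import unittest


class Forbidden(Exception):
    pass


class DocumentStore:
    """Toy store: each document belongs to exactly one owner id."""

    def __init__(self):
        self._docs = {}  # doc_id -> (owner, body)

    def create(self, owner, doc_id, body):
        self._docs[doc_id] = (owner, body)

    def read(self, caller, doc_id):
        # Countermeasure for the abuser story below: ownership is checked on
        # every read, and a missing id and a foreign id raise the same error
        # so the response does not reveal whether the document exists.
        entry = self._docs.get(doc_id)
        if entry is None or entry[0] != caller:
            raise Forbidden(doc_id)
        return entry[1]


class AbuserStoryDirectObjectReference(unittest.TestCase):
    """Abuser story: "As a logged-in user, I swap the document id in the
    request to read another customer's document." Done when this passes."""

    def setUp(self):
        self.store = DocumentStore()
        self.store.create("alice", "doc-1", "alice's contract")
        self.store.create("bob", "doc-2", "bob's contract")

    def test_owner_can_read_own_document(self):
        self.assertEqual(self.store.read("alice", "doc-1"), "alice's contract")

    def test_foreign_document_is_refused(self):
        with self.assertRaises(Forbidden):
            self.store.read("alice", "doc-2")

    def test_unknown_id_is_indistinguishable_from_foreign(self):
        with self.assertRaises(Forbidden):
            self.store.read("alice", "doc-999")


if __name__ == "__main__":
    unittest.main()
```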

Integration QA
 In-depth manual code review
 Penetration testing
 Review default configuration

Release Completion Criteria
 Ensure recent training
 Response plan is updated
 High-level security review (FSR)

“Bucket” Requirements
 Verification bucket
   Fuzzing
   Binary analysis
   COM object testing
 Design bucket
   Review crypto design
   Strong names
   Privacy review
 Planning bucket
   Security bug bar
   Privacy test plan
   DRP / BCP

Security “Spike”
 Entire sprint focused on security
 Handle “security debt”
 Intensive search for vulnerabilities
 Do cross-feature requirements

Summary
 “Classic” SDL was about external control
 Agile SDL is about internal control
 Change from prescriptive to descriptive
 Teams are expected to do the right thing
 Can be even stronger than “Classic” SDL

Questions?