August 1, 2006 XP Security

Comparing XP and Security Goals
XP GOALS
–User stories
–No BDUF (big design up front)
–Refactoring
–Continuous integration
–Simplicity
SECURITY GOALS
–Prevention
–Detection
–Authentication
–Integrity
–Availability
–Privacy

Security Design Principles
1. Least Privilege
2. Fail-Safe Defaults
3. Economy of Mechanism
4. Complete Mediation
5. Open Design
6. Separation of Privilege
7. Least Common Mechanism
8. Psychological Acceptability

SDLC Artifacts

User Stories
Security needs to be included in development:
–Constraints
–User stories modeled after abuse cases
Security needs to be included in the definition of completion:
–Unit tests pass + customer sign-off
–Static analysis scans clean + risk analysis updated

Security Refactoring
Software security through refactoring:
–Replace insecure APIs
–Add input validation
–Single point of validation
Use one iteration for security refactoring:
–Construct security stories to support the goals

Security Tests First
Design security tests along with unit tests:
–“Unit hacks”
–Fuzz tests
Need security knowledge to construct tests:
–Attackers head immediately for edge cases.
–Use attack patterns; work with security experts.
–Do developers know enough about testing?
–Do developers know enough about security?
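As an added example (not from the slides) of the "single point of validation" refactoring and the "unit hacks" and fuzz tests described above, in Python: one validator that every component calls, a hand-written list of hostile edge cases, and a seeded fuzz loop that checks the invariant the validator promises. The username rule and all test inputs are constructed for this example.

```python
import random
import re
import string

# Single point of validation: every component that accepts a username calls
# this one function instead of re-implementing (and diverging on) the checks.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def validate_username(raw):
    """Return the username unchanged or raise ValueError. Allow-list rule (assumed
    here): lowercase ASCII letter, then letters/digits/underscore, 3..32 chars."""
    if not isinstance(raw, str):
        raise ValueError("username must be a string")
    if "\x00" in raw:
        raise ValueError("username contains NUL")
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("username does not match the allow-list")
    return raw

def _accepts(candidate):
    try:
        validate_username(candidate)
        return True
    except ValueError:
        return False

# "Unit hacks": hand-written edge cases (constructed) covering what an attacker
# tries first: length limits, control chars, metacharacters, Unicode look-alikes.
UNIT_HACKS = [
    "", "a", "ab", "a" * 33,
    "admin\x00", "bob\n", "bob\r",
    "../etc/passwd", "bob'; --",
    "\uff22ob", "bob\u200b",
    "1bob", "_bob", "Bob",
]

def run_unit_hacks():
    """Return the hostile inputs the validator wrongly accepted (want [])."""
    return [c for c in UNIT_HACKS if _accepts(c)]

def fuzz_validator(iterations=5000, seed=0):
    """Seeded fuzz: only ValueError may escape, and accepted values keep the invariant."""
    rng = random.Random(seed)
    alphabet = string.printable + "\x00\u200b\u00e9"
    accepted = 0
    for _ in range(iterations):
        candidate = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 40)))
        if _accepts(candidate):
            assert 3 <= len(candidate) <= 32 and candidate.isascii()
            accepted += 1
    return accepted
```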

Test Driven Design
Coding to tests works well for features.
–But security isn’t a feature.
–Two features that are secure apart may be insecure when combined.
Acceptance tests
–The customer may not have the security knowledge necessary to evaluate product security.
Undocumented assumptions
–Code is too low level to express design assumptions.
–Data flow between components

Pair Programming
Security training
–Pair with a security expert to learn software security.
Security code reviews
–Use a static analysis tool before checking in code.
