10 Steps To Agile Development Without Compromising Enterprise Security

Presentation transcript:

10 Steps To Agile Development Without Compromising Enterprise Security Author : Yair Rovek

Challenged by Agile

“It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks” -- Extract from a blog of a very popular software provider

“The good news is that our retroactive security is very good…” -- Extract from the same blog as above

About Me

Yair Rovek
- 20+ years in the industry
- 4 years Security Specialist @
- Leading the SDLC Program
- Design security and new technologies within our products

Contact Me! yairr@liveperson.com @lione_heart

Hosted by OWASP & the NYC Chapter

LivePerson ID

What do we do?
- 16 years in business, SaaS from day 1
- NASDAQ & TASE (LPSN)
- ~8500 Customers
- ~800 employees
- SaaS platform for creation of meaningful connections through real-time engagement

How does it work?
- Monitor web visitors’ behavior (over 1.5 B visits each month)
- Conduct behavioral ranking
- Provide the engagement platform (over 10 M chats each month)

SaaS & Cloud only. Security is NOT optional…

Who are the key players?
- Software Architects
- System Architects
- Sales & Product
- R&D Scrum teams
- CI environment
- Artifact
- Production

Agile Framework

Agile Framework RETROSPECTIVE

Add Security to the Agile Process

Scrum Actions: Release Planning, Sprint Planning, Coding, Code Freeze, Q&A – Regression Tests, Release

It is essential to understand that Agile comes to simplify the work and deliver working code in a timely fashion. Describe the milestones for Security approval during the process (including the customer pentest). Security checkpoints map one-to-one to scrum actions. This is the whole idea behind a successful project: security is part of the process. In order to reach the next stage in scrum, you need to meet all requirements, and one of the requirements is security.

Add Security to the Agile Process

Scrum Actions: Release Planning, Sprint Planning, Coding, Code Freeze, Q&A – Regression Tests, Release

Security Controls (added to the slide one at a time, in this order):
- Security High-Level Design
- Guide-in the teams On-Demand
- ESAPI & SCA checks for each build
- Automated Security Tests
- External Pen-Test

Screening Code in 3D
- Developer Code: SCA
- Delivered Dependencies and Open Source: POM File, Open Source Policy
- Utilities: ESAPI/AntiSamy/CSRF Guard…

ESAPI Building Blocks

Custom Enterprise Web Application, built on the Enterprise Security API:
Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

Where Do I put my validation?

Flow: User → User Interface → Controller → Business Functions → Data Layer → Any Interpreter (Database, Web Service, Mainframe, File System, Etc…)

Validate (specific validation) where input enters the Controller; Encode For HTML (or any encoding the target interpreter needs) where output leaves for the interpreter.
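As an added illustration (not code from the talk, and not LivePerson's LPSAPI) of placing the Validator and Encoder building blocks where the slide puts them, using the public OWASP ESAPI 2.x Java API; the "SafeString" pattern name and an ESAPI.properties file on the classpath are assumptions:

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Added example: validate at the Controller, encode at the HTML interpreter.
// Assumes an ESAPI.properties on the classpath that defines Validator.SafeString.
public class GreetingController {

    // Controller boundary: allow-list validation of the untrusted request value.
    static String validateDisplayName(String raw) throws ValidationException {
        return ESAPI.validator().getValidInput(
                "displayName",  // context name, used in ESAPI log and error messages
                raw,            // untrusted input straight from the request
                "SafeString",   // allow-list regex: Validator.SafeString in ESAPI.properties
                64,             // maximum length accepted
                false);         // null / empty is not allowed
    }

    // Interpreter boundary: encode for the HTML context the value is written into.
    static String renderGreeting(String validatedName) {
        return "<p>Hello, " + ESAPI.encoder().encodeForHTML(validatedName) + "</p>";
    }

    // Entry point a web framework would call with the raw request parameter.
    public static String handle(String rawDisplayName) {
        try {
            return renderGreeting(validateDisplayName(rawDisplayName));
        } catch (IntrusionException e) {
            // The IntrusionDetector flagged this request; give the caller nothing to work with.
            return "<p>Request rejected.</p>";
        } catch (ValidationException e) {
            // getUserMessage() is the non-sensitive text; getLogMessage() holds the detail for the Logger.
            return "<p>" + ESAPI.encoder().encodeForHTML(e.getUserMessage()) + "</p>";
        }
    }
}
```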

Define Relevant Filters (API example)

Automated Test Example: Filter Black/White Listing

Integrating Automated Testing: Example – Preventing RegEx DoS and Performance Issues
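An added example (not the talk's own test code) of the kind of build-time check the slide refers to: a filter regex runs under a time budget, so a backtracking-prone allow-list pattern fails the build instead of reaching production. The two patterns, the input and the 100 ms budget are constructed for illustration; String.repeat needs Java 11 or later.

```java
import java.util.regex.Pattern;

// Added example: fail fast when a filter regex blows its time budget (RegEx DoS guard).
public class RegexBudgetTest {

    // Thrown when the regex engine is still working after the deadline.
    public static final class BudgetExceeded extends RuntimeException {
        BudgetExceeded(String msg) { super(msg); }
    }

    // CharSequence wrapper: the regex engine calls charAt() on every step,
    // so checking the deadline there aborts catastrophic backtracking.
    static final class TimedInput implements CharSequence {
        private final CharSequence text;
        private final long deadlineNanos;
        TimedInput(CharSequence text, long deadlineNanos) {
            this.text = text; this.deadlineNanos = deadlineNanos;
        }
        public int length() { return text.length(); }
        public char charAt(int i) {
            if (System.nanoTime() > deadlineNanos) throw new BudgetExceeded("regex exceeded time budget");
            return text.charAt(i);
        }
        public CharSequence subSequence(int s, int e) { return new TimedInput(text.subSequence(s, e), deadlineNanos); }
        public String toString() { return text.toString(); }
    }

    // Returns the match result, or throws BudgetExceeded if matching takes longer than budgetMillis.
    static boolean matchesWithin(Pattern p, String input, long budgetMillis) {
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        return p.matcher(new TimedInput(input, deadline)).matches();
    }

    public static void main(String[] args) {
        // Constructed allow-list filters: a nested quantifier (backtracking-prone) vs. a linear one.
        Pattern risky = Pattern.compile("^(\\w+\\s?)*$");
        Pattern safe  = Pattern.compile("^[\\w\\s]*$");
        // Constructed input: a long valid prefix followed by one character the filter rejects.
        String input = "a".repeat(40) + "!";
        for (Pattern p : new Pattern[] { risky, safe }) {
            try {
                System.out.println(p + " -> matches=" + matchesWithin(p, input, 100));
            } catch (BudgetExceeded e) {
                System.out.println(p + " -> BUILD FAILURE: " + e.getMessage());
            }
        }
    }
}
```

In a CI job the same check belongs in a unit test that asserts the pattern finishes within budget, so a regression in a filter breaks the build the way the Key Success Factors slide describes.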

LivePerson ESAPI implementation

Live Person Security API (LPSAPI) - In-House Security Package based on the ESAPI project

For Each Product:
- Imports LPSAPI
- Enforces correct usage via Source Code Analysis (SCA)
- Enforce Open Source Policy
- Test your infra BB

CI environment

Develop Code → Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests)
Then: Publish to release repository, Deploy to Test Env, Deploy to Production, Report & Notify

Security in CI environment

Develop Code → Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests) → SCA, Dynamic, OS
Then: Publish to release repository, Deploy to Test Env, Deploy to Production, Report & Notify

One Dashboard: Results are integrated within TeamCity

Dive into the results: Results are integrated within TeamCity. The developer has all the required info; no need to involve the Security Team.

10 Best Practices: Secure Agile Development

Key Success Factors
- Identify the process within R&D and set a plan to become part of it
- Set a Security Package API to be consumed with each code base (ESAPI, AntiSamy, CSRF Guard)
- Screen and enforce your policy on your code, Open Source and platform
- Use automation to collaborate with the security dynamic test
- Allow customers to run a pen test and work as a community to succeed

Key Success Factors
- Engage tech leaders as security champions by showing them the value
- Train developers on a regular basis
- Create a knowledge base and discussions around security
- Break the build for any “High” or “Medium” findings
- Start small but think big

Never ending story …

Q&A Contact Me! yairr@liveperson.com @lione_heart