10 Steps To Agile Development Without Compromising Enterprise Security
Author: Yair Rovek
Challenged by Agile

“It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks”
-- Extract from a blog of a very popular software provider

“The good news is that our retroactive security is very good…”
-- Extract from the same blog as above
About Me
Yair Rovek
20+ years in the industry
4 years Security Specialist @ LivePerson
Leading the SDLC Program
Design security and new technologies within our products
Contact Me! yairr@liveperson.com @lione_heart
Hosted by OWASP & the NYC Chapter
LivePerson ID
What we do?
16 years in business, SaaS from day 1. NASDAQ & TASE (LPSN)
~8500 customers, ~800 employees
SaaS platform for creation of meaningful connections through real-time engagement
How it works?
Monitor web visitor’s behavior (over 1.5 B visits each month)
Conduct behavioral ranking
Provide the engagement platform (over 10 M chats each month)
SaaS & Cloud only. Security is NOT optional…
Who are the key players?
Software Architects
Sales & Product
System Architects
R&D Scrum teams
CI environment
Artifact
Production
Agile Framework
[Diagram of the agile cycle; labelled stage: Retrospective]
Add Security to the Agile Process

It is essential to understand that Agile comes to simplify the work and deliver working code in a timely fashion. Describe the milestones for security approval during the process.

Security checkpoints are one-to-one with scrum actions. This is the whole idea behind a successful project: security is part of the process. In order to reach the next stage in scrum you need to meet all requirements, and one of the requirements is security.

Scrum action              Security control
Release Planning          Security High-Level Design
Sprint Planning           Guide-in the teams (On-Demand)
Coding                    ESAPI & SCA checks for each build
Code Freeze               Automated Security Tests
Q&A – Regression Tests    External Pen-Test
Release                   Customer pentest
Code in 3D: Screening Delivered Code
- Dependencies and Open Source (POM file): Open Source Policy
- Developer Code: SCA
- Utilities: ESAPI / AntiSamy / CSRF Guard…
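The "dependencies and open source" dimension above is screened against a policy at build time. The following is an added example of that screening, not LivePerson's own SCA or policy tooling: it parses the dependencies declared in a Maven POM and classifies each coordinate as approved, below the approved minimum version, denied, or never reviewed. The POM fragment, the coordinates and the policy table are constructed for the example; the verdict names are assumptions.

```python
"""Screen the dependencies declared in a Maven POM against an open-source policy.

Added example, not LivePerson's SCA or policy tooling. The POM fragment, the
coordinates and the policy are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: one approved, one below the approved minimum,
# one banned, one never reviewed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId><version>2.1.0</version></dependency>
    <dependency><groupId>com.example.approved</groupId><artifactId>lib</artifactId><version>1.3.2</version></dependency>
    <dependency><groupId>com.example.legacy</groupId><artifactId>old-crypto</artifactId><version>0.9</version></dependency>
    <dependency><groupId>com.example.unknown</groupId><artifactId>widget</artifactId><version>0.1</version></dependency>
  </dependencies>
</project>
"""

# Hypothetical policy: approved coordinates with the minimum version accepted,
# plus coordinates that are denied outright.
POLICY = {
    "approved": {"org.owasp.esapi:esapi": "2.1.0", "com.example.approved:lib": "1.4.0"},
    "denied": {"com.example.legacy:old-crypto"},
}


def parse_version(text):
    """'2.1.0-rc1' -> (2, 1, 0): leading digits of each dot-separated piece, else 0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_at_least(version, minimum):
    """Compare numerically, padding the shorter tuple with zeros ('2.1' == '2.1.0')."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def dependencies(pom_xml):
    """Yield (groupId:artifactId, version) for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        yield f"{group}:{artifact}", version


def screen(pom_xml, policy=POLICY):
    """Map each coordinate to approved / below-minimum / denied / unreviewed."""
    verdicts = {}
    for coord, version in dependencies(pom_xml):
        if coord in policy["denied"]:
            verdicts[coord] = "denied"
        elif coord in policy["approved"]:
            ok = version_at_least(version, policy["approved"][coord])
            verdicts[coord] = "approved" if ok else "below-minimum"
        else:
            # Not on the policy at all: it needs a review before it may ship.
            verdicts[coord] = "unreviewed"
    return verdicts


def build_passes(verdicts):
    """The policy is enforced, not advisory: anything but 'approved' fails the build."""
    return all(v == "approved" for v in verdicts.values())


if __name__ == "__main__":
    result = screen(SAMPLE_POM)
    for coord, verdict in result.items():
        print(f"{verdict:14} {coord}")
    print("build passes:", build_passes(result))
```

Treating an unreviewed artifact as a failure, rather than a warning, is what makes the policy a gate: a new dependency cannot reach the release repository until someone has added it to the approved list.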
ESAPI Building Blocks
Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Where Do I Put My Validation?
Layers: User Interface -> Controller -> Business Functions -> Data Layer -> Any Interpreter (Database, Web Service, Mainframe, File System, User, etc.), with any encoding in between.
Validate on the way in (at the Controller) and, with interpreter-specific validation, before any interpreter; Encode For HTML at the User Interface on the way out.
Define Relevant Filters (API example)
Automated Test Example: Filter Black/White Listing
Integrating Automated Testing, Example: Preventing RegEx DoS and Performance Issues
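The validation-placement and filter slides above come together in the pattern below, written as an added example for this page; it is not LivePerson's LPSAPI and not the ESAPI Java API, though the validate-then-encode flow is the same. Input is whitelist-validated at the controller (length cap first, then an anchored single-class regex so matching is linear and cannot be driven into catastrophic backtracking), the business function trusts what it receives, and the user-interface layer HTML-encodes on the way out regardless. Rule names, contexts, the 64-character cap and the two controllers are assumptions chosen for the example.

```python
"""Validate at the boundary, encode at the output, keep filters ReDoS-safe.

Added example illustrating the validation placement and filter slides; it is
not LivePerson's LPSAPI and not the ESAPI Java API. Rule names, contexts and
the length cap are assumptions chosen for the example.
"""
import html
import re

MAX_INPUT_LEN = 64  # hard cap, checked before any regex touches the input

# Whitelist rules. Each is anchored (fullmatch) and built from one character
# class with one quantifier, so matching is linear in the input length. A
# pattern such as (a+)+$ (nested quantifiers) is the shape that backtracks
# exponentially on non-matching input and must not be accepted as a rule.
RULES = {
    "SafeString": re.compile(r"[A-Za-z0-9 .,'-]*"),
    "Username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "FreeText": re.compile(r"[^\x00-\x1F\x7F]*"),  # printable text, markup included
}


class ValidationError(ValueError):
    """Raised at the boundary; the business layer never sees invalid input."""


def get_valid_input(context, value, rule, max_length=MAX_INPUT_LEN):
    """Specific validation at the controller: presence, length, then whitelist pattern."""
    if value is None:
        raise ValidationError(f"{context}: missing")
    if len(value) > max_length:
        raise ValidationError(f"{context}: longer than {max_length} characters")
    if RULES[rule].fullmatch(value) is None:
        raise ValidationError(f"{context}: does not match rule {rule}")
    return value


def is_valid(context, value, rule, max_length=MAX_INPUT_LEN):
    """Boolean form of get_valid_input, convenient for filters and automated tests."""
    try:
        get_valid_input(context, value, rule, max_length)
        return True
    except ValidationError:
        return False


def encode_for_html(value):
    """Output encoding at the user interface; applied even to validated data."""
    return html.escape(value, quote=True)


def greet(display_name):
    """Business function: trusts its argument because the controller validated it."""
    return f"Hello, {display_name}"


def greeting_controller(raw_name):
    """Controller: validate on the way in, encode on the way out."""
    name = get_valid_input("displayName", raw_name, "SafeString")
    return "<p>" + encode_for_html(greet(name)) + "</p>"


def comment_controller(raw_comment):
    """A field that legitimately allows '<' still renders safely because of the encoder."""
    text = get_valid_input("comment", raw_comment, "FreeText", max_length=280)
    return "<p>" + encode_for_html(text) + "</p>"


if __name__ == "__main__":
    print(greeting_controller("O'Brien"))
    print(comment_controller("<b>hi</b> & bye"))
    print(is_valid("displayName", "<script>alert(1)</script>", "SafeString"))
```

The two controllers show the two layers doing different jobs: the strict `SafeString` rule rejects markup outright, while the permissive `FreeText` rule lets it through and relies on the encoder, which is why encoding is applied unconditionally at the output rather than only when validation was lenient. The length check before the regex is the cheap part of the RegEx DoS defence; the rule shape is the rest of it.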
LivePerson ESAPI Implementation
Live Person Security API (LPSAPI): in-house security package based on the ESAPI project
For each product: imports LPSAPI; correct usage is enforced via Source Code Analysis (SCA); the Open Source Policy is enforced
Test your infrastructure building blocks
CI Environment
Develop Code -> Commit -> Source Control (SVN) -> TeamCity (Build Trigger) -> Maven Build Process (Unit tests) -> Publish to release repository -> Deploy to Test Env -> Deploy to Production, with Report & Notify at each stage
Security in the CI environment: SCA, Dynamic and OS (open source policy) checks run alongside the Maven build, and their results are reported and notified like the unit tests.
One Dashboard
Results are integrated within TeamCity.
Dive into the results: the developer has all required info; no need to involve the Security Team.
10 Best Practices: Secure Agile Development
Key Success Factors
1. Identify the process within R&D and set a plan to become part of it
2. Set a Security Package API to be consumed by every code base (ESAPI, AntiSamy, CSRF Guard)
3. Screen and enforce your policy on your code, open source and platform
4. Use automation to collaborate with the security dynamic tests
5. Allow customers to run a pen test and work as a community to succeed
6. Engage tech leaders as security champions by showing them the value
7. Train developers on a regular basis
8. Create a knowledge base and discussions around security
9. Break the build for any “High” or “Medium” findings
10. Start small but think big
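Factor 9 and the "Security in CI environment" slide describe the same gate: the security checks run in the build, and High or Medium findings fail it. The script below is an added example of that gate, not LivePerson's TeamCity integration. It reads a findings report (a constructed JSON document in a hypothetical format; real SCA tools emit their own), filters by severity, subtracts risk-accepted findings from a baseline, and emits one `##teamcity[buildProblem ...]` service message per blocking finding, which is TeamCity's documented way for a build step to fail the build with a description the developer can read on the dashboard. The report contents, the severity names and the baseline mechanism are assumptions.

```python
"""CI gate: break the build on High or Medium findings.

Added example, not LivePerson's TeamCity integration. The findings report is a
constructed JSON document in a hypothetical format; real SCA tools have their own.
"""
import json
import sys

BREAK_ON = frozenset({"High", "Medium"})

# Constructed report: what an SCA step might hand back for one build.
SAMPLE_REPORT = json.dumps({
    "build": "demo-42",
    "findings": [
        {"id": "F-1", "severity": "High", "rule": "SQL Injection",
         "file": "src/Dao.java", "line": 88},
        {"id": "F-2", "severity": "Medium", "rule": "Missing Output Encoding",
         "file": "src/View.java", "line": 12},
        {"id": "F-3", "severity": "Low", "rule": "Unused Import",
         "file": "src/Util.java", "line": 3},
    ],
})


def load_findings(report_json):
    return json.loads(report_json)["findings"]


def blocking_findings(findings, break_on=BREAK_ON, baseline=frozenset()):
    """Findings that fail the build: severity in break_on and not risk-accepted in baseline."""
    return [f for f in findings if f["severity"] in break_on and f["id"] not in baseline]


def severity_counts(findings):
    """Per-severity totals for the dashboard summary."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def tc_escape(text):
    """Escape a value for a TeamCity service message: | ' newline [ ] are prefixed with |."""
    table = {"|": "||", "'": "|'", "\n": "|n", "\r": "|r", "[": "|[", "]": "|]"}
    return "".join(table.get(ch, ch) for ch in text)


def tc_build_problem(finding):
    """One service message per blocking finding; the identity keeps re-runs from duplicating it."""
    desc = f"{finding['severity']}: {finding['rule']} at {finding['file']}:{finding['line']}"
    return (f"##teamcity[buildProblem description='{tc_escape(desc)}' "
            f"identity='{tc_escape(finding['id'])}']")


def gate(report_json, break_on=BREAK_ON, baseline=frozenset()):
    """Return (exit_code, service_messages). A non-zero exit code breaks the build."""
    findings = load_findings(report_json)
    blocking = blocking_findings(findings, break_on, baseline)
    messages = [tc_build_problem(f) for f in blocking]
    return (1 if blocking else 0), messages


if __name__ == "__main__":
    code, messages = gate(SAMPLE_REPORT)
    for message in messages:
        print(message)
    print("counts:", severity_counts(load_findings(SAMPLE_REPORT)))
    sys.exit(code)
```

The baseline is the escape hatch that keeps the gate usable: an accepted finding is listed there with its id, so it stops breaking the build without lowering the severity threshold for everything else, and the list itself lives in source control where its changes are reviewed.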
Never ending story …
Q&A
Contact Me! yairr@liveperson.com @lione_heart