How to Develop Secure Software using Agile Methods? Dr. Imran Ghani

1 How to Develop Secure Software using Agile Methods? Dr. Imran Ghani
Agile Conference (c)

2 Outline
- Myths about Agile
- Agile Methods and Secure Software Development: Scrum, XP, FDD, and DSDM
- Software Process Improvement (SPI)
- Agile Methods for Security
- Findings
- Conclusion
- Q & A

3 The World is Going Agile (Securely?)
- Agile is like “Nasi Lemak”: Fast & Tasty
- Everybody is trying it…

4 Myths about Agile
- Agile is for “Experienced Developers”
- Agile is for “Small Projects”
- Agile does not support “Secure Software Development”

5 Agile Methods do not support “Secure Software Development”
- How do Developers and Customers Interact on Security? Basic Scrum, XP, FDD and DSDM really don’t!!
- Quick delivery of software does not mean that the software is SECURE too!!
- Developers assume that software will be SECURE, but are surprised when it is not!!
- Lack of a complete view of the system, lack of detailed documentation, lack of security awareness among customers and developers.

6 Examples of Software Attacks
- Phishing
- SQL Injection
- Cross-site Scripting (XSS)
- Brute Force Attack

7 Fast + Secure Software Development
- Developing Software with Security in Mind (Julia et al., 2007)
- Authentication, Authorization, Encryption, Audit & Accountability, Data Integrity, Infra Security

8 Recent Web-based Attack Reports: 2012~2013
Most Serious Attacks:
- Cross Site Scripting (XSS)
- SQL Injection
- Directory Traversals
- Brute Force Attack
- Session Hijacking
- Denial of Service (DoS)
- Phishing
- Man in the Middle
- Spam (76% increase)
- 1 in 5 emails was legitimate
- 76% increase in network traffic (source: Websense report, 2013)
- FireHost, Tuesday, July 30, 2013

9 Data Breaches

10

11 Top 10 Countries Hosting Malware
- All are victims: Websites, Mobile Apps, Social Media, Cloud
- How cybercriminals use certain countries in different aspects of their attack plans. For example, to target victims in Brazil a cybercriminal might find it easier to set up phishing websites in the United States, send spam from Germany, host malware in Russia and establish a command and control (CnC) server in China.

12 Top 10 Countries - Web Threat Victims

13 Agile and Software Security

14 Scrum, XP, FDD, DSDM - (Mind Map)
- Security Ignored

15 Scrum, XP, FDD, DSDM - (Planning)
- Security Ignored

16 So, what do we learn from software threats and existing Agile methods?

17 SPI of Agile Methods
- Agile process (non-secure) → Product (non-secure)
- Agile process (secure) → Product (secure)
- The process itself needs to change to better fit the development processes that Agile teams use
- Changes always result in a temporary drop of performance [SEI, 2009]

18 Why Agile Process Improvement?
- Long before the widely used phrase “software process improvement (SPI)” [Roger, 2010]
- Focus: “reduced number of security threats/bugs/flaws”

19 Local Security (one web page): Authentication
- Global Security (whole website): Session Mgt
- Local security > 70%
- Global security < 30%

20 Misuse case
- Quick Documentation
- Attack Tree

21 Scrum and Software Security
- User Story !! Security Sub-Story – What is that?

22 DSDM and Software Security

23 Basic FDD Model
- FDD Roles: Domain Expert, Chief Programmer, Project Manager, Feature Team & Chief Architect

24 Within Phase Security

25 After Phase Security

26 XP and Software Security

27

28 Testers

29 Secure Agile Tools - @UTM
- Secure Scrum - SAgile
- Secure XP - SAgile
- Secure FDD - SAgile

30 Tool Support
- Security feature

31

32 Fast + Secure Software Development
- Developing Software with Security in Mind (Julia et al., 2007)
- Authentication, Authorization, Encryption, Audit & Accountability, Data Integrity, Infra Security

33 Are you sure, our Agile team is producing secure software?
- Yes Boss, I am!! Let’s enjoy the party ☺
- Are you sure, our Agile team is producing secure software?

34 Next generation

35 Upcoming Agile Malaysia 2014
- Langkawi, 23rd Sep 2014
- Kuala Lumpur: October/November
- Agile Conference: For Corporates, October/November 2014
- Agile Symposium: For Academicians/Researchers, Paper submission: 26 May 2014
- Sponsors are welcome ☺
- Imran Ghani

36 Use case & Misuse case - Hackers, employees, criminals, terrorists, etc.

37 Software Vulnerability Databases

38 Assessment of Security in Agile
- Degree of Agility Attributes: Flexibility, Leanness, Speed, Learning, Responsiveness
- Refer to my presentation on Scrum & Security

