Presentation is loading. Please wait.

Presentation is loading. Please wait.

SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.

Published byCora Beckford Modified over 10 years ago

Similar presentations

Presentation on theme: "SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного."— Presentation transcript:

1 SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного обеспечения при его разработке.

2 What does Agile mean, anyway?

3

4 The Agile manifesto Individuals and interactions Processes and tools Working softwareComprehensive documentation Customer collaborationContract negotiation Responding to changeFollowing a plan

5 Security Development Lifecycle Ongoing Process Improvements ProcessEducationAccountability Microsofts industry leading software security assurance process designed to protect customers by reducing the number and severity of software vulnerabilities before release.

6 Challenges

7 Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile

8 Fits spiral or waterfall… …but Agile doesnt have phases SDL Classic phased approach

9 Very secure! But not Agile. Idea: Do the full SDL every iteration

10 From the Principles Behind the Agile Manifesto: Short timescale Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.

11 Very Agile! But not secure. Idea: Move SDL tasks to product backlog

12 But every requirement is, well, required We need to keep all requirements We need to reorganize into Agile-friendly form Idea: Drop some requirements

13 SDL-Agile process

14

15 Three classes of requirements Every Sprint Training Threat modeling etc... One-Time Only Set up tracking Create response plan etc... Bucket Fuzz parsers Refresh response plan etc…

16 One-time requirements get added to the Product Backlog (with deadlines) So do bucket requirements Every-sprint requirements go to the Sprint Backlog directly Requirements as backlog items Product Backlog Set up tracking system Upgrade to VS2012 Fuzz image parser Fuzz network parser … Sprint Backlog Threat model new stored procedures Run static analysis …

17 Agile sashimi

18 Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile

19 2:00 AM Christmas morning is a poor time to hold a Scrum meeting… Security incident response

20 Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile

21 Writing secure code

22 Secure code cannot be a "feature" Not a User Story Doesnt go in the Product Backlog Cant get prioritized in or out Cant decide to not do security this sprint

23 Some SDL requirements are straightforward... –Enable compiler switches –Run static analysis tools …some are more difficult (not actionable) –Avoid banned APIs –Access databases safely Breaking the SDL into tasks

24 Two options Verify manuallyVerify with tools

25 Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality Emphasis on project/iteration backlogs General avoidance of automated tools Challenges of adapting SDL to Agile

26 FxCop CAT.NET PREFast (/analyze) And/or your alternative tool(s) of choice These are every-sprint requirements Better still: Continuous Integration Static analysis requirements

27 Fuzzers (homegrown) AppVerifier Passive HTTP traffic analysis And/or your alternative tool(s) of choice These are bucket requirements Or Continuous Integration Dynamic analysis requirements

28 Web Protection Library (a.k.a AntiXss) StrSafe SafeInt Use always, check every sprint Secure coding libraries

29 Strengths

30 Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL

31 Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL Welcome changing requirements, even late in development. Agile processes harness change for the customers competitive advantage.

32 Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

33 Bucket activities easily move in & out of sprints Teams self-select best security activities Each iteration is a gate Strengths of Agile in SDL Security and privacy are most effective when built-in throughout the entire development lifecycle

34 The Agile manifesto Individuals and interactions Processes and tools Working softwareComprehensive documentation Customer collaborationContract negotiation Responding to changeFollowing a plan

35 The SDL-Agile manifesto Continuous, incremental effort Heroic pushes Automated toolsManual processes Planned responseAd-hoc response

36 http://www.microsoft.com/sdl http://blogs.msdn.com/b/sdl More resources

37 Thank you Спасибо за внимание

Download ppt "SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного."

Similar presentations

Keith McMillan Principal, Adept Technologies Copyright (C) 2008, Adept Technologies llc.

Keith McMillan Principal, Adept Technologies Copyright (C) 2008, Adept Technologies llc.
Colin Weaver The Eleven Essential Behaviours of Successful Agile Project Teams.

Colin Weaver The Eleven Essential Behaviours of Successful Agile Project Teams.
COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED. 1 Agile documentation development methodology Giby Panicker and Judith Benjamin 1-Dec-2012.

COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED. 1 Agile documentation development methodology Giby Panicker and Judith Benjamin 1-Dec-2012.
Software Development Methodologies 1. A methodology is: A collection of procedures, techniques, principles, and tools that help developers build a computer.

Software Development Methodologies 1. A methodology is: A collection of procedures, techniques, principles, and tools that help developers build a computer.
Agile at ON.Lab Bill Snow VP of Engineering. What is waterfall? RequirementsDesignDevelopTest Or Requirements Design Develop Test Time.

Agile at ON.Lab Bill Snow VP of Engineering. What is waterfall? RequirementsDesignDevelopTest Or Requirements Design Develop Test Time.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Bryan Sullivan Senior Security Program Mgr Microsoft SIA205.

Bryan Sullivan Senior Security Program Mgr Microsoft SIA205.
12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.

12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.
Agile Project Management with Scrum

Agile Project Management with Scrum
Agile development By Sam Chamberlain. First a bit of history..

Agile development By Sam Chamberlain. First a bit of history..
Agile Architecture? Paul Lund 24 th Nov 2010. Agile Manifesto We are uncovering better ways of developing software by doing it and helping others do it.

Agile Architecture? Paul Lund 24 th Nov Agile Manifesto We are uncovering better ways of developing software by doing it and helping others do it.
Agile Methods.

Agile Methods.
Managing a Project Using an Agile Approach and the PMBOK® Guide

Managing a Project Using an Agile Approach and the PMBOK® Guide
Does it work with Data Warehouses?. “We are uncovering better ways of developing software by doing it and helping others do it. Through this work we.

Does it work with Data Warehouses?. “We are uncovering better ways of developing software by doing it and helping others do it. Through this work we.
Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.

Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.
Introduction to Agile.

Introduction to Agile.
Software engineering Process models Pavel Agejkin.

Software engineering Process models Pavel Agejkin.
Software Development Landscape

Software Development Landscape
Dr. Tom WayCSC 47001 Software Processes CSC 4700 Software Engineering.

Dr. Tom WayCSC Software Processes CSC 4700 Software Engineering.
1 Agile Methodology & Programming Ric Holt July 2009.

1 Agile Methodology & Programming Ric Holt July 2009.

Similar presentations

Ads by Google