Download presentation
Presentation is loading. Please wait.
1
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Agile + SDL Concepts and Misconceptions Avi Douglen Aware Security avid@AwareID.com (972)-52-7891133 Nir Bregman Senior Project Manager, HP nir.bregman@hp.com nir.bregman@hp.com (972)-54-5597038 15/09/2011
2
OWASP 2 Agenda Introduction Misconceptions Problems Concepts Solution
3
OWASP INTRODUCTION 3
4
OWASP “Agile” – A Definition “… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.” – Wikipedia 4
5
OWASP Agile Methodology – Key Features Early feedback Prioritized “backlog” Inherent improvement process Adaptive to changes Short, incremental iterations or sprints ‘Release like’ version every iteration Team selects “user stories” 5
6
OWASP “SDL” – A Definition “A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.” - Wikipedia 6
7
OWASP SDL – Microsoft Model 7
8
OWASP SDL – OWASP Model (CLASP) 8
9
OWASP SDL – Key Features Activities for each development phase Relatively formal process Carefully controlled development 9
10
OWASP SDL – Main Activities General Designing SDLC model Policies & guidelines Training & education Tools & products Requirements Analysis Classification Security planning Security requirements Architecture Initial Threat Modeling Secure Architecture Design Detailed Threat Modeling Mitigation of threats Secure Design Formulating security guidelines Security Design Review Coding Secure Coding Unit security tests Initial security code review Security push Testing Regression testing Final security code review Deployment inspection Black box penetration tests Final Security Review Maintenance Security response Secure change management Security bug tracking Metrics Process improvement 10
11
OWASP MISCONCEPTIONS 11
12
OWASP Agile is… … really just “Waterfall”, repeated over and over again 12
13
OWASP SDL is… Only good for “Waterfall” process 13
14
OWASP Agile is… Like the “Wild West” of programming 14
15
OWASP SDL is… Control freaks 15
16
OWASP Agile is… Inconsistent 16
17
OWASP SDL is… Not flexible 17
18
OWASP Agile is… Out of control 18
19
OWASP SDL is… Very heavy process 19
20
OWASP Agile means… No documentation 20
21
OWASP SDL means… lots of boring documents 21
22
OWASP Agile is… 22 An excuse to take shortcuts
23
OWASP SDL is… Full of duplicate activities 23
24
OWASP Agile means… No planning 24
25
OWASP SDL is… Unnecessary, for good programmers 25
26
OWASP Agile is… Never ending 26
27
OWASP SDL is… Slowing down real development 27
28
OWASP Agile is… a set of ceremonies and disconnected techniques 28
29
OWASP SDL is… a set of ceremonies and disconnected tasks 29
30
OWASP PROBLEM 30
31
OWASP Agile + SDL = FAIL! SDL Heavy Agile Light 31
32
OWASP Agile + SDL = FAIL! SDL Strict process Agile Adaptive process 32
33
OWASP Agile + SDL = FAIL! SDL Structured phases Agile Short iterations 33
34
OWASP Agile + SDL = FAIL! SDL Lots of activities Agile “Just enough” 34
35
OWASP Agile + SDL = FAIL! SDL Predefined checkpoints Agile Predefined priorities 35
36
OWASP Agile + SDL = FAIL! SDL Centralized control Agile Independent teams 36
37
OWASP Agile + SDL = FAIL! SDL Lots o’ docs Agile Not so much 37
38
OWASP Agile + SDL = FAIL! SDL Assurance Agile Responsibility 38
39
OWASP Agile + SDL = …? Putting SDL on top of Agile kind of feels like… 39
40
OWASP 40
41
OWASP We’ve been doing it wrong! 41
42
OWASP CONCEPTS 42
43
OWASP Agile Philosophy For SDL “Early Feedback” already built in Add Security to cross-functional team Always do “just enough” work Focus on the current sprint backlog Prioritize, don’t micro-manage 43
44
OWASP Training Independent developers: Just teach them how to do things right 44
45
OWASP Mapping SDL to Agile Discovery Security planning 45
46
OWASP Mapping SDL to Agile Acceptance Tests Security requirements 46
47
OWASP Mapping SDL to Agile Non-functional stories Security features 47
48
OWASP Mapping SDL to Agile Integration QA Security testing 48
49
OWASP Mapping SDL to Agile UserStory “Done definition” Sprint entry criteria Release completion criteria Security tasks 49
50
OWASP Mapping SDL to Agile “Abuser” stories Countermeasures 50
51
OWASP Frequency-based “Wedges” 51
52
OWASP SUGGESTED SOLUTION 52
53
OWASP Ramp-up / Prerequisites Security advisor Coding guidelines Regulations and policies Training 53
54
OWASP First Discovery Security plan Baseline Threat Model Security response plan 54
55
OWASP Discovery Design review for User Stories User Stories for security features Review changes to Tech.Spec Update Threat Model for features 55
56
OWASP Sprint Entry Criteria Automated static code analysis Fix all High+ security bugs 56
57
OWASP UserStory Done Definition Secure coding Focused manual code reviews (via “eXtreme Programming”) Build security Unit Tests Pass security user story tests 57
58
OWASP Integration QA In-depth manual code review Penetration testing Review default configuration 58
59
OWASP Release Completion Criteria Ensure recent training Response plan is updated High-level security review (FSR) 59
60
OWASP “Bucket” Requirements Verification bucket Design bucket Planning bucket Security bug bar Privacy test plan DRP / BCP 60 Review crypto design Strong names Privacy review Fuzzing Binary analysis COM object testing
61
OWASP Security “Spike” Entire Sprint focused on security Handle “Security Debt” Intensive search for vulnerabilities Do cross-feature requirements 61
62
OWASP Summary “Classic” SDL was about external control Agile SDL is about internal control Change from prescriptive to descriptive Teams are expected to do the right thing Can be even stronger than “Classic” SDL 62
63
OWASP Questions? 63
Similar presentations
