Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Published byReynold Nash Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."— Presentation transcript:

1 Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation OWASP AppSec Seattle Oct 2006 http://www.owasp.org/ Agile and Secure: Can We Be Both? Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400

2 OWASP AppSec Seattle 2006 2 The Agile Practitioner’s Dilemma Agile Forces:  More responsive to business concerns  Increasing the frequency of stable releases  Decreasing the time it takes to deploy new features Secure Forces:  More aggressive regulatory environment  Increasing focus on need for security  Traditional approaches are top-down, document centric

3 OWASP AppSec Seattle 2006 3 Objectives  Background  Goals of Agile Methods  Goals of Secure Development Lifecycle (SDL)  Review the Momentum of Agile Methods  Look at An Integrated Process  Challenges & Compromises

4 OWASP AppSec Seattle 2006 4 Background  Dan Cornell  Principal of Denim Group, Ltd.  MCSD, Java 2 Certified Programmer  Challenges facing our own agile teams  Deliver projects in an economically-responsible manner  Uphold security goals

5 OWASP AppSec Seattle 2006 5 Notable Agile Methods  eXtreme Programming (XP)  Feature Driven Development (FDD)  SCRUM  MSF for Agile Software Development  Agile Unified Process (AUP)  Crystal Clear  Dynamic Systems Development Method (DSDM)

6 OWASP AppSec Seattle 2006 6 Manifesto for Agile Software Development Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Source: http://www.agilemanifesto.org/http://www.agilemanifesto.org/

7 OWASP AppSec Seattle 2006 7 Agile’s Core Values  Communication  Simplicity  Feedback  Courage

8 OWASP AppSec Seattle 2006 8 Principles of Agile Development  Rapid Feedback  Simple Design  Incremental Change  Embracing Change  Quality Work The system is appropriate for the intended audience. The code passes all the tests. The code communicates everything it needs to. The code has the smallest number of classes and methods.

9 OWASP AppSec Seattle 2006 9 Agile Practices  The Planning Game  The Driving Metaphor  Shared Vision  On-Site Customer  Small Releases Customer: scope, priorities and release dates Developer: estimates, consequences and detailed scheduling Development iterations or cycles that last 1-4 weeks. Release iterations as soon as possible (weekly, monthly, quarterly).

10 OWASP AppSec Seattle 2006 10 More Agile Practices  Collective Ownership  Test Driven  Continuous Integration  Coding Standards  Pair Programming

11 OWASP AppSec Seattle 2006 11 Definition of Secure A secure product is one that protects the confidentiality, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the system’s owner or administrator. -- Source: Writing Secure Code (Microsoft.com)

12 OWASP AppSec Seattle 2006 12 A Secure Development Process…  Strives To Be A Repeatable Process  Requires Team Member Education  Tracks Metrics and Maintains Accountability Sources: “Writing Secure Code” 2 nd Ed., Howard & LeBlanc “The Trustworthy Computing Security Development Lifecycle” by Lipner & Howard

13 OWASP AppSec Seattle 2006 13 Secure Development Principles  SD 3 : Secure by Design, Secure by Default, and in Deployment  Learn From Mistakes  Minimize Your Attack Surface  Assume External Systems Are Insecure  Plan On Failure  Never Depend on Security Through Obscurity Alone  Fix Security Issues Correctly

14 OWASP AppSec Seattle 2006 14 Secure Development Practices  Education, Education, Education  Threat Modeling  Secure Coding Techniques  Security Testing  Security Code Reviews

15 OWASP AppSec Seattle 2006 15 Microsoft’s Secure Development Lifecycle (SDL)  Requirements  Design  Implementation  Verification  Release  (Waterfall!)

16 OWASP AppSec Seattle 2006 16 Observations of the SDL in Practice  Threat Modeling is the Highest-Priority Component  Penetration Testing Alone is Not the Answer  Tools Should be Complementary

17 OWASP AppSec Seattle 2006 17 Threat Modeling  STRIDE – classify threats  Spoofing Identity  Tampering with Data  Repudiation  Information Disclosure  Denial of Service  Elevation of Privilege  DREAD – rank vulnerabilities  Damage Potential  Reproducibility  Exploitability  Affected Users  Discoverability

18 OWASP AppSec Seattle 2006 18 Dr. Dobb’s says Agile Methods Are Catching On 41% of organizations have adopted an agile methodology Of the 2,611 respondents doing agile…  37% using eXtreme Programming  19% using Feature Driven Development (FDD)  16% using SCRUM  7% using MSF for Agile Software Development Source: http://www.ddj.com/dept/architect/191800169http://www.ddj.com/dept/architect/191800169

19 OWASP AppSec Seattle 2006 19 Agile Teams are “Quality Infected”  60% reported increased productivity  66% reported improved quality  58% improved stakeholder satisfaction

20 OWASP AppSec Seattle 2006 20 Adoption Rate for Agile Practices Of the respondents using an agile method…  36% have active customer participation  61% have adopted common coding guidelines  53% perform code regression testing  37% utilize pair programming

21 OWASP AppSec Seattle 2006 21 Let’s Look at Some Specific Agile Methods  eXtreme Programming (XP)  Feature Driven Development (FDD)  SCRUM  MSF for Agile Software Development

22 OWASP AppSec Seattle 2006 22 eXtreme Programming (XP)

23 OWASP AppSec Seattle 2006 23 Feature Driven Development (FDD) Startup Phase Develop an Overall Model Build Features List Planning Design by Feature Build by Feature Construction Phase Source: http://featuredrivendevelopment.com/

24 OWASP AppSec Seattle 2006 24 SCRUM  Commonly Used to Enhance Existing Systems  Feature Backlog  30 Day Sprints  Daily Team Meeting Source: http://www.controlchaos.com/

25 OWASP AppSec Seattle 2006 25 MSF for Agile Software Development  Adapted from the Spiral / Waterfall Hybrid  Product definition, development and testing occurs in overlapping iterations  Different iterations have a different focus

26 OWASP AppSec Seattle 2006 26 An Integrated Process Making Agile Trustworthy

27 OWASP AppSec Seattle 2006 27 Project Roles  Product Manager / Customer  Program Manager / Coach  Architect  Developer  Tester  Security Adviser

28 OWASP AppSec Seattle 2006 28 Project Setup  Education & Training (include Security)  Developers  Testers  Customers  User Stories / Use Case Development  Architecture Decisions (spikes)  Agree on Threat Modeling standards for the project  STRIDE priorities  DREAD ratings

29 OWASP AppSec Seattle 2006 29 Release Planning  User Stories / Use Cases Drive…  Acceptance Test Scenarios  Estimations may affect priorities and thus the composition of the release  Inputs for Threat Modeling  Security Testing Scenarios  Determine the qualitative “risk budget”  Keep the customer involved in making risk tradeoffs  Finalize Architecture & Development Guidelines  Common Coding Standards (include security)  Crucial for collective code ownership  Conduct Initial Threat Modeling (assets & threats)  Designer’s Security Checklist

30 OWASP AppSec Seattle 2006 30 Iteration Planning  1-4 Weeks in Length (2 weeks is very common)  Begins with an Iteration Planning Meeting  User Stories are broken down into Development Tasks  Developers estimate their own tasks  Document the Attack Surface (Story Level)  Model the threats alongside the user story documentation  Crucial in documentation-light processes  Capture these and keep them –Code will tell you what decision was made, threat models will tell you why decisions were made –Crucial for “refactoring” in the face of changing security priorities  Never Slip the Date  Add or Remove Stories As Necessary

31 OWASP AppSec Seattle 2006 31 Executing an Iteration  Daily Stand-ups  Continuous Integration  Code Scanning Tools  Security Testing Tools  Adherence to Common Coding Standards and Security Guidelines  Crucial for communal code ownership  Developer’s Checklist

32 OWASP AppSec Seattle 2006 32 Closing an Iteration  Automation of Customer Acceptance Tests  Include negative testing for identified threats  Security Code Review  Some may have happened informally during pair programming

33 OWASP AppSec Seattle 2006 33 Stabilizing a Release  Schedule Defects & Vulnerabilities  Prioritize vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards  Security Push  Include traditional penetration testing

34 OWASP AppSec Seattle 2006 34 Compromises We’ve Made  Feature-focus in iterations removes some “top down” control  More documentation than is required in pure Agile development  Security coding standards  Project-specific STRIDE and DREAD standards  User story threat models

35 OWASP AppSec Seattle 2006 35 Values of an Agile and Secure Process  Communication  Simplicity  Feedback  Courage  Trustworthy

36 OWASP AppSec Seattle 2006 36 Questions Dan Cornell dan@denimgroup.com Website: www.denimgroup.comwww.denimgroup.com Blog: www.agileandsecure.comwww.agileandsecure.com

Download ppt "Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."

Similar presentations

Software Development Practices and Methodologies Svetlin Nakov Telerik Corporation www.telerik.com.

Software Development Practices and Methodologies Svetlin Nakov Telerik Corporation
Agile Software Development کاری از : مهدی هوشان استاد راهنما : استاد آدابی.

Agile Software Development کاری از : مهدی هوشان استاد راهنما : استاد آدابی.
AGILE DEVELOPMENT Outlines : Quick Look of agile development Agility

AGILE DEVELOPMENT Outlines : Quick Look of agile development Agility
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
SDLC – Beyond the Waterfall

SDLC – Beyond the Waterfall
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
A little Software Engineering: Agile Software Development C Sc 335 Rick Mercer.

A little Software Engineering: Agile Software Development C Sc 335 Rick Mercer.
Chapter 2 Modeling the Process and Life Cycle Shari L. Pfleeger

Chapter 2 Modeling the Process and Life Cycle Shari L. Pfleeger
<<replace with Customer Logo>>

<<replace with Customer Logo>>
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Agile methods and techniques– some method comparisons Dave Parsons Mark Cranshaw.

Agile methods and techniques– some method comparisons Dave Parsons Mark Cranshaw.
NAUG NAUG Knowledge Evening – 01 27 th February 2007.

NAUG NAUG Knowledge Evening – th February 2007.
 User assignments (product owner)  ‘circle’  1 st sprint: ◦ Scrum Boards (informative workspace)  Product -, release -, sprint -, defect backlog 

 User assignments (product owner)  ‘circle’  1 st sprint: ◦ Scrum Boards (informative workspace)  Product -, release -, sprint -, defect backlog 
Agile Process Models. Prescriptive models don’t work It is unrealistic to not have changes. Why? The Agile Manifesto: Individuals and interactions over.

Agile Process Models. Prescriptive models don’t work It is unrealistic to not have changes. Why? The Agile Manifesto: Individuals and interactions over.
Agile development By Sam Chamberlain. First a bit of history..

Agile development By Sam Chamberlain. First a bit of history..
Agile

Agile
Extreme Programming Collaboration in Software Development Process.

Extreme Programming Collaboration in Software Development Process.
EXtreme Programming Quick Introduction Daniel Arraes Pereira Eduardo Lourenço Apolinário Ricardo de Oliveira Cavalcanti.

EXtreme Programming Quick Introduction Daniel Arraes Pereira Eduardo Lourenço Apolinário Ricardo de Oliveira Cavalcanti.
Extreme Programming Mark Steverson. What Is Extreme Programming? ● Extreme Programming (XP) is a lightweight, agile methodology developed by Kent Beck.

Extreme Programming Mark Steverson. What Is Extreme Programming? ● Extreme Programming (XP) is a lightweight, agile methodology developed by Kent Beck.
Computer Engineering 203 R Smith Agile Development 1/2009 1 Agile Methods What are Agile Methods? – Extreme Programming is the best known example – SCRUM.

Computer Engineering 203 R Smith Agile Development 1/ Agile Methods What are Agile Methods? – Extreme Programming is the best known example – SCRUM.

Similar presentations

Ads by Google