Presentation is loading. Please wait.

Presentation is loading. Please wait.

August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity."— Presentation transcript:

1 August 1, 2006 XP Security

2 August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity SECURITY GOALS Prevention Detection Authentication Integrity Availability Privacy

3 August 1, 2006 Security Design Principles 1.Least Privilege 2.Fail-Safe Defaults 3.Economy of Mechanism 4.Complete Mediation 5.Open Design 6.Separation of Privilege 7.Least Common Mechanism 8.Psychological Acceptability

4 August 1, 2006 SDLC Artifacts

5 August 1, 2006 User Stories Security needs to be included in development –Constraints –User Stories modeled after Abuse Cases Security needs to be included in completion –Unit tests pass + customer sign off –Static analysis scans clean + risk analysis update.

6 August 1, 2006 Security Refactoring Software security through refactoring –Replace Insecure API –Add Input Validation –Single Point of Validation Use one iteration for security refactoring –Construct security stories to support goals.

7 August 1, 2006 Security Tests First Design security tests with unit tests –“Unit hacks” –Fuzz tests Need security knowledge to construct tests –Attackers head immediately for edge cases. –Attack patterns, working with security experts. –Do developers know enough about testing? –Do developers know enough about security?

8 August 1, 2006 Test Driven Design Coding to tests works well for features. –But security isn’t a feature. –Two features that are secure apart may be insecure when combined. Acceptance tests –Customer may not have security knowledge necessary to evaluate product security. Undocumented assumptions –Code is too low level to express design assumptions –Data flow between components

9 August 1, 2006 Pair Programming Security training –Pair with a security expert to learn software security. Security code reviews –Use a static analysis tool before checking in code.

10 August 1, 2006 References 1.Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison- Wesley, 2004. 2.Gary McGraw, “XP and Software Security?!”, XP Universe, 2003. 3.Gary McGraw, Software Security, Addison-Wesley, 2006. 4.Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006. 5.OWASP, The OWASP Top 10 Project, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2006. http://www.owasp.org/index.php/OWASP_Top_Ten_Project 6.OWASP, The OWASP Guide to Building Secure Web Applications, http://www.owasp.org/index.php/OWASP_Guide_Project, 2006. http://www.owasp.org/index.php/OWASP_Guide_Project 7.Paul Saitta, Brenda Larcom, and Michael Eddington, “Trike v.1 Methodology Document [draft],” http://dymaxion.org/trike/, 2005.http://dymaxion.org/trike/ 8.Joel Scambray, Mike Shema, and Caleb Sima, Hacking Web Applications Exposed, 2 nd edition, Addison-Wesley, 2006. 9.Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004. 10.John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. 11.VISA, Payment Card Industry Data Security Standard (PCI-DSS), http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_D ata_Security_Standard.pdf

Download ppt "August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
September 2008Mike Woodard Rational Unified Process Key Concepts Mike Woodard.

September 2008Mike Woodard Rational Unified Process Key Concepts Mike Woodard.
Extreme Programming Alexander Kanavin Lappeenranta University of Technology.

Extreme Programming Alexander Kanavin Lappeenranta University of Technology.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Risk Analysis James Walden Northern Kentucky University.

Risk Analysis James Walden Northern Kentucky University.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright 2012 Ethicsoft Technologies.1 Introduction to Agile Model Driven Development (AMDD)

Copyright 2012 Ethicsoft Technologies.1 Introduction to Agile Model Driven Development (AMDD)
Copyright 2001-2005 Scott W. Ambler1 Introduction to Agile Model Driven Development (AMDD) Scott W. Ambler Senior Consultant, Ambysoft Inc. www.ambysoft.com/scottAmbler.html.

Copyright Scott W. Ambler1 Introduction to Agile Model Driven Development (AMDD) Scott W. Ambler Senior Consultant, Ambysoft Inc.
CSCE 522 Building Secure Software. CSCE 548 - Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5 Guiding Principles for Software Security.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Threat Modeling for Hostile Client Systems Avni Rambhia.

Threat Modeling for Hostile Client Systems Avni Rambhia.
Left overs. Agenda 9. Sept Leftovers PM –Methodologies –Models in system development XPM Project Group establishment (45 min) Introduction to requirement.

Left overs. Agenda 9. Sept Leftovers PM –Methodologies –Models in system development XPM Project Group establishment (45 min) Introduction to requirement.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University.

Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University.

Similar presentations

Ads by Google