
10 Steps To Agile Development Without Compromising Enterprise Security



Presentation on theme: "10 Steps To Agile Development Without Compromising Enterprise Security"— Presentation transcript:

1 10 Steps To Agile Development Without Compromising Enterprise Security
Author: Yair Rovek

2 Challenged by Agile
“It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks” -- extract from a blog of a very popular software provider
“The good news is that our retroactive security is very good…” -- extract from the same blog as above

3 About Me
Yair Rovek: 20+ years in the industry; 4 years in Security; leading the SDLC Program; designing security and new technologies within our products.
Contact Me! @lione_heart
Hosted by OWASP & the NYC Chapter

4 LivePerson ID: What we do?
16 years in business, SaaS from day 1. NASDAQ & TASE (LPSN). ~8500 customers, ~800 employees. SaaS platform for the creation of meaningful connections through real-time engagement. SaaS & Cloud only.
How it works? Monitor web visitors’ behavior (over 1.5 B visits each month); conduct behavioral ranking; provide the engagement platform (over 10 M chats each month).
Security is NOT optional…

5 Who are the key players?
Software Architects, Sales & Product, System Architects, R&D Scrum teams, CI environment, Artifact Production

6 Agile Framework

7 Agile Framework RETROSPECTIVE

8 Add Security to the Agile Process
Scrum Actions: Release Planning, Sprint Planning, Coding, Code Freeze, Q&A – Regression Tests, Release.
It is essential to understand that Agile comes to simplify the work and deliver working code in a timely manner. Describe the milestones for Security approval during the process (including the customer pentest). Security checkpoints map one-to-one to scrum actions. This is the whole idea behind a successful project: security is part of the process. In order to reach the next stage in scrum, you need to meet all requirements, and one of the requirements is security.

9–15 Add Security to the Agile Process (the same table is built up one security control at a time across slides 9 to 15)
Scrum Actions: Release Planning, Sprint Planning, Coding, Code Freeze, Q&A – Regression Tests, Release
Security Controls, in the order they are added: Security High-Level Design; Guide-in the teams On-Demand; ESAPI & SCA checks for each build; Automated Security Tests; External Pen-Test

16 Screening Code in 3D
Delivered Dependencies and Open Source (POM File, Open Source Policy); Developer Code (SCA); Utilities (ESAPI/AntiSamy/CSRF Guard…)

17 ESAPI Building Blocks
A Custom Enterprise Web Application built on top of the Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

18 Where Do I Put My Validation?
Application layers: User Interface, Controller, Business Functions, Data Layer. Any Interpreter: Web Service, Database, User, Mainframe, File System, Any Encoding, Etc…

19 Where Do I Put My Validation?
The same layers (User Interface, Controller, Business Functions, Data Layer, feeding Web Service, Database, User, Mainframe, File System, Any Encoding, Etc…), now with the checks marked: Specific Validate at the Controller, and Validate plus Encode For HTML where data reaches an interpreter.

20 Define Relevant Filters
API example: Define Relevant Filters

21 Automated Test Example
Integrating Automated Testing: Filter Black/White Listing; Preventing RegEx DoS and Performance Issues
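The pattern from slides 18 to 21 (specific whitelist validation at the controller, encoding only where data meets the HTML interpreter, and filters written so they cannot be driven into regex denial of service) as an added Python illustration. This is example code, not LPSAPI or ESAPI itself: the rule table, field names, and sample form are assumptions for the demonstration.

```python
import html
import re

# Per-field whitelist rules, a plain-Python analogue of an ESAPI-style
# Validator configuration (assumed shape, not ESAPI's own API). Each pattern
# uses only character classes with one bounded quantifier, so matching time is
# linear in input length: no nested quantifiers to cause catastrophic backtracking.
RULES = {
    "username": (re.compile(r"[A-Za-z0-9_.-]{1,32}"), 32),
    # Printable text plus tab/newline; other control characters are rejected.
    "chat_line": (re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,500}"), 500),
}

class ValidationError(ValueError):
    pass

def get_valid_input(context, field, value):
    """Controller-side check: reject bad input before business logic runs."""
    if field not in RULES:
        raise ValidationError(f"{context}: no rule defined for field {field!r}")
    pattern, max_len = RULES[field]
    if not isinstance(value, str):
        raise ValidationError(f"{context}: {field} is missing")
    # Length check first, so the regex never runs over unbounded input.
    if len(value) > max_len:
        raise ValidationError(f"{context}: {field} exceeds {max_len} characters")
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{context}: {field} contains disallowed characters")
    return value

def is_valid(field, value):
    try:
        get_valid_input("check", field, value)
        return True
    except ValidationError:
        return False

def encode_for_html(value):
    """Interpreter-side step: encode at the HTML boundary, not earlier."""
    return html.escape(value, quote=True)

def handle_chat_request(form):
    """Mimics a controller: validate every field, then render with encoding."""
    name = get_valid_input("chat.post", "username", form.get("username"))
    line = get_valid_input("chat.post", "chat_line", form.get("chat_line"))
    # Validation happened above; encoding happens here, where the data meets
    # the HTML interpreter (a different interpreter would need its own encoder).
    return f"<li><b>{encode_for_html(name)}</b>: {encode_for_html(line)}</li>"
```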

22 LivePerson ESAPI implementation
Live Person Security API (LPSAPI): in-house security package based on the ESAPI project. For each product: imports LPSAPI; enforces correct usage via Source Code Analysis (SCA); enforces the Open Source Policy; test your infra BB.
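Slides 16 and 22 call for screening the POM file against an open source policy and breaking the build on a violation. The following is an added Python example of such a gate (not LivePerson's tooling): the pom.xml fragment, the approved-dependency list and its minimum versions are constructed for the example.

```python
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml for this example (not a real project's build file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>chat-service</artifactId><version>1.0.0</version>
  <dependencies>
    <dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId><version>2.5.0.0</version></dependency>
    <dependency><groupId>com.example.legacy</groupId><artifactId>old-parser</artifactId><version>1.2</version></dependency>
    <dependency><groupId>net.example</groupId><artifactId>unreviewed-lib</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""

# Open source policy as an allowlist: approved groupId:artifactId with the
# minimum version the security team has reviewed. Entries are constructed.
POLICY = {
    "org.owasp.esapi:esapi": "2.5.0.0",
    "com.example.legacy:old-parser": "2.0",
}

def parse_version(v):
    """'2.5.0.0' -> (2, 5, 0, 0); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def declared_dependencies(pom_text):
    """Yields (groupId:artifactId, version) for every <dependency> element."""
    root = ET.fromstring(pom_text)
    for dep in root.iter(POM_NS + "dependency"):
        ga = f"{dep.findtext(POM_NS + 'groupId')}:{dep.findtext(POM_NS + 'artifactId')}"
        yield ga, dep.findtext(POM_NS + "version") or ""

def policy_violations(pom_text, policy=POLICY):
    """Human-readable violations; an empty list means the build may proceed."""
    out = []
    for ga, version in declared_dependencies(pom_text):
        if ga not in policy:
            out.append(f"{ga}:{version} is not on the approved open source list")
        elif parse_version(version) < parse_version(policy[ga]):
            out.append(f"{ga}:{version} is below approved minimum {policy[ga]}")
    return out

def should_break_build(pom_text, policy=POLICY):
    """CI step: any violation fails the build, matching the break-the-build rule."""
    return len(policy_violations(pom_text, policy)) > 0
```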

23 CI environment
Develop Code → Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests); then Publish to release repository, Deploy to Test Env, Deploy to Production, Report & Notify.

24 Security in CI environment
The same pipeline (Develop Code → Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests); Publish to release repository, Deploy to Test Env, Deploy to Production, Report & Notify), with SCA, Dynamic and OS checks added after the Maven build.

25 One Dashboard
Results are integrated within TeamCity.

26 Dive into the results
Results are integrated within TeamCity. The developer has all the required info; no need to involve the Security Team.

27 10 Best Practices for Secure Agile Development

28 Key Success Factors
Identify the process within R&D and set a plan to become part of it. Set a Security Package API to be consumed with each code (ESAPI, AntiSamy, CSRF Guard). Screen and enforce your policy on your code, Open Source and platform. Use automation to collaborate with the security dynamic test. Allow customers to run a pen test and work as a community to succeed.

29 Key Success Factors
Engage tech leaders as security champions by showing them the value. Train developers on a regular basis. Create a knowledge base and discussions around security. Break the build for any “High” or “Medium” findings. Start small but think big.

30 Never ending story …

31 Q&A Contact Me! @lione_heart

