navigating agile automotive software development

Post on 13-Jan-2017


TRANSCRIPT

Navigating Agile automotive software development

June 24, 2015

Presenters

Jeff Hildreth, Automotive Account Manager, Rogue Wave Software

Ahmed Abdelrahman, Release Engineer, Rogue Wave Software

John Chapman, Solutions Architect, Rogue Wave Software

© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED

Agenda

• A holistic approach to cybersecurity

• Blending DevOps and Agile for security

• How to implement a Jenkins CI system

• Examples of security defects

• Q&A

A holistic approach to cybersecurity

Information overload: develop an adaptive threat model

(Diagram labels: Threat Model, External Data, Internal Threat Metric, Action)


Threat model

Most breaches result from input trust issues

Threat modeling identifies, quantifies, and addresses security risks by:

1. Understanding the application & environment

2. Identifying & prioritizing threats

3. Determining mitigation actions

Identify assets

System overview

Decompose application

Identify threats

Prioritize threats
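The five steps above can be made mechanical. The following is an added example (not from the webinar and not Rogue Wave code) that models a decomposed system as components with trust levels and data flows, then identifies and prioritizes threats by the slide's own criterion: untrusted input reaching a valuable asset without crossing a validated boundary. The vehicle components, trust levels, asset values and the priority formula are assumptions chosen for illustration.

```python
"""Threat model as data for the slide's five steps (identify assets, system
overview, decompose application, identify threats, prioritize threats).
Added example, not Rogue Wave code. The components, trust levels, asset
values and the priority formula are assumptions for illustration."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Step 1: identify assets and how much losing each one would hurt (assumed 1-5 scale).
ASSET_VALUE: Dict[str, int] = {"vehicle control": 5, "driver PII": 3}


@dataclass(frozen=True)
class Component:
    """Steps 2/3: a node of the decomposed system. trust 0 = fully untrusted (external)."""
    name: str
    trust: int
    assets: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Flow:
    """A data flow between components. `validated` means the receiver checks the
    input at this boundary, so untrusted data does not propagate past it."""
    src: str
    dst: str
    data: str
    validated: bool


@dataclass(frozen=True)
class Threat:
    entry: str               # untrusted component where the data originates
    path: Tuple[str, ...]    # hops the unvalidated data takes
    assets: Tuple[str, ...]  # assets held by the component at the end of the path
    priority: int            # sum of asset values reached (assumed scoring)


# Constructed sample system: a simplified vehicle network, not a real product.
COMPONENTS: List[Component] = [
    Component("cellular modem", trust=0),
    Component("OBD-II port", trust=0),
    Component("infotainment head unit", trust=1, assets=("driver PII",)),
    Component("central gateway", trust=2),
    Component("engine ECU", trust=3, assets=("vehicle control",)),
]

FLOWS: List[Flow] = [
    Flow("cellular modem", "infotainment head unit", "telematics messages", validated=False),
    Flow("infotainment head unit", "central gateway", "CAN frames", validated=True),
    Flow("OBD-II port", "central gateway", "diagnostic frames", validated=False),
    Flow("central gateway", "engine ECU", "CAN frames", validated=False),
]


def identify_threats(components: List[Component], flows: List[Flow]) -> List[Threat]:
    """Steps 4/5: find every asset-holding component that untrusted input can reach
    without crossing a validated boundary, and rank the findings by asset value.
    This encodes the slide's point that most breaches are input-trust issues."""
    by_name = {c.name: c for c in components}
    unvalidated_out: Dict[str, List[str]] = {}
    for f in flows:
        if not f.validated:
            unvalidated_out.setdefault(f.src, []).append(f.dst)

    threats: List[Threat] = []
    for entry in components:
        if entry.trust != 0:
            continue
        # Breadth-first walk over unvalidated flows; a validated flow stops the walk.
        seen = {entry.name}
        queue = deque([(entry.name, (entry.name,))])
        while queue:
            node, path = queue.popleft()
            for nxt in unvalidated_out.get(node, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                hop_path = path + (nxt,)
                target = by_name[nxt]
                if target.assets:
                    priority = sum(ASSET_VALUE[a] for a in target.assets)
                    threats.append(Threat(entry.name, hop_path, target.assets, priority))
                queue.append((nxt, hop_path))
    return sorted(threats, key=lambda t: (-t.priority, t.path))


def mitigation(threat: Threat) -> str:
    """Mitigation step (assumed heuristic): validate at the first hop out of the
    untrusted component, which cuts the whole path at once."""
    return f"validate input on flow {threat.path[0]} -> {threat.path[1]}"


if __name__ == "__main__":
    for t in identify_threats(COMPONENTS, FLOWS):
        print(f"[P{t.priority}] {' -> '.join(t.path)} exposes {', '.join(t.assets)}; {mitigation(t)}")
```

The validated flow from the head unit into the gateway is what keeps the modem path away from the engine ECU; flipping any `validated` flag and re-running shows how a single missing input check changes the ranked threat list, which is the "adaptive" behaviour the slides ask for.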


Security overload

Media: news, blogs, social media, conferences

Standards and legislation: security standards (OWASP, CWE, CERT, etc.), Senator Markey report

Research: NVD, White Hat, Black Hat

Requirements: OEMs, internal

More and more software running inside your car

Developers don’t know security (80% failed security knowledge survey)


Developing a threat metric


Build score

• Automated and functional testing can give you a pass/fail metric on every run of the test suite

• A metric can be generated from penetration testing based on the number of exploitable paths in your code base

• Software quality tools can give you a count of critical static analysis and compiler warnings

• A metric can be developed from open source composition scanning: snippets of open source code not previously detected, or open source components with newly published known vulnerabilities

• All of these metrics can be generated on every build of your software
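To make the build score concrete, here is an added example (not from the webinar and not Rogue Wave code) that takes the four signals listed above as they would come out of a CI job, folds them into a single penalty score per build, and gates the build on it. The artefact formats, the penalty weights, the sample data and the gate rules are all assumptions for illustration; a real pipeline would feed in its own tool outputs.

```python
"""Per-build security metric ("build score") assembled from the four signals
on the slide. Added example, not Rogue Wave code: the artefact formats, the
penalty weights, the sample data and the gate rules are assumptions."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# ---- Constructed sample artefacts, standing in for what a CI job would collect ----

# Automated/functional tests: JUnit-style XML (constructed).
JUNIT_XML = """<testsuite name="gateway-fw" tests="4" failures="1" errors="0">
  <testcase classname="can" name="parse_frame_ok"/>
  <testcase classname="can" name="reject_oversized_frame"><failure message="assertion failed"/></testcase>
  <testcase classname="uds" name="session_timeout"/>
  <testcase classname="uds" name="seed_key_rate_limit"/>
</testsuite>"""

# Penetration test report: one record per finding (constructed; format assumed).
PENTEST_JSON = json.dumps({"findings": [
    {"id": "F-1", "exploitable": True, "note": "constructed finding"},
    {"id": "F-2", "exploitable": False, "note": "constructed finding"},
]})

# Static analysis output, one "severity: location message" line per issue (constructed).
STATIC_ANALYSIS = """critical: src/can.c:42 possible out-of-bounds write
warning: src/can.c:57 unused variable
critical: src/uds.c:118 return value not checked
warning: src/uds.c:130 implicit conversion
"""

# Open source inventory from a composition scanner (constructed; format assumed).
OSS_INVENTORY = [
    {"component": "compression lib", "version": "1.0", "known_vulns": 2, "first_seen_this_build": False},
    {"component": "json parser", "version": "2.3", "known_vulns": 0, "first_seen_this_build": True},
    {"component": "crypto lib", "version": "4.1", "known_vulns": 0, "first_seen_this_build": False},
]


@dataclass(frozen=True)
class BuildMetrics:
    tests_total: int
    tests_failed: int
    exploitable_paths: int
    critical_warnings: int
    vulnerable_components: int
    new_snippets: int

    def score(self) -> int:
        """Penalty points, 0 = clean. Weights are an assumption; exploitable paths
        dominate because they are proven rather than suspected defects."""
        return (10 * self.tests_failed
                + 50 * self.exploitable_paths
                + 5 * self.critical_warnings
                + 20 * self.vulnerable_components
                + 10 * self.new_snippets)


def count_tests(junit_xml: str) -> Tuple[int, int]:
    """Return (total, failed) from JUnit XML; a failure or error child marks a failed case."""
    root = ET.fromstring(junit_xml)
    total = failed = 0
    for case in root.iter("testcase"):
        total += 1
        if case.find("failure") is not None or case.find("error") is not None:
            failed += 1
    return total, failed


def count_exploitable(pentest_json: str) -> int:
    return sum(1 for f in json.loads(pentest_json)["findings"] if f.get("exploitable"))


def count_critical(report: str) -> int:
    return sum(1 for line in report.splitlines() if line.startswith("critical:"))


def count_oss(inventory: Iterable[dict]) -> Tuple[int, int]:
    """Return (components with known vulns, components first detected in this build)."""
    inv = list(inventory)
    vulnerable = sum(1 for c in inv if c["known_vulns"] > 0)
    new_snippets = sum(1 for c in inv if c["first_seen_this_build"])
    return vulnerable, new_snippets


def collect(junit_xml: str, pentest_json: str, sa_report: str, inventory: Iterable[dict]) -> BuildMetrics:
    total, failed = count_tests(junit_xml)
    vulnerable, new = count_oss(inventory)
    return BuildMetrics(total, failed, count_exploitable(pentest_json),
                        count_critical(sa_report), vulnerable, new)


def gate(current: BuildMetrics, previous_score: Optional[int]) -> Tuple[bool, List[str]]:
    """Decide whether the build may proceed. Rules (assumed): any exploitable path
    blocks outright; otherwise the score must not regress against the last build."""
    reasons: List[str] = []
    if current.exploitable_paths:
        reasons.append(f"{current.exploitable_paths} exploitable path(s) reported by penetration test")
    if previous_score is not None and current.score() > previous_score:
        reasons.append(f"security score regressed from {previous_score} to {current.score()}")
    return not reasons, reasons


if __name__ == "__main__":
    m = collect(JUNIT_XML, PENTEST_JSON, STATIC_ANALYSIS, OSS_INVENTORY)
    ok, why = gate(m, previous_score=35)
    print(m, "score", m.score(), "pass" if ok else "FAIL: " + "; ".join(why))
```

Each CI run calls `collect` on that build's artefacts and `gate` against the previous build's stored score, so the metric is recomputed on every commit as the slide asks, and a regression is caught at the build rather than at a later audit.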

DevOps & Agile for security

Agile development: Integrated security


Adaptive: Sprint 1, Sprint 2, … Sprint n, each ending with “Integrate and Test”, then Release

Accept? No: change, then adjust and track. Yes: release to market

Feedback and review feed the next iteration

Multiple testing points

Rapid feedback required

“Outside” testing does not meet Agile needs

DevOps SDLC

Continuous Integration (diagram): Idea, Understand Needs, Invent Solution, Develop, Build, Commit, Functional testing, Performance/load/security testing, UAT/exploratory testing, Release, Deploy; the slide tracks an “SDLC Step” row and a “Metric” row across these stages

Jenkins CI

Security example


Load, Performance, Security, … Testing phase

Develop, commit & build


Conclusions


The application security world is fluid: create concrete, actionable strategies (threat metric, analysis & scanning)

Delivery cycles are short: update regularly with a well-defined process (Agile, CI)

See us in action:

www.roguewave.com

Jeff Hildreth | jeff.hildreth@roguewave.com

Q&A
