Post on 13-Jan-2017
Navigating Agile automotive software development
June 24, 2015
Presenters
Jeff Hildreth, Automotive Account Manager, Rogue Wave Software
Ahmed Abdelrahman, Release Engineer, Rogue Wave Software
John Chapman, Solutions Architect, Rogue Wave Software
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
Agenda
• A holistic approach to cybersecurity
• Blending DevOps and Agile for security
• How to implement a Jenkins CI system
• Examples of security defects
• Q&A
A holistic approach to cybersecurity
Information overload: develop an adaptive threat model
[Diagram: external data and an internal threat metric feed the threat model, which drives action]
Threat model
Most breaches result from input trust issues
Threat modeling identifies, quantifies, and addresses security risks by:
1. Understanding the application and environment
2. Identifying and prioritizing threats
3. Determining mitigation actions
Process: identify assets → system overview → decompose application → identify threats → prioritize threats
Security overload
• Media: news, blogs, social media, conferences
• Standards and legislation: security standards (OWASP, CWE, CERT, etc.), Senator Markey report
• Research: NVD, White Hat, Black Hat
• Requirements: OEMs, internal
More and more software running inside your car
Developers don’t know security (80% failed security knowledge survey)
Developing a threat metric
Build score
• Automated and functional testing can give you a pass/fail metric on every run of the test suite
• A metric can be generated from penetration testing based on the number of exploitable paths in your code base
• Software quality tools can give you a count of critical static analysis and compiler warnings
• A metric can be developed based on the presence of previously undetected snippets of open source code, or of open source components with newly known vulnerabilities
• All of these metrics can be generated on every build of your software
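As an added illustration (not code from the presentation or from Rogue Wave), the script below combines the feeds listed above into one per-build threat metric and a gate decision that also tracks the previous build; the weights, field names and sample counts are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class BuildFindings:
    """Counts one CI build collects from its tools (constructed sample data, not real results)."""
    tests_total: int
    tests_failed: int
    critical_sast: int       # critical static-analysis findings
    compiler_warnings: int
    exploitable_paths: int   # exploitable paths from the most recent penetration test
    new_oss_snippets: int    # open source snippets not seen in earlier scans
    vulnerable_oss: int      # open source components with newly published vulnerabilities

# Hypothetical severity weights (points per finding); a team would tune these.
WEIGHTS = {"tests_failed": 5, "critical_sast": 10, "compiler_warnings": 1,
           "exploitable_paths": 25, "new_oss_snippets": 3, "vulnerable_oss": 15}

def threat_metric(f: BuildFindings) -> int:
    """Weighted sum over all feeds; 0 means every feed is clean, higher is worse."""
    if f.tests_total <= 0:
        raise ValueError("a build that ran no tests has no pass/fail metric")
    return sum(getattr(f, name) * weight for name, weight in WEIGHTS.items())

def gate(current: BuildFindings, previous: Optional[BuildFindings] = None,
         max_score: int = 30) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Hard blockers fail the build outright; otherwise the
    score must stay within max_score and must not rise against the previous build."""
    reasons = []
    if current.tests_failed:
        reasons.append(f"{current.tests_failed}/{current.tests_total} tests failed")
    if current.exploitable_paths:
        reasons.append(f"{current.exploitable_paths} exploitable path(s) still open")
    if current.vulnerable_oss:
        reasons.append(f"{current.vulnerable_oss} open source component(s) with new vulnerabilities")
    score = threat_metric(current)
    if score > max_score:
        reasons.append(f"threat metric {score} exceeds limit {max_score}")
    if previous is not None and score > threat_metric(previous):
        reasons.append(f"threat metric rose from {threat_metric(previous)} to {score}")
    return not reasons, reasons

# Constructed sample builds: build 2 pulls in a component with a freshly published vulnerability.
BUILD_1 = BuildFindings(120, 0, 2, 7, 0, 1, 0)
BUILD_2 = BuildFindings(120, 0, 2, 9, 0, 1, 1)
if __name__ == "__main__":
    for label, cur, prev in (("build 1", BUILD_1, None), ("build 2", BUILD_2, BUILD_1)):
        ok, why = gate(cur, prev)
        print(label, "score", threat_metric(cur), "PASS" if ok else "FAIL", why)
```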
DevOps & Agile for security
Agile development: Integrated security
[Diagram: adaptive cycle of Sprint 1, Sprint 2 … Sprint n, each followed by Integrate and Test; Review and Feedback decide Accept? (No: Change, Adjust and Track, Next Iteration; Yes: Release to Market)]
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet Agile needs
DevOps SDLC
[Diagram: Continuous Integration pipeline with a metric at each SDLC step: Idea, Understand Needs, Invent Solution, Develop, Build, Commit, Functional testing, Performance/load/security, UAT/exploratory testing, Release, Deploy]
Jenkins CI
Security example
Load, Performance, Security … Testing phase
Develop, commit & build
Conclusions
• The application security world is fluid: create concrete, actionable strategies (Threat Metric, analysis & scanning)
• Delivery cycles are short: update regularly with a well-defined process (Agile, CI)
See us in action:
www.roguewave.com
Jeff Hildreth | jeff.hildreth@roguewave.com
Q&A