application security in an agile world - agile singapore 2016

Application Security In an Agile World

Upload: stefan-streichsbier

Post on 06-Jan-2017


TRANSCRIPT

Application Security In an Agile World

Stefan Streichsbier, CTO at Vantage Point. Twitter: @s_streichsbier

A brief history of AppSec

✤ Let’s start with what it is not:

• Firewalls, secure network protocols,

• Antivirus and Phishing attacks

• Intrusion Detection

• SOCs, ...

What is AppSec?

Firewall is locked down tight, ...only 443 is open…

✤ Application Security is:

• A quality aspect of your application

• And contributes to the business success the same way UX Design, Usability and Performance do.

• In other words: is my application being used only in the way it is intended to be used?

What is AppSec?

✤ Security was traditionally in the hands of Network folks

• Suddenly, they became responsible for applications...

• ... and applied the same audit-like principles.

Why AppSec == Pain?

✤ Things slowly evolved

• From performing “Penetration Tests” once a year

• To doing a Pentest for every release (a few times a year)

Pentest to the rescue

Great, we all love Pentests, right?

Pentesters after turning a report in...

Security

Meanwhile outside the security camp...

[Chart: The frequency of releases over time (releases per app per year), 2005 to 2020, y-axis 0 to 140, going from Waterfall towards CD. The frequency increased.]


So many releases?!

Security

DevOps


Agile + DevOps + Security = DevSecOps

Step 1: Security as part of Agile

[Diagram: SCRUM sprint cycle. Product Backlog, Sprint Backlog, a 1-4 week sprint with a 24-hour daily cycle of Plan, Design, Develop, Test; output: Shippable Increment.]

Let’s look at SCRUM

Start with understanding the process

✤ No more pdf/doc/xls!

✤ Security uses the same language as the dev team.

✤ Security as part of existing environments/workflows.

✤ Security work is completed in-cycle.

✤ Not all apps have the same security requirements.

Some general hygiene

[Chart: Relative cost to fix, based on time of detection (Source: NIST). Phases: Requirements/Design, Coding, Integration Testing, Acceptance Testing, Production; Relative Cost scale 0x to 35x. Penetration Testing is marked on the chart.]

[Diagram: the same SCRUM sprint cycle (Product Backlog, Sprint Backlog, 1-4 week sprint, 24-hour daily cycle of Plan, Design, Develop, Test, Shippable Increment), with the security activities below overlaid on it.]

Secure SCRUM

Security Training

Security Requirements

Security Activities

Threat Modelling

Design Review

Pairing

Manual Security Tests

Automatic Security Tests

Security Feature Demo

Security Retrospective

Security Acceptance Criteria

(Security) Training

Are all security requirements non-functional?

✤ Functional security requirements are related to:

• Authentication & Access Control

• Data Integrity

• Wrong password lockouts

✤ Non-functional requirements are related to:

• Password policies

• Characteristics of audit logs

• Backups

Functional vs Non-Functional

• It all starts with the backlog, and security is a part of this:

1. As an anonymous user I want to see the entire book selection, ...

2. As a logged-in user I want to see my entire purchase history, ...

3. As a customer I want to ensure my privacy when using a public wifi, ...

(Security) Requirements

- User Story and its acceptance criteria are unrelated to security

- User Story and its acceptance criteria are security sensitive [tagged]

- “One-off” (Security) User story [tagged]

✤ Architecture & Design Review & Threat Modelling: think like a hacker

✤ Design Guidelines are invaluable. Use existing design patterns

✤ Helps to reduce the ongoing amount of work

Secure by Design

✤ Assorted Secure Coding Guidelines in the repo

✤ Pairing for more complex stories

✤ Pull requests for security relevant stories are reviewed - Code reviews are important (especially for increased speed).

Secure Coding

99% of unit tests passed

✤ Code coverage is a key aspect of quality. 100% is just the beginning

✤ Security related acceptance criteria make a difference, both for manual and automated tests

✤ The more that is automated the better

Security Unit Tests

✤ Open source projects can help: Gauntlt, BDD-Security

Security Unit Tests
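As an added example that is not from the talk (and not code from Gauntlt or BDD-Security), here is what it looks like to turn the functional and non-functional requirements listed earlier (wrong-password lockouts, password policies) into automated security acceptance tests. The AuthService, its thresholds (5 attempts, 15 minutes, 12-character policy), the hashing parameters and the test accounts are all constructed for illustration and are assumptions, not values from the slides.

```python
"""Added example (not from the talk): security acceptance criteria as automated tests."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed acceptance criteria (assumed values, not from the slides):
MAX_FAILED_ATTEMPTS = 5          # functional: lock the account after 5 wrong passwords
LOCKOUT_SECONDS = 15 * 60        # functional: the lockout lasts 15 minutes
# non-functional: password policy, at least 12 chars with upper, lower and a digit
PASSWORD_POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{12,}$")


class PolicyViolation(ValueError):
    """Raised when a password does not satisfy PASSWORD_POLICY."""


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with an illustrative (deliberately low) iteration count to keep tests fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class AuthService:
    """Hypothetical auth service implementing the two criteria above."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    clock: Callable[[], float] = time.time   # injectable so tests need not sleep

    def register(self, user: str, password: str) -> None:
        if not PASSWORD_POLICY.match(password):
            raise PolicyViolation("password does not meet policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"                  # same answer as for a wrong password
        now = self.clock()
        if now < acct.locked_until:
            return "locked"                  # even a correct password is refused
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0         # a success resets the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "denied"


class FakeClock:
    """Constructed test clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def acceptance_checks() -> Dict[str, bool]:
    """Each key is one security acceptance criterion; True means it holds."""
    clock = FakeClock()
    svc = AuthService(clock=clock)
    good = "Correct-Horse-Battery-9"
    svc.register("alice", good)
    results: Dict[str, bool] = {}
    # Non-functional: the password policy is enforced at registration.
    try:
        svc.register("bob", "password")
        results["policy_rejects_weak_password"] = False
    except PolicyViolation:
        results["policy_rejects_weak_password"] = True
    # Functional: N wrong passwords lock the account, even for the right password.
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    results["locked_after_max_failures"] = svc.login("alice", good) == "locked"
    # Functional: the lockout expires after LOCKOUT_SECONDS.
    clock.advance(LOCKOUT_SECONDS + 1)
    results["unlocked_after_timeout"] = svc.login("alice", good) == "ok"
    # Functional: a successful login resets the failure counter.
    for _ in range(MAX_FAILED_ATTEMPTS - 1):
        svc.login("alice", "wrong")
    svc.login("alice", good)
    svc.login("alice", "wrong")
    results["counter_resets_on_success"] = svc.login("alice", good) == "ok"
    return results


if __name__ == "__main__":
    for criterion, holds in acceptance_checks().items():
        print(f"{criterion}: {'PASS' if holds else 'FAIL'}")
```

Each check maps one-to-one to a sentence a product owner can read in the story's acceptance criteria, which is what lets the security work be completed in-cycle and verified on every build rather than once a year by a pentest. The injectable clock is what makes the timeout criterion testable in milliseconds.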

✤ Continue demonstrating the new attributes/features and their impact on users

✤ What were the security considerations for this new feature?

✤ In the retrospective, share those lessons learned

Sprint Review & Retro

Is security hard?

[Chart: Security Debt Burndown, January to November, scale 0 to 120. Series: % Remaining Security work; % App Robustness, Security Skills.]

Security Debt Burndown

Step 2: DevSecOps

Vulnerability Repository

• Security Unit Tests

• SAST

• SCA

• DAST

• IAST

• VA

• Security as Code

• RASP

• NG WAF

• Red Team

• GOPT

• Actual Attackers

• Sec Requirements

• Design Review

• Threat Modelling

AppSec Pipeline
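The slide lists the pipeline stages and a Vulnerability Repository that they feed. As an added example (not from the talk, and not any particular tool's format), the following Python shows the "security as code" glue that such a repository needs: findings from two stages (SAST and DAST, as constructed sample output in a tool-neutral JSON shape) are normalised to one record type with a stable fingerprint, merged into the repository, closed out when they stop appearing, reopened on regression, and the build is gated only on open findings at or above a severity threshold, so that a risk-accepted finding does not break every subsequent build. The severity ranking, fingerprint scheme and sample findings are assumptions.

```python
"""Added example (not from the talk): a minimal vulnerability repository and build gate."""
import hashlib
import json
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output from two pipeline stages (not real tool output).
SAST_OUTPUT = json.dumps([
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "high"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "severity": "medium"},
])
DAST_OUTPUT = json.dumps([
    {"check": "missing-hsts", "url": "https://example.test/", "severity": "low"},
    {"check": "sqli", "url": "https://example.test/orders?id=", "severity": "high"},
])

Finding = Dict[str, str]
Repository = Dict[str, Finding]   # fingerprint -> finding record with a status


def normalise(stage: str, raw: str) -> List[Finding]:
    """Convert one stage's JSON into a common shape with a stable fingerprint."""
    findings = []
    for item in json.loads(raw):
        if stage == "sast":
            title, location = item["rule"], f"{item['file']}:{item['line']}"
        elif stage == "dast":
            title, location = item["check"], item["url"]
        else:
            raise ValueError(f"unknown stage {stage}")
        # Assumed fingerprint scheme: stage, finding type and location.
        fp = hashlib.sha256(f"{stage}|{title}|{location}".encode()).hexdigest()[:16]
        findings.append({"id": fp, "stage": stage, "title": title,
                         "location": location, "severity": item["severity"].lower()})
    return findings


def ingest(repo: Repository, findings: Iterable[Finding]) -> Set[str]:
    """Upsert one stage's findings; returns the fingerprints seen in this run."""
    seen = set()
    for f in findings:
        seen.add(f["id"])
        existing = repo.get(f["id"])
        if existing is None:
            repo[f["id"]] = dict(f, status="open")
        elif existing["status"] == "resolved":
            existing["status"] = "open"        # regression: the finding came back
        # "open" stays open, "accepted" stays accepted
    return seen


def accept_risk(repo: Repository, finding_id: str, reason: str) -> None:
    """Record a risk acceptance so the gate no longer blocks on this finding."""
    repo[finding_id]["status"] = "accepted"
    repo[finding_id]["reason"] = reason


def run_pipeline(repo: Repository, stage_outputs: List[Tuple[str, str]],
                 threshold: str = "high") -> dict:
    """Ingest every stage that ran, then gate the build on open findings."""
    seen: Set[str] = set()
    ran = {stage for stage, _ in stage_outputs}
    for stage, raw in stage_outputs:
        seen |= ingest(repo, normalise(stage, raw))
    # Open findings from a stage that ran but did not report them are resolved.
    # Findings from stages that did not run this time are left untouched.
    for fid, f in repo.items():
        if f["status"] == "open" and f["stage"] in ran and fid not in seen:
            f["status"] = "resolved"
    blocking = sorted(f["title"] for f in repo.values()
                      if f["status"] == "open"
                      and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold])
    return {"passed": not blocking, "blocking": blocking}


if __name__ == "__main__":
    repo: Repository = {}
    print(run_pipeline(repo, [("sast", SAST_OUTPUT), ("dast", DAST_OUTPUT)]))
```

Two design points matter in practice. First, the gate reads the repository, not the raw tool output, so triage decisions (risk acceptance, false-positive marking) are made once and persist across builds instead of being re-argued on every run. Second, resolution is scoped to stages that actually ran: if DAST is skipped for a hotfix build, its open findings are not silently closed. A fingerprint that includes a line number, as assumed here, is fragile under refactoring; real repositories usually hash the rule plus a normalised code snippet instead.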

Instead of this ...

...Let’s do this...

Announcements: DevSecCon Asia 2017

✤ Start with embedding your friendly AppSec guy

✤ Transfer knowledge, find a security champion

✤ Step back and advise

✤ Iterate continuously, don’t go for big bang

✤ Keep adding automation

✤ Churn out awesome (& secure) releases at the speed of DevOps

From Zero to Hero

[email protected]

@s_streichsbier

Stefan Streichsbier

https://devsecopssg.herokuapp.com

Questions?

References

• https://www.infoq.com/presentations/Facebook-Moving-Fast-at-Scale

• Jeff Williams, 2013 AppSec USA: https://www.youtube.com/watch?v=cIvOth0fxmI&t=377

• http://blog.diniscruz.com

• https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

• http://www.slideshare.net/SeniorStoryteller/amy-demartine-7-habits-of-rugged-devops