Agile and Secure: Can we do both?
OWASP
Jerry Hoff, AntiSamy .NET project lead, Aspect Security
[email protected]
Oct 30, 2009
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
Quick Security Overview
http://example.com/search?q=Alessandra+Ambrosio
You searched for Alessandra Ambrosio …
OWASP Brazil 2009
Quick Security Overview: XSS
http://example.com/search?q=/*evil*/
You searched for /*evil*/ …
Quick Security Overview
Quick Security Overview: CSRF
Quick Security Overview
http://example.com/viewStatement?custid=123153
Quick Security Overview: Access Control
http://example.com/viewStatement?custid=123154
SELECT * FROM statements WHERE CustomerID=123154
Quick Security Overview: SQL Injection
http://example.com/viewStatement?custid=1; DROP TABLE statements;
SELECT * FROM statements WHERE CustomerID=1; DROP TABLE statements;
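The two viewStatement slides above, as an added example that is not from the deck: a Python/sqlite3 sketch of the concatenated query beside a version that validates the id, enforces ownership, and binds the value as a parameter. The sample table, the customer id held in the session, and the use of executescript to stand in for a driver that accepts stacked statements are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data (not from the deck): one statement per customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (CustomerID INTEGER, Balance REAL)")
    conn.executemany("INSERT INTO statements VALUES (?, ?)",
                     [(123153, 10.0), (123154, 20.0)])
    conn.commit()
    return conn

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None

def view_statement_vulnerable(conn, custid):
    """The slide's pattern: the URL parameter is pasted into the SQL text and nothing
    ties the requested id to the logged-in customer. executescript stands in for a
    driver that accepts stacked statements (assumption), so the slide's trailing
    '; DROP TABLE statements;' really runs."""
    sql = "SELECT * FROM statements WHERE CustomerID=" + custid + ";"
    conn.executescript(sql)

def view_statement_hardened(conn, session_custid, custid_param):
    """Returns (status, rows): validates the input, enforces ownership, then binds
    the value as a parameter so it can never become SQL syntax."""
    if not custid_param.isdigit():            # "1; DROP TABLE statements" stops here
        return ("invalid", None)
    custid = int(custid_param)
    if custid != session_custid:              # custid=123154 from customer 123153 stops here
        return ("forbidden", None)
    rows = conn.execute("SELECT CustomerID, Balance FROM statements WHERE CustomerID = ?",
                        (custid,)).fetchall()
    return ("ok", rows)

def run_demo():
    """Replays the slides' two requests against each implementation."""
    results = {}
    conn = make_db()
    view_statement_vulnerable(conn, "1; DROP TABLE statements")
    results["vulnerable_table_survives"] = table_exists(conn, "statements")
    conn = make_db()
    results["hardened_injection"] = view_statement_hardened(conn, 123153, "1; DROP TABLE statements")
    results["hardened_table_survives"] = table_exists(conn, "statements")
    results["hardened_other_customer"] = view_statement_hardened(conn, 123153, "123154")
    results["hardened_own_statement"] = view_statement_hardened(conn, 123153, "123153")
    return results
```

Calling run_demo() shows the table gone after the vulnerable call and intact after the hardened one, with the cross-customer request refused.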
Agenda
• About Us
• Waterfall Process Background
• Agile Process Background
• Leveraging Agile Characteristics
• Accounting for Agile Traits
• Putting It All Together
Traditional Waterfall Process
Requirements → Design → Implementation → Verification → Maintenance
Security in the Waterfall Process
Requirements
• Security Requirements
Design
• Security Architecture Review
Implementation
• Secure Code Review
Verification
• Application Vulnerability Testing
Maintenance
• External Application Security Testing

Advantages:
– Well understood process
– Leverages subject matter experts to identify security concerns

Disadvantages:
– Findings from early security reviews are often ignored as “theoretical”
– Costly to go backwards in the development timeline
Agile Process
Begin Iteration #N → Choose User Stories → Implement Stories → Unit Testing → Deploy → (next iteration)
Traditional Security + Agile Process?
Begin Iteration #N
• Gather Security Requirements
• Choose User Stories
• Security Architecture Review
• Implement Stories
• Security Code Review
• Perform Unit Testing
• Application Vulnerability Testing
• Deploy
• External Application Security Testing
Traditional Security + Agile Process?
Leverage User Stories

As a User…
• I should be able to update my profile with a birth date to receive discounts on my birthday

As a User …
• I should be able to update my profile with a valid birth date to receive discounts on my birthday
• Controls: Input Validation

As a Manager…
• I want to be the only one who can edit employee salaries so that I can prevent fraud
• Controls: Function Layer Access Control

As a Business Owner…
• I want to be able to track and monitor all transactions, so that attacks can be detected
• Controls: Logging and Intrusion Detection

> User stories useful for access control, encryption, logging, and several other security areas
> Some technical risks need extra consideration to be represented by user stories
– XSS
– CSRF
Creating User Security Stories
[Threat-model diagram: Threat Agent → Attack → Vulnerability → Control → Technical Impact → Business Impact. Each attack path passes through a vulnerability and a control (or a missing control) on an asset or function, and ends in a business impact.]
Require Security Training
• Attacks continuously evolve
– Developers must understand the attacks and controls to properly mitigate the threats
– Therefore, all developers should have a background in web application security
• Agile developers write their own tests
– Must test security adequately
• Ultimately, everyone on the team is responsible for security

OWASP Top 10:
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access
Leverage Unit Testing
• Continuous testing done by all team members
– Unit tests should include security mechanisms
– Integrate peer code reviews
• Check for common security flaws
– Test input validation by verifying behavior in edge cases
– Test access control by verifying behavior from multiple roles
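An added example (not from the deck) of the unit tests this slide and the user-story slide call for: a birth-date validator exercised at its edge cases, and a salary-editing function whose function-layer access control is called from every role. The role names, the fixed "today", and the YYYY-MM-DD format are assumptions.

```python
import unittest
from datetime import date, datetime

TODAY = date(2009, 10, 30)   # fixed clock (assumption) so the tests are deterministic

def validate_birth_date(value, today=TODAY):
    """Input validation for the 'valid birth date' story: strict YYYY-MM-DD,
    a real calendar date, not in the future, not implausibly old."""
    if not isinstance(value, str) or len(value) != 10:
        raise ValueError("birth date must be YYYY-MM-DD")
    parsed = datetime.strptime(value, "%Y-%m-%d").date()   # rejects 1980-02-30
    if parsed > today:
        raise ValueError("birth date is in the future")
    if today.year - parsed.year > 130:
        raise ValueError("birth date is implausibly old")
    return parsed

def edit_salary(session_role, salaries, employee_id, new_salary):
    """Function-layer access control for the manager story: the check lives in
    the function itself, not only in whichever screen happens to call it."""
    if session_role != "Manager":
        raise PermissionError("only managers may edit salaries")
    salaries[employee_id] = new_salary
    return salaries[employee_id]

class SecurityUnitTests(unittest.TestCase):
    def test_birth_date_edge_cases(self):
        self.assertEqual(validate_birth_date("1980-02-29"), date(1980, 2, 29))
        for bad in ["", "1980-2-9", "1980-02-30", "2010-01-01", "1850-01-01",
                    "<script>x</script>", "1980-02-29' OR 1=1", None]:
            with self.assertRaises(ValueError, msg=bad):
                validate_birth_date(bad)

    def test_salary_edit_from_every_role(self):
        salaries = {"emp1": 100}
        self.assertEqual(edit_salary("Manager", salaries, "emp1", 120), 120)
        for role in ["User", "BusinessOwner", "manager", "", None]:
            with self.assertRaises(PermissionError, msg=role):
                edit_salary(role, salaries, "emp1", 999)
        self.assertEqual(salaries["emp1"], 120)   # denied calls changed nothing

def run_security_tests():
    """Runs the suite quietly; returns (all_passed, tests_run)."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(SecurityUnitTests)
    result = unittest.TestResult()
    suite.run(result)
    return result.wasSuccessful(), result.testsRun
```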
Use Standard Security Controls
OWASP Enterprise Security API (ESAPI)
http://www.owasp.org/index.php/ESAPI
[Diagram: the Custom Enterprise Web Application calls the Enterprise Security API, which in turn wraps Existing Enterprise Security Services/Libraries. ESAPI components: Validator, User, Security configuration, Randomizer, Logger, Log Factory, Intrusion Detector, HTTP Utilities, Executor, Encryptor, Encrypted Properties, Encoder, Authenticator, Access Reference Map, Access Controller.]
Leverage Sprints
Sprint #N:
• Password Security Story
• User Login Story
• User Profile Story
Putting It All Together
Create Threat Model
• Capture key threats to the application
Define Security Stories
• Encapsulate threat model in user stories
Create Unit Security Tests
• Test edge cases for inputs
• Verify use of security controls
Consolidate Sprints
• Combine related security stories
Putting It All Together
Use Standard Security Controls
• Developers should use standard controls
• See the OWASP ESAPI Project
Secure Coding Standards
• Avoid patterns that lead to security flaws
• How to use security controls correctly
Provide Security Training
• Developers need application security awareness
• Train developers to use your controls
Leverage Security Experts
• Even with training and standards, security is hard
Questions?
Aspect Security http://www.aspectsecurity.com
Jerry Hoff
[email protected]