Agile and Secure Can we do both?


OWASP

Jerry Hoff Antisamy .NET project lead Aspect Security [email protected]

Oct 30, 2009

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation http://www.owasp.org

Quick Security Overview

http://example.com/search?q=Alessandra+Ambrosio
You searched for Alessandra Ambrosio …

OWASP Brazil 2009

Quick Security Overview: XSS

http://example.com/search?q=/*evil*/
You searched for /*evil*/ …

Quick Security Overview


Quick Security Overview: CSRF


Quick Security Overview

http://example.com/viewStatement?custid=123153

Quick Security Overview: Access Control

http://example.com/viewStatement?custid=123154
SELECT * FROM statements WHERE CustomerID=123154

Quick Security Overview: SQL Injection

http://example.com/viewStatement?custid=1; DROP TABLE statements;
SELECT * FROM statements WHERE CustomerID=1; DROP TABLE statements;
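Added example (not from the deck): the viewStatement handler behind the access-control and SQL-injection slides above, in Python, vulnerable beside hardened. The unsafe builder reproduces the exact SQL the slide shows; the hardened handler validates the parameter as an integer, checks that the requested statement belongs to the customer in the server-side session (the 123153 and 123154 case) and binds the value. The table layout, the in-memory SQLite database, the session identity and the sample rows are assumptions.

```python
import sqlite3


def build_query_unsafe(custid: str) -> str:
    """The pattern behind the slide: the URL parameter is pasted into the SQL text.
    Shown as a string only; it is never executed in this example."""
    return f"SELECT * FROM statements WHERE CustomerID={custid}"


def make_db() -> sqlite3.Connection:
    """Constructed sample data (assumption): two customers with one statement each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (CustomerID INTEGER, Balance INTEGER)")
    conn.executemany("INSERT INTO statements VALUES (?, ?)",
                     [(123153, 500), (123154, 900)])
    conn.commit()
    return conn


def view_statement(conn: sqlite3.Connection, session_custid: int, custid_param: str) -> list:
    """Hardened handler. session_custid is the customer identity taken from the
    server-side session (assumption); custid_param is the raw ?custid= value."""
    # 1. Input validation: the parameter must be an integer and nothing else.
    try:
        custid = int(custid_param)  # "1; DROP TABLE statements;" fails right here
    except ValueError:
        raise ValueError("custid must be an integer") from None
    # 2. Access control: a customer may only read their own statement, whatever
    #    id they put in the URL (the 123153 -> 123154 slide).
    if custid != session_custid:
        raise PermissionError("statement does not belong to the logged-in customer")
    # 3. Parameter binding: the value reaches the database as data, not as SQL text.
    cur = conn.execute(
        "SELECT CustomerID, Balance FROM statements WHERE CustomerID = ?", (custid,))
    return cur.fetchall()
```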

Agenda

•  About Us
•  Waterfall Process Background
•  Agile Process Background
•  Leveraging Agile Characteristics
•  Accounting for Agile Traits
•  Putting It All Together

Traditional Waterfall Process

•  Requirements
•  Design
•  Implementation
•  Verification
•  Maintenance

Security in the Waterfall Process

Requirements
•  Security Requirements

Design
•  Security Architecture Review

Implementation
•  Secure Code Review

Verification
•  Application Vulnerability Testing

Maintenance
•  External Application Security Testing

Advantages:
–  Well understood process
–  Leverages subject matter experts to identify security concerns

Disadvantages:
–  Findings from early security reviews are often ignored as “theoretical”
–  Costly to go backwards in the development timeline

Agile Process

Begin Iteration #N
•  Choose User Stories
•  Implement Stories
•  Unit Testing
•  Deploy

Traditional Security + Agile Process?

Begin Iteration #N
•  Gather Security Requirements
•  Choose User Stories
•  Security Architecture Review
•  Implement Stories
•  Security Code Review
•  Perform Unit Testing
•  Application Vulnerability Testing
•  Deploy
•  External Application Security Testing

Traditional Security + Agile Process?


Leverage User Stories

As a User…
•  I should be able to update my profile with a birth date to receive discounts on my birthday

As a User…
•  I should be able to update my profile with a valid birth date to receive discounts on my birthday
•  Controls: Input Validation

As a Manager…
•  I want to be the only one who can edit employee salaries so that I can prevent fraud
•  Controls: Function Layer Access Control

As a Business Owner…
•  I want to be able to track and monitor all transactions, so that attacks can be detected
•  Controls: Logging and Intrusion Detection

>  User stories useful for access control, encryption, logging, and several other security areas

>  Some technical risks need extra consideration to be represented by user stories
–  XSS
–  CSRF

Creating User Security Stories

[Diagram: threat model paths. Each path runs from a Threat Agent through an Attack, a Vulnerability or Missing Control, the Control and the Asset or Function it protects, to the Technical Impact and the Business Impact; several attack and vulnerability pairs run in parallel and end in business impacts.]

Require Security Training

Attacks continuously evolve
–  Developers must understand the attacks and controls to properly mitigate the threats

Agile developers write their own tests
–  Must test security adequately

Ultimately, everyone on the team is responsible for security
–  Therefore, all developers should have a background in web application security

A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access

Leverage Unit Testing

Continuous testing done by all team members
–  Unit tests should include security mechanisms
–  Integrate peer code reviews

Check for common security flaws
–  Test input validation by verifying behavior in edge cases
–  Test access control by verifying behavior from multiple roles
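Added example (not from the deck): security unit tests in Python for two of the stories on the Leverage User Stories slide, exercising the birth-date validator on edge cases and the salary-editing function from several roles, as the bullets above ask for. The validator rules, the role names, the in-memory salary table and the fixed "today" date are assumptions.

```python
import unittest
from datetime import date

MAX_AGE_YEARS = 130  # assumption for this example: anything older is treated as bad input


def parse_birth_date(raw: str, today: date) -> date:
    """Input validation for the 'valid birth date' story: ISO YYYY-MM-DD only, not in the future."""
    if not isinstance(raw, str) or len(raw) != 10:
        raise ValueError("birth date must be YYYY-MM-DD")
    parsed = date.fromisoformat(raw)  # rejects 2009-02-30, letters, extra characters
    if parsed > today:
        raise ValueError("birth date is in the future")
    if today.year - parsed.year > MAX_AGE_YEARS:
        raise ValueError("birth date is implausibly old")
    return parsed


def edit_salary(actor_role: str, salaries: dict, employee: str, new_salary: int) -> int:
    """Function-layer access control for the 'only a manager edits salaries' story."""
    if actor_role != "manager":  # decided before any work happens, for every caller
        raise PermissionError(f"role {actor_role!r} may not edit salaries")
    salaries[employee] = new_salary
    return salaries[employee]


class SecurityStoryTests(unittest.TestCase):
    """Edge cases for the validator, several roles for the access check."""
    TODAY = date(2009, 10, 30)  # the date of the talk, used as the fixed 'today'

    def test_birth_date_edge_cases(self):
        self.assertEqual(parse_birth_date("1990-05-17", self.TODAY), date(1990, 5, 17))
        for bad in ("", "17/05/1990", "2009-02-30", "2010-01-01", "1850-01-01", "1990-05-17'--"):
            with self.assertRaises(ValueError, msg=bad):
                parse_birth_date(bad, self.TODAY)

    def test_salary_edit_from_multiple_roles(self):
        salaries = {"alice": 1000}
        self.assertEqual(edit_salary("manager", salaries, "alice", 1200), 1200)
        for role in ("user", "business owner", "", "Manager"):  # case-sensitive on purpose
            with self.assertRaises(PermissionError, msg=role):
                edit_salary(role, salaries, "alice", 1)
        self.assertEqual(salaries["alice"], 1200)  # denied calls changed nothing


def run_security_tests() -> bool:
    """Run the suite as a CI step would; True only when every test passes."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(SecurityStoryTests)
    return unittest.TextTestRunner(verbosity=0).run(suite).wasSuccessful()
```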

Use Standard Security Controls

OWASP Enterprise Security API (ESAPI)
http://www.owasp.org/index.php/ESAPI

Custom Enterprise Web Application

Enterprise Security API:
•  Validator
•  User
•  Security configuration
•  Randomizer
•  Logger
•  Log Factory
•  Intrusion Detector
•  HTTP Utilities
•  Executor
•  Encryptor
•  Encrypted Properties
•  Encoder
•  Authenticator
•  Access Reference Map
•  Access Controller

Existing Enterprise Security Services/Libraries

Leverage Sprints

Sprint # N
•  Password Security Story
•  User Login Story
•  User Profile Story

Putting It All Together

Create Threat Model
•  Capture key threats to the application

Define Security Stories
•  Encapsulate threat model in user stories

Create Unit Security Tests
•  Test edge cases for inputs
•  Verify use of security controls

Consolidate Sprints
•  Combine related security stories

Putting It All Together

Use Standard Security Controls
•  Developers should use standard controls
•  See the OWASP ESAPI Project

Secure Coding Standards
•  Avoid patterns that lead to security flaws
•  How to use security controls correctly

Provide Security Training
•  Developers need application security awareness
•  Train developers to use your controls

Leverage Security Experts
•  Even with training and standards, security is hard


Questions?

Aspect Security
http://www.aspectsecurity.com
Jerry Hoff
[email protected]