SlideShare a Scribd company logo

Security Checkpoints in Agile SDLC

R
Rahul Raghavan

Product Engineering teams have started to realize the importance of software security. This has resulted in the trend where teams are taking efforts to include it as part of their software development life cycle; as opposed to treating it as another item in their checklist prior to release. However, the real challenge is in trying to find the balance between agility and quality which is where many team find this an uphill task. While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator. This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions. This was presented as a we45 Webinar on April 12, 2018

Technology
1 of 27
Download to read offline
ENFORCING SECURITY CHECKPOINTS Rahul Raghavan Co Founder and DevSecOps Proponent, we45
Agenda Ø Software Security Initiative – A Quick Recap Ø Challenges in Application Security Ø The advent of DevSecOps Ø SDLC Security Checkpoints Ø Application Threat Modeling Ø Application Security Tooling Ø Regressions for Application Security
Software Security Initiative “Collection of activities that Measure, Maintain and Improve the state of Software Security”
Phases of an SSI Prepare to Kick Start / Improve your SSI Take Control and Implement your SSI Measure Success of your SSI Identify Continuous Improvements of your SSI PLAN DO CHECK ACT
In focus today… Application Team Mapping Gather Historic Current State Data Ascertain Compliance Legal Objectives Establish SSI Governance Identify Training Needs Organize Tool-chest Identify Security Checkpoints Toolchain implementation Enhance existing automation Build Internal Capability SIG Collaborations Transcend Beyond Penetration Tests Enforce Security Checkpoints PLAN DO
The Advent of DevSecOps Ø Security = Continuous Feedback + Improved Automation Ø End of the chain security activities broken down into piece-meal engagements Ø Division of security responsibilities – Dev, Ops, QA, Security Ø Transformation of engineering tools and platform – interfacing capabilities Ø Everyone needs to “get” code
DevSecOps : Gartner’s Infinite Loop
DevSecOps : The we45 Model
Security Checkpoints Ø Logical security turnstiles at every phase of development and deployment Ø Assimilate common security objectives across engineering teams Ø Establish traceability for identified security flaws
In simplespeak… Design Develop Deploy & Test Release & Monitor Plan Code Build Test Release Deploy Operate Monitor
SOFTWARE DESIGN “There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies” C.A.R Hoare
Threat Modeling Ø Identify, Enumerate and Prioritize - Security Risks Ø Systematic Breakdown of Attack Vectors and Attack Channels Ø Identifying Most Likely, Relevant Threats to a system Ø To identify controls and measures of risk treatment Ø Create a Security Playbook for the Product Team
Everything that’s wrong with Threat Modeling today Ø Assumption of frozen requirements => Very Waterfall! Ø Threat Models are not dynamic enough - Out of date with application delivery Ø Current Threat Modeling is not collaborative – Bunch of Security folks at the beginning of a project
The 1-2-3 of Threat Modeling Abuser Stories Attack Model Test Scenario User Story What can be done to abuse a functionality How to make your abuser story come to life Security checks you can formulate for each attack model
Threat Modeling :: Test Case Mapping User Story As a user I want to search for my notes using the Search functionality Abuser Story As an attacker, I will try to search for notes of other users so as to disclose potentially sensitive info As an attacker I will try to redirect users to malicious sites to compromise account credentials Attack Model Attacker can perform Man-In- The-Middle attacks Attacker can perform Injection attacks Test Scenarios Check if the application is always on HTTPS, across the application Check for SSL strength Check for HSTS header present in HTTP Headers while connecting to the application Check for SSL vulnerabilities like POODLE, BEAST…
Security in Design Ø Consolidate security requirements § Compliance mandates § Regulatory obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds / historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Design Checkpoint Abuser Stories linked to User Stories in JIRA/Confluence
DEVELOP & DEPLOY “The most secure code in the world is code which is never written” - Colin Percival
Develop Ø Table – Top code walkthroughs Ø SAST IDE Plugins Ø SCA runs as part of code review and build management Ø Peer-review prior to code commit Ø Evangelize use of Secure Coding Guidelines/checklist Ø Liaise security champions Develop Checkpoint SAST and SCA scans on local repo prior to code commit
AppSec Toolchain Ø Security tools (SAST, SCA and DAST) to work in conjunction with engineering platforms Ø “Force Multiplier Effect” through open source scanner components Ø Automated or scheduled triggers that kick off scan workflows Ø Transform from plain DAST to Parameterized DAST Ø Save critical security bandwidth by minimizing § Vulnerability Triaging § Testing common scenarios § Reconnaissance and Discovery Ø Transform vulnerabilities as “defects” routing them to the common defect pipeline system
AppSec Toolchain Architecture 1 2 3 4 5 6 78 9 10
Security Regression Ø Taking security one step closer to Quality Assurance (QA) Ø Leverage functional automation tools and resources to run security iterations with QA iterations Ø Extend and re-use automation scripts / technology to create “Security Regressions” Ø Increase efficiency of DAST scanners Ø Create security ”exploit scripts” for identified vulnerabilities Ø Automate security test case scenarios Ø Scale Security with QA Ø AppSec Toolchain + Security Regression = Savings in Resource Bandwidth
A sample regression architecture
Deploy and Test Ø Find bugs Early, Fix bugs Early! Ø Strategies for ‘Found bugs’ and ‘Yet to Find bugs’ Ø Threat Modeling :: Test cases mapping Ø Run Automated Tool Chain (DAST Scanners) Ø Leverage QA functional automation Ø Perform residual / iterative penetration tests Ø Non-Deterministic testing Ø Prioritize vulnerabilities based on impact Deploy & Test Checkpoint Piggyback on existing release gates (include security thresholds)
PRODUCT RELEASE AND MONITORING “When we launch a product, we’re already working on the next one. And possibly even the next, next one” - Tim Cook
Release & Monitor Ø Shift Right Strategy – Self Protect or Fail Safe Ø Use of RASP, WAF, Botnet Mitigation, Load Balancers, DDoS Ø Successful and failed attack metadata feedback as actionable intel Ø Integrate security cookbooks with deployment cookbooks (config audits more than testing) Ø Assisted Bug Bounties Release & Monitor Checkpoint Establish feedback mechanisms from Production to Design
Iteration 2 and forward Ø Consolidate security requirements Ø Compliance mandates Ø Regulation obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds/historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Ø Identify design changes to address security vulnerabilities Ø Update design documents Ø Update coding guidelines Design Checkpoint ➤ Table – top code walkthroughs ➤ SAST IDE Plugins ➤ SCA runs as part of code review and build management ➤ Peer-review prior to code commit ➤ Evangelize use of Secure Coding Guidelines/checklist ➤ Liaise security champions ➤ Code changes to remediate security vulnerabilities Develop Checkpoint Deploy & Test Checkpoint ➤ Find bugs Early, Fix bugs Early! ➤ Strategies for ”Found bugs” and “Yet to find bugs” ➤ Threat Modeling :: Test case mapping ➤ Run Automated Tool Chain (DAST Scanners) ➤ Leverage QA functional automation ➤ Perform residual/iterative penetration tests ➤ Non-deterministic testing ➤ Prioritize vulnerabilities based on impact ➤ Run regressions ➤ Compare scan results from previous iterations ➤ Shift Right Strategy – Self protect of Fail Safe ➤ Use of RASP, WAF Botnet mitigation, Load Balancers, DDoS ➤ Successful and failed attack metadata feedback as actionable intel ➤ Integrate security cookbooks with deployment cookbooks (config audits more than testing) ➤ Assisted Bug Bounties Release & Monitor Checkpoint
OPEN HOUSE Questions , Clarifications et all….. rahul@we45.com @rahul_raghav torahulraghavan we45.com/blog

Recommended

Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 

Recommended

Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software DevelopmentDevOps.com
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 

More Related Content

What's hot

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software DevelopmentDevOps.com
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 

What's hot (20)

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software Development
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 

Similar to Security Checkpoints in Agile SDLC

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 

Similar to Security Checkpoints in Agile SDLC (20)

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 

Recently uploaded

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Recently uploaded (20)

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

Security Checkpoints in Agile SDLC

  • 1. ENFORCING SECURITY CHECKPOINTS Rahul Raghavan Co Founder and DevSecOps Proponent, we45
  • 2. Agenda Ø Software Security Initiative – A Quick Recap Ø Challenges in Application Security Ø The advent of DevSecOps Ø SDLC Security Checkpoints Ø Application Threat Modeling Ø Application Security Tooling Ø Regressions for Application Security
  • 3. Software Security Initiative “Collection of activities that Measure, Maintain and Improve the state of Software Security”
  • 4. Phases of an SSI Prepare to Kick Start / Improve your SSI Take Control and Implement your SSI Measure Success of your SSI Identify Continuous Improvements of your SSI PLAN DO CHECK ACT
  • 5. In focus today… Application Team Mapping Gather Historic Current State Data Ascertain Compliance Legal Objectives Establish SSI Governance Identify Training Needs Organize Tool-chest Identify Security Checkpoints Toolchain implementation Enhance existing automation Build Internal Capability SIG Collaborations Transcend Beyond Penetration Tests Enforce Security Checkpoints PLAN DO
  • 6. The Advent of DevSecOps Ø Security = Continuous Feedback + Improved Automation Ø End of the chain security activities broken down into piece-meal engagements Ø Division of security responsibilities – Dev, Ops, QA, Security Ø Transformation of engineering tools and platform – interfacing capabilities Ø Everyone needs to “get” code
  • 7. DevSecOps : Gartner’s Infinite Loop
  • 8. DevSecOps : The we45 Model
  • 9. Security Checkpoints Ø Logical security turnstiles at every phase of development and deployment Ø Assimilate common security objectives across engineering teams Ø Establish traceability for identified security flaws
  • 10. In simplespeak… Design Develop Deploy & Test Release & Monitor Plan Code Build Test Release Deploy Operate Monitor
  • 11. SOFTWARE DESIGN “There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies” C.A.R Hoare
  • 12. Threat Modeling Ø Identify, Enumerate and Prioritize - Security Risks Ø Systematic Breakdown of Attack Vectors and Attack Channels Ø Identifying Most Likely, Relevant Threats to a system Ø To identify controls and measures of risk treatment Ø Create a Security Playbook for the Product Team
  • 13. Everything that’s wrong with Threat Modeling today Ø Assumption of frozen requirements => Very Waterfall! Ø Threat Models are not dynamic enough - Out of date with application delivery Ø Current Threat Modeling is not collaborative – Bunch of Security folks at the beginning of a project
  • 14. The 1-2-3 of Threat Modeling Abuser Stories Attack Model Test Scenario User Story What can be done to abuse a functionality How to make your abuser story come to life Security checks you can formulate for each attack model
  • 15. Threat Modeling :: Test Case Mapping User Story As a user I want to search for my notes using the Search functionality Abuser Story As an attacker, I will try to search for notes of other users so as to disclose potentially sensitive info As an attacker I will try to redirect users to malicious sites to compromise account credentials Attack Model Attacker can perform Man-In- The-Middle attacks Attacker can perform Injection attacks Test Scenarios Check if the application is always on HTTPS, across the application Check for SSL strength Check for HSTS header present in HTTP Headers while connecting to the application Check for SSL vulnerabilities like POODLE, BEAST…
  • 16. Security in Design Ø Consolidate security requirements § Compliance mandates § Regulatory obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds / historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Design Checkpoint Abuser Stories linked to User Stories in JIRA/Confluence
  • 17. DEVELOP & DEPLOY “The most secure code in the world is code which is never written” - Colin Percival
  • 18. Develop Ø Table – Top code walkthroughs Ø SAST IDE Plugins Ø SCA runs as part of code review and build management Ø Peer-review prior to code commit Ø Evangelize use of Secure Coding Guidelines/checklist Ø Liaise security champions Develop Checkpoint SAST and SCA scans on local repo prior to code commit
  • 19. AppSec Toolchain Ø Security tools (SAST, SCA and DAST) to work in conjunction with engineering platforms Ø “Force Multiplier Effect” through open source scanner components Ø Automated or scheduled triggers that kick off scan workflows Ø Transform from plain DAST to Parameterized DAST Ø Save critical security bandwidth by minimizing § Vulnerability Triaging § Testing common scenarios § Reconnaissance and Discovery Ø Transform vulnerabilities as “defects” routing them to the common defect pipeline system
  • 21. Security Regression Ø Taking security one step closer to Quality Assurance (QA) Ø Leverage functional automation tools and resources to run security iterations with QA iterations Ø Extend and re-use automation scripts / technology to create “Security Regressions” Ø Increase efficiency of DAST scanners Ø Create security ”exploit scripts” for identified vulnerabilities Ø Automate security test case scenarios Ø Scale Security with QA Ø AppSec Toolchain + Security Regression = Savings in Resource Bandwidth
  • 22. A sample regression architecture
  • 23. Deploy and Test Ø Find bugs Early, Fix bugs Early! Ø Strategies for ‘Found bugs’ and ‘Yet to Find bugs’ Ø Threat Modeling :: Test cases mapping Ø Run Automated Tool Chain (DAST Scanners) Ø Leverage QA functional automation Ø Perform residual / iterative penetration tests Ø Non-Deterministic testing Ø Prioritize vulnerabilities based on impact Deploy & Test Checkpoint Piggyback on existing release gates (include security thresholds)
  • 24. PRODUCT RELEASE AND MONITORING “When we launch a product, we’re already working on the next one. And possibly even the next, next one” - Tim Cook
  • 25. Release & Monitor Ø Shift Right Strategy – Self Protect or Fail Safe Ø Use of RASP, WAF, Botnet Mitigation, Load Balancers, DDoS Ø Successful and failed attack metadata feedback as actionable intel Ø Integrate security cookbooks with deployment cookbooks (config audits more than testing) Ø Assisted Bug Bounties Release & Monitor Checkpoint Establish feedback mechanisms from Production to Design
  • 26. Iteration 2 and forward Ø Consolidate security requirements Ø Compliance mandates Ø Regulation obligations Ø Perform architecture design review Ø Perform Threat Modeling Ø Third party threat feeds/historic data Ø Identify relevant SAST, SCA & DAST tool-chest Ø Prioritize training needs Ø Identify design changes to address security vulnerabilities Ø Update design documents Ø Update coding guidelines Design Checkpoint ➤ Table – top code walkthroughs ➤ SAST IDE Plugins ➤ SCA runs as part of code review and build management ➤ Peer-review prior to code commit ➤ Evangelize use of Secure Coding Guidelines/checklist ➤ Liaise security champions ➤ Code changes to remediate security vulnerabilities Develop Checkpoint Deploy & Test Checkpoint ➤ Find bugs Early, Fix bugs Early! ➤ Strategies for ”Found bugs” and “Yet to find bugs” ➤ Threat Modeling :: Test case mapping ➤ Run Automated Tool Chain (DAST Scanners) ➤ Leverage QA functional automation ➤ Perform residual/iterative penetration tests ➤ Non-deterministic testing ➤ Prioritize vulnerabilities based on impact ➤ Run regressions ➤ Compare scan results from previous iterations ➤ Shift Right Strategy – Self protect of Fail Safe ➤ Use of RASP, WAF Botnet mitigation, Load Balancers, DDoS ➤ Successful and failed attack metadata feedback as actionable intel ➤ Integrate security cookbooks with deployment cookbooks (config audits more than testing) ➤ Assisted Bug Bounties Release & Monitor Checkpoint
  • 27. OPEN HOUSE Questions , Clarifications et all….. rahul@we45.com @rahul_raghav torahulraghavan we45.com/blog