Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Agile and Secure Can we do both?

Jerry Hoff Antisamy .NET project lead Aspect Security jerry.hoff@aspectsecurity.com

Oct 30, 2009

OWASP Brazil 2009 2

Quick Security Overview

http://example.com/search?q=Alessandra+ Ambrosio

<html> <body> You searched for Alessandra Ambrosio <li>…</li>

</body> </html>

OWASP Brazil 2009 3

Quick Security Overview: XSS

http://example.com/search?q=<script>/*evil*/</script>

<html> <body> You searched for <script>/*evil*/</script> <li>…</li>

</body> </html>

OWASP Brazil 2009

4

Quick Security Overview

<img src=“http://mail.example.com/logo.gif”>

OWASP Brazil 2009

5

Quick Security Overview: CSRF

<img src=“http://mail.example.com/logo.gif”>

<img src=“http://mail.example.com/deleteAllMsgs?confirm=true”>

OWASP Brazil 2009

6

Quick Security Overview

http://example.com/viewStatement? custid=123153

OWASP Brazil 2009

7

Quick Security Overview: Access Control

http://example.com/viewStatement?custid=123154

SELECT * FROM statements WHERE CustomerID=123154

OWASP Brazil 2009

8

Quick Security Overview: SQL Injection

http://example.com/viewStatement?custid=1; DROP TABLE statements;

SELECT * FROM statements WHERE CustomerID=1; DROP TABLE statements;

OWASP Brazil 2009

Agenda

 About Us  Waterfall Process Background  Agile Process Background  Leveraging Agile Characteristics  Accounting for Agile Traits  Putting It All Together

9

OWASP Brazil 2009

Traditional Waterfall Process

10

Requirements

Design

Implementation

Verification

Maintenance

OWASP Brazil 2009

Security in the Waterfall Process

11

•  Security Requirements

Requirements

•  Security Architecture Review

Design

•  Secure Code Review Implementation

•  Application Vulnerability Testing

Verification

•  External Application Security Testing

Maintenance

Advantages: –  Well understood process –  Leverages subject matter

experts to identify security concerns

Disadvantages: –  Findings from early security

reviews are often ignored as “theoretical”

–  Costly to go backwards in the development timeline

OWASP Brazil 2009

Agile Process

12

Begin Iteration

# N

Choose User

Stories

Implement Stories

Unit Testing

Deploy

OWASP Brazil 2009

Traditional Security + Agile Process?

13

Begin Iteration # N

Gather Security Requirements

Choose User Stories

Security Architecture Review

Implement Stories

Security Code Review

Perform Unit Testing

Application Vulnerability Testing Deploy

External Application Security Testing

OWASP Brazil 2009

Traditional Security + Agile Process?

14

OWASP Brazil 2009

Leverage User Stories

15

• I should be able to update my profile with a birth date to receive discounts on my birthday

As a User…

• I should be able to update my profile with a valid birth date to receive discounts on my birthday

• Controls: Input Validation

As a User …

• I want to be the only one who can edit employee salaries so that I can prevent fraud

• Controls: Function Layer Access Control

As a Manager…

• I want to be able to track and monitor all transactions, so that attacks can be detected

• Controls: Logging and Intrusion Detection

As a Business Owner…

>  User stories useful for access control, encryption, logging, and several other security areas

>  Some technical risks need extra consideration to be represented by user stories –  XSS –  CSRF

OWASP Brazil 2009

Creating User Security Stories

16

Attack

Attack

Vulnerability

Vulnerability

Vulnerability

Control

Missing Control

Asset

Asset

Business Impact

Business Impact

Business Impact Function

Control Asset

Vulnerability

Attack

Attack

Attack

Threat Agent Attack Vulnerability Control

Technical Impact

Business Impact

OWASP Brazil 2009

Require Security Training

17

Attacks continuously evolve –  Developers must understand the

attacks and controls to properly mitigate the threats

Agile developers write their own tests –  Must test security adequately

Ultimately, everyone on the team responsible for security –  Therefore, all developers should

have a background in web application security

A1: Cross Site Scripting (XSS)

A2: Injection Flaws

A3: Malicious File Execution

A4: Insecure Direct Object

Reference

A5: Cross Site Request Forgery

(CSRF)

A6: Information Leakage and

Improper Error Handling

A7: Broken Authentication

and Session Management

A8: Insecure Cryptographic

Storage

A9: Insecure Communications

A10: Failure to Restrict URL

Access

OWASP Brazil 2009

Leverage Unit Testing

18

Continuous testing done by all team members –  Unit tests should include

security mechanisms –  Integrate peer code reviews

Check for common security flaws –  Test input validation by verifying

behavior in edge cases –  Test access control by verifying

behavior from multiple roles

OWASP Brazil 2009

Use Standard Security Controls

19

OWASP  Enterprise  Security  API  (ESAPI)  http://www.owasp.org/index.php/ESAPI  

Custom Enterprise Web Application

Enterprise Security API

Access

Controller

Access

Reference M

ap

Au

then

ticator

Encoder

Encrypted P

roperties

Encryptor

Executor

HTTP

Utilities

Intrusion D

etector

Log Factory

Logger

Random

izer

Security configuration

User

Validator

Existing Enterprise Security Services/Libraries

OWASP Brazil 2009

Leverage Sprints

20

Sprint # N

User Profile Story

Password Security

Story

User Login Story

OWASP Brazil 2009

Putting It All Together

21

•  Capture key threats to the application Create Threat Model

•  Encapsulate threat model in user stories Define Security Stories

•  Test edge cases for inputs •  Verify use of security controls

Create Unit Security Tests

•  Combine related security stories Consolidate Sprints

OWASP Brazil 2009

Putting It All Together

22

• Developers should use standard controls • See the OWASP ESAPI Project

Use Standard Security Controls

• Avoid patterns that lead to security flaws • How to use security controls correctly

Secure Coding Standards

• Developers need application security awareness • Train developers to use your controls

Provide Security Training

• Even with training and standard, security is hard

Leverage Security Experts

OWASP Brazil 2009

References

 Integrating Application Security into Agile Methodologies   Aspect Security

http://www.aspectsecurity.com/documents/Agile_Security_White_Paper.pdf

 Beyond Functional Requirements On Agile Projects   Scott W. Ambler - September 16, 2008

http://www.ddj.com/security/210601918

 Agile Security Requirements Engineering   Johan Peters

http://secappdev.org/handouts/2008/abuser%20stories.pdf

23

OWASP Brazil 2009

Questions?

Aspect Security http://www.aspectsecurity.com

Jerry Hoff jerry.hoff@aspectsecurity.com

24