Agile and Secure Can we do both? - OWASP Foundation · 2020-01-17 · Agile Process Background ......
Transcript of Agile and Secure Can we do both? - OWASP Foundation · 2020-01-17 · Agile Process Background ......
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Agile and Secure Can we do both?
Jerry Hoff Antisamy .NET project lead Aspect Security [email protected]
Oct 30, 2009
OWASP Brazil 2009 2
Quick Security Overview
http://example.com/search?q=Alessandra+ Ambrosio
<html> <body> You searched for Alessandra Ambrosio <li>…</li>
</body> </html>
OWASP Brazil 2009 3
Quick Security Overview: XSS
http://example.com/search?q=<script>/*evil*/</script>
<html> <body> You searched for <script>/*evil*/</script> <li>…</li>
</body> </html>
OWASP Brazil 2009
4
Quick Security Overview
<img src=“http://mail.example.com/logo.gif”>
OWASP Brazil 2009
5
Quick Security Overview: CSRF
<img src=“http://mail.example.com/logo.gif”>
<img src=“http://mail.example.com/deleteAllMsgs?confirm=true”>
OWASP Brazil 2009
6
Quick Security Overview
http://example.com/viewStatement? custid=123153
OWASP Brazil 2009
7
Quick Security Overview: Access Control
http://example.com/viewStatement?custid=123154
SELECT * FROM statements WHERE CustomerID=123154
OWASP Brazil 2009
8
Quick Security Overview: SQL Injection
http://example.com/viewStatement?custid=1; DROP TABLE statements;
SELECT * FROM statements WHERE CustomerID=1; DROP TABLE statements;
OWASP Brazil 2009
Agenda
About Us Waterfall Process Background Agile Process Background Leveraging Agile Characteristics Accounting for Agile Traits Putting It All Together
9
OWASP Brazil 2009
Traditional Waterfall Process
10
Requirements
Design
Implementation
Verification
Maintenance
OWASP Brazil 2009
Security in the Waterfall Process
11
• Security Requirements
Requirements
• Security Architecture Review
Design
• Secure Code Review Implementation
• Application Vulnerability Testing
Verification
• External Application Security Testing
Maintenance
Advantages: – Well understood process – Leverages subject matter
experts to identify security concerns
Disadvantages: – Findings from early security
reviews are often ignored as “theoretical”
– Costly to go backwards in the development timeline
OWASP Brazil 2009
Agile Process
12
Begin Iteration
# N
Choose User
Stories
Implement Stories
Unit Testing
Deploy
OWASP Brazil 2009
Traditional Security + Agile Process?
13
Begin Iteration # N
Gather Security Requirements
Choose User Stories
Security Architecture Review
Implement Stories
Security Code Review
Perform Unit Testing
Application Vulnerability Testing Deploy
External Application Security Testing
OWASP Brazil 2009
Traditional Security + Agile Process?
14
OWASP Brazil 2009
Leverage User Stories
15
• I should be able to update my profile with a birth date to receive discounts on my birthday
As a User…
• I should be able to update my profile with a valid birth date to receive discounts on my birthday
• Controls: Input Validation
As a User …
• I want to be the only one who can edit employee salaries so that I can prevent fraud
• Controls: Function Layer Access Control
As a Manager…
• I want to be able to track and monitor all transactions, so that attacks can be detected
• Controls: Logging and Intrusion Detection
As a Business Owner…
> User stories useful for access control, encryption, logging, and several other security areas
> Some technical risks need extra consideration to be represented by user stories – XSS – CSRF
OWASP Brazil 2009
Creating User Security Stories
16
Attack
Attack
Vulnerability
Vulnerability
Vulnerability
Control
Missing Control
Asset
Asset
Business Impact
Business Impact
Business Impact Function
Control Asset
Vulnerability
Attack
Attack
Attack
Threat Agent Attack Vulnerability Control
Technical Impact
Business Impact
OWASP Brazil 2009
Require Security Training
17
Attacks continuously evolve – Developers must understand the
attacks and controls to properly mitigate the threats
Agile developers write their own tests – Must test security adequately
Ultimately, everyone on the team responsible for security – Therefore, all developers should
have a background in web application security
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object
Reference
A5: Cross Site Request Forgery
(CSRF)
A6: Information Leakage and
Improper Error Handling
A7: Broken Authentication
and Session Management
A8: Insecure Cryptographic
Storage
A9: Insecure Communications
A10: Failure to Restrict URL
Access
OWASP Brazil 2009
Leverage Unit Testing
18
Continuous testing done by all team members – Unit tests should include
security mechanisms – Integrate peer code reviews
Check for common security flaws – Test input validation by verifying
behavior in edge cases – Test access control by verifying
behavior from multiple roles
OWASP Brazil 2009
Use Standard Security Controls
19
OWASP Enterprise Security API (ESAPI) http://www.owasp.org/index.php/ESAPI
Custom Enterprise Web Application
Enterprise Security API
Access
Controller
Access
Reference M
ap
Au
then
ticator
Encoder
Encrypted P
roperties
Encryptor
Executor
HTTP
Utilities
Intrusion D
etector
Log Factory
Logger
Random
izer
Security configuration
User
Validator
Existing Enterprise Security Services/Libraries
OWASP Brazil 2009
Leverage Sprints
20
Sprint # N
User Profile Story
Password Security
Story
User Login Story
OWASP Brazil 2009
Putting It All Together
21
• Capture key threats to the application Create Threat Model
• Encapsulate threat model in user stories Define Security Stories
• Test edge cases for inputs • Verify use of security controls
Create Unit Security Tests
• Combine related security stories Consolidate Sprints
OWASP Brazil 2009
Putting It All Together
22
• Developers should use standard controls • See the OWASP ESAPI Project
Use Standard Security Controls
• Avoid patterns that lead to security flaws • How to use security controls correctly
Secure Coding Standards
• Developers need application security awareness • Train developers to use your controls
Provide Security Training
• Even with training and standard, security is hard
Leverage Security Experts
OWASP Brazil 2009
References
Integrating Application Security into Agile Methodologies Aspect Security
http://www.aspectsecurity.com/documents/Agile_Security_White_Paper.pdf
Beyond Functional Requirements On Agile Projects Scott W. Ambler - September 16, 2008
http://www.ddj.com/security/210601918
Agile Security Requirements Engineering Johan Peters
http://secappdev.org/handouts/2008/abuser%20stories.pdf
23
OWASP Brazil 2009
Questions?
Aspect Security http://www.aspectsecurity.com
Jerry Hoff [email protected]
24