Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL...
Transcript of Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL...
![Page 1: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/1.jpg)
Nick Coblentz, CISSPSenior Consultant, AT&T Consulting
http://nickcoblentz.blogspot.com
http://www.twitter.com/sekhmetn
This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
![Page 2: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/2.jpg)
Microsoft SDL For Agile Released
Source: http://blogs.msdn.com/sdl/archive/2009/11/10/announcing-sdl-for-agile-development-methodologies.aspx
2/23
![Page 3: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/3.jpg)
Agenda Presenter Background
Microsoft SDL (High-level)
Agile Development (High Level)
Traditional SDL Activities and Pain points for Agile development
SDL-Agile Key Concepts
SDL-Agile in Detail
Tips for Making SDL-Agile Manageable
3/23
![Page 4: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/4.jpg)
Bio AT&T Consulting:
Application Security Penetration testing
Code review
Architecture and design reviews
Application security program development
Secure development methodology improvement
4/23
![Page 5: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/5.jpg)
Microsoft Security Development Lifecycle (SDL)
Components:
Best Practices
Processes
Standards
Security Activities
Tools
Goal:“minimize security-related vulnerabilities in the design, code, and documentation and to detect and eliminate vulnerabilities as early as possible in the development life cycle.”
5/23
![Page 6: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/6.jpg)
Which Software?
Source: Microsoft’s Product Website
SDL applies to software that:
Is used in Business environments
Stores or transmits PII
Communicates over the Internet or other networks
6/23
![Page 7: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/7.jpg)
SDL Principles and ProcessSD3+C PD3+C
Secure by Design
Secure by Default
Secure in Deployment
Communications
Privacy by Design
Privacy by Default
Privacy in Deployment
Communications
7/23
![Page 8: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/8.jpg)
Agile Development
Cross-functional, self-organizing teams
Short, time-boxed development iterations
Delivery of small functional stories
No extensive up front design or documentation
Source: http://www.scrumalliance.org/pages/what_is_scrum
8/23
![Page 9: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/9.jpg)
Planning and Designhttp://www.flickr.com/photos/acarlos1000
9/23
![Page 10: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/10.jpg)
http://www.flickr.com/photos/acarlos1000
Planning and Design (cont.)
10/23
![Page 11: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/11.jpg)
User Stories and Documentation
http://www.flickr.com/photos/fmcamargo
http://www.flickr.com/photos/fmcamargo
11/23
![Page 12: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/12.jpg)
Traditional SDL Pain Points for Agile Can’t complete all SDL activities for each sprint
Requirements, architecture, and design evolves over time
Threat model becomes dated quickly
Data sensitivity and connection to third parties may not be immediately known
12/23
![Page 13: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/13.jpg)
Microsoft SDL For Agile Development SDL Requirement
Categories:
Every-Sprint
Bucket Verification Tasks
Design Review Tasks
Response Planning Tasks
One-Time
Source: Microsoft SDL v4.1a
13/23
![Page 14: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/14.jpg)
SDL-Agile Appendix
14/23
![Page 15: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/15.jpg)
SDL-Agile Appendix: Deadlines
15/23
![Page 16: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/16.jpg)
Every-Sprint SDL RequirementsExamples:
“…so essential to security that no software should ever be released without these requirements being met.”
Update the threat model
Communicate privacy-impacting design changes to the team’s privacy advisor
Fix all issues identified by code analysis tools for unmanaged code
Follow input validation and output encoding guidelines to defend against cross-site scripting attacks
16/23
![Page 17: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/17.jpg)
Bucket SDL RequirementsExamples:
Teams prioritize the pool of tasks over many sprints
Each sprint, one task from each bucket completed
Each tasks must be completed at least every 6 months
Security Verification Tasks Run fuzzing tools
Manual and automated code review
Design Review Tasks Conduct privacy review
In-depth threat model
Response Planning Tasks Define security/privacy bug
bar
Create support documents
17/23
![Page 18: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/18.jpg)
One-Time RequirementsWhy? Examples:
Repetition not necessary
Must occur at the beginning of the project
Not possible at the beginning of the project
Configure bug tracking system (3 months)
Identify security/privacy experts (1 month)
Baseline threat model (3 months)
Establish a security response plan (6 months)
18/23
![Page 19: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/19.jpg)
Final Security Review Occurs at the end of every sprint
Checklist:
All every-sprint requirements have been completed
No one-time requirements have exceeded deadline
At least one requirement from each bucket category has been completed
No bucket requirements exceed the six month deadline
No security or privacy bugs are open that exceed the severity threshold
19/23
![Page 20: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/20.jpg)
Sprint 3 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 2 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 1 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Resp. Plan
Resp. PlanResp.
PlanResp. PlanResp.
PlanResp. Plan
Backlog
One-Time Verification
Design
Design
Design
Design
Design
Design
Verif.
Verif.
Verif.
Verif.
Verif.
One-TimeOne-
TimeOne-TimeOne-
TimeOne-Time
User StoryUser
StoryUser StoryUser
StoryUser Story
User StoryUser
StoryUser StoryUser
StoryUser Story
20/23
SDL-Agile Process Demonstration
![Page 21: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/21.jpg)
Sprint 3 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 2 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 1 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Resp. Plan
Resp. PlanResp.
Plan
Backlog
One-Time Verification
Design
Design
Verif.
One-Time
User StoryUser
Story
Resp. Plan
DesignDesignVerif.Verif.
User Story
User Story
User Story
User Story
Resp. Plan
DesignVerif.
One-Time
One-Time
One-Time
User Story
Resp. Plan
DesignVerif.One-Time
User Story
User Story
User Story
Final Security Review
Final Security Review
Final Security Review
21/23
SDL-Agile Process Demonstration
![Page 22: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/22.jpg)
Making SDL-Agile Manageable Automation
CI server, unit testing that include security
Tooling
Automated code analysis and pen testing tools
Continuous updates to the threat model
Documented standards
Security training
Light on security artifacts
22/23
![Page 23: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/23.jpg)
TeamCity SDL-Agile Demonstration TeamCity Continuous Integration Server
Continuous Build
FxCop
CAT.NET
BinScope
Commercial Penetration Testing or Code Review Tools
Security Unit Testing
23/23
![Page 24: Nick Coblentz, CISSP - OWASP...Dec 01, 2009 · Agenda Presenter Background Microsoft SDL (High-level) Agile Development (High Level) Traditional SDL Activities and Pain points for](https://reader036.fdocuments.us/reader036/viewer/2022062610/610cbd03a37ee45bbe3c915d/html5/thumbnails/24.jpg)
Summary and QuestionsMore Information:http://www.microsoft.com/sdl
Nick Coblentz, CISSPSenior Consultant, AT&T Consulting
http://nickcoblentz.blogspot.com
http://www.twitter.com/sekhmetn
Microsoft releases SDL-Agile Guidance in Nov. 2009
Treats SDL Activities like team-prioritized User Stories 3 Categories: One-time,
Every-time, and Bucket
Increased success with the implementation of training, automation, tools, and standards
24/23