• Home

  • Documents

  • Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is...
12
http://secse.org/ Oxford, June 4 2019 Frank Aakvik [email protected] Security and Privacy Officer, Telenor Soſtware Lab Empowering Secure Agile Teams 1

Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

http://secse.org/ Oxford, June 4 2019Frank Aakvik [email protected]

Security and Privacy Officer, Telenor Software Lab

Empowering Secure Agile Teams

1

http://secse.org/
mailto:[email protected]
Page 2: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Telenor Software Lab

2

• ...• ...• ...• ...

Client Team (8 ppl.)• Client logic• Web, Native Mobile, Legacy

Backend Team (4 ppl.)• Business logic• Client endpoints (proxy)• Authentication/Authorisation

Solutions Engineering (9 ppl.)• Quality Assurance/Test• Continuous Integration• Facilities Management• Security/Privacy

Operations (4 ppl.)• Remote/Local Storage• Remote/Local Hosting• Local Infrastructure

TSL

Marketing (2 ppl.)• Product Strategies• A/B Testing• Customer communications

Page 3: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Work Environment

3

Page 4: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Roles

4

Developer

QAPO

CI Engineer

Security/Privacy

Designer

Page 5: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Security Processes in Agile

5

1. Situation / Challenges

2. Implications / Consequences

3. Solution / Plan of Approach

Page 6: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Challenges

6

Situation / Observation Implication / Consequences

• Need for continuously reviewing the design• Cannot wait for an open time slot with specialists

• Difficult to verify adequate security-/privacy coverage• Difficult to communicate need for a security focus• Difficult to place responsibility for sufficient control

• Security/Privacy (features) should be “owned” by the PO?

• E.g. technical complexity frightens PO from addressing-> assumptions are made on coverage

• Wait until someone else fixes the problem

• Continuous Delivery/Continuous Deployment

• Lacking documentation on security-/privacy requirements (specific for the business)

• Agile manifesto “dictates” (feature) ownership (PO)

• Security features are difficult to understand

• Security is “outside our control”/Not my job

Page 7: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Security Requirements

7

• Control (confidentiality, integrity)• Availability• Privacy (Authorisation)

• Governance○ Confidentiality/Sourcing

• Data Regulation Authorities (National/International)○ GDPR

• Coding guidelines• Test methods• Data classification

End User Req.Company Req.

Laws and Regulations

Best Practices

• Incident reports• Static Analysis• Dynamic Analysis/Testing

Lessons Learned

Page 8: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61 8

Performers/Stakeholders

Product Team

Developers

Test/QA

Security Team

v. 0.9.1a

Lessons Learned!!

Page 9: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Threat Modelling

9

Conclusion: Allows the developers to discover threat earlier!

Security Champions

SPOOFING

TAMPERING

REPUDIATION

INFORMATIONDISCLOSURE

DENIAL OFSERVICE

ELEVATION OFPRIVILEGE

STRIDE

• Provide for security awareness/competency• Implements security/privacy by design• Data flow perspective (relevancy)

Page 10: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Risk Assessment and Mitigation Planning

10

Triggered on incidents

Triggered by (static) security requirements

• Doesn’t necessarily have to be a relevant risk at the time• Requirements may change as security awareness matures

• Relies on bad stuff happening -> #notonmywatch• Only discovered when bad stuff happens!!

Page 11: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

Tracking changes

11

Page 12: Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Position Helpline15,42

Position Helpline

15,42

Position Auxiliary line8,32

Position Auxiliary line5,33

Position Auxiliary line6,61

2019 OKRs

12

Objective : Spread security awareness (identify and report).

KR: Complete a security "hackathon"KR: Number of identified incidents that are actual threats = 100%KR: Register relevant security tests for all managed modules

Objective: Integrate security management into development process

KR: Compete 1 threat modelling workshop with all Security ChampionsKR: Introduce static code analysis for all managed repositoriesKR: Create tests for all identified threat scenariosKR: Complete risk assessment and mitigation planning with all employees


Arizona drug addiction helpline

Arizona drug addiction helpline

Healthcare
2014 HelpLine Annual Report

2014 HelpLine Annual Report

Documents
Helpline Skills Refresher For Experienced Helpline Workers - Helplines Ireland

Helpline Skills Refresher For Experienced Helpline Workers - Helplines Ireland

Education
Race car helpline

Race car helpline

Technology
Spiritual Helpline

Spiritual Helpline

Health & Medicine
1. 15,42. Draft Policies - April

1. 15,42. Draft Policies - April

Documents
Child Helpline International

Child Helpline International

Documents
Refuah Helpline Auction Booklet

Refuah Helpline Auction Booklet

Documents
certificate of - Flying Helpline

certificate of - Flying Helpline

Documents
Overview Telephone Helpline Online Helpline Text For Info Self-care App Safe HelpRoom

Overview Telephone Helpline Online Helpline Text For Info Self-care App Safe HelpRoom

Documents
Florida depression helpline

Florida depression helpline

Healthcare
CM HELPLINE

CM HELPLINE

Documents
Club Hp Helpline

Club Hp Helpline

Documents
NTSE Helpline

NTSE Helpline

Documents
Helpline and Community Resources · Helpline and Community Resources I. Helpline and Online Counselling Services A. Services for Children and Adolescents Organisation Telephone/ Online

Helpline and Community Resources · Helpline and Community Resources I. Helpline and Online Counselling Services A. Services for Children and Adolescents Organisation Telephone/ Online

Documents
Coronavirus · • Helpline Email: ncov2019@gmail.com • Helpline by Centre: 011-23978046 • Department of Health and Family Welfare Helpline: 1800-180-5145 For further assistance

Coronavirus · • Helpline Email: [email protected] • Helpline by Centre: 011-23978046 • Department of Health and Family Welfare Helpline: 1800-180-5145 For further assistance

Documents
Madadgaar National Helpline

Madadgaar National Helpline

Documents
Preschool Booklet - Helpline Center

Preschool Booklet - Helpline Center

Documents
LEGAL HELPLINE SERVICE FACTSHEET

LEGAL HELPLINE SERVICE FACTSHEET

Documents
SOP for Helpline

SOP for Helpline

Documents
Helpline Counsellors

Helpline Counsellors

Documents
Printer helpline phone number

Printer helpline phone number

Internet
GNYR Help Line Orientation Package€¦ · Web viewGNYR HELPLINE Orientation Package February 2019 Table of Contents Welcome to the Helpline pg2 Orientation checklistpg3 Helpline

GNYR Help Line Orientation Package€¦ · Web viewGNYR HELPLINE Orientation Package February 2019 Table of Contents Welcome to the Helpline pg2 Orientation checklistpg3 Helpline

Documents
Perinatal Anxiety & Depression Helpline

Perinatal Anxiety & Depression Helpline

Documents
TATOC 2015 - The TATOC Consumer Helpline Review by Mark Caldicott, Helpline manager

TATOC 2015 - The TATOC Consumer Helpline Review by Mark Caldicott, Helpline manager

Travel
GOVERNMENTOFKARNATAKA ORDER - COVID HELPLINE …

GOVERNMENTOFKARNATAKA ORDER - COVID HELPLINE …

Documents
SECSE Invitation Package

SECSE Invitation Package

Documents
SECSE Croatia 2016: Invitation Package

SECSE Croatia 2016: Invitation Package

Documents
DoD Safe Helpline

DoD Safe Helpline

Documents
MMSA-Malta Application for SECSE 2013

MMSA-Malta Application for SECSE 2013

Documents