SESSION ID: ASEC-R03

How We Implemented Security in Agile for 20 SCRUMs - and Lived to Tell

Yair Rovek, Security Specialist, LivePerson, @lione_heart

#RSAC

Challenged by Agile

In the Next 45 Min

LivePerson and Application Security

Where Did It All Begin

LivePerson and Agile

Security Checkpoints in the Process

Bringing It All Together in Continuous Integration

Summarize the Challenges

Key Success Factors

LivePerson ID

SaaS platform for creating meaningful connections through real-time engagement

What do we do? How does it work?

Monitor web visitors' behavior (over 1.5 B visits each month)

Conduct behavioral ranking

Provide the engagement platform (over 10 M chats each month)

SaaS & cloud only: security is NOT optional…

From Pen-Testing to SDLC

[Chart: number of new bugs per year (scale 50 to 150) over 2008-2013, annotated with the milestones below]

3rd Party Pen-Testing

Hands-On Training (R&D vs. QA)

Secure Coding Baseline

Enforcement

Dynamic Testing <-> LP Tools

Static Code Analysis

Open Source Coverage

Platform Tests

Simplify & Scale - ESAPI

Who Are the Key Players?

Sales & Product

R&D Scrum Teams

System Architects

Software Architects

Artifact

CI Environment

Production

Agile Framework

[Diagram: the agile framework cycle, including the Retrospective]

Add Security to the Agile Process

Scrum Actions:

Release Planning

Sprint Planning

Coding

Code Freeze

QA – Regression Tests

Release

Security Controls (in the order the slide build adds them to the process):

Security High-Level Design

Guide-in the teams On-Demand

ESAPI & SCA checks for each build

Automated Security Tests (listed twice on the slide)

External Pen-Test

Screening Code in 3D

Delivered

Dependencies and Open Source

Developer Code

ESAPI Building Blocks

Custom Enterprise Web Application

Enterprise Security API:

Authenticator

User

AccessController

AccessReferenceMap

Validator

Encoder

HTTPUtilities

Encryptor

EncryptedProperties

Randomizer

Exception Handling

Logger

IntrusionDetector

SecurityConfiguration

Where Do I Put My Validation?

[Diagram: request flow across Controller, Business Functions and the User Data Layer]

Components: Controller; User Interface; Business Functions; Web Service; Database; Mainframe; File System; User Data Layer; Etc…

Controls placed on the flow: Validate; Encode For HTML; Specific Validate; Any Encoding; Any Interpreter

API Example

Define Relevant Filters

Automated Test Example

Integrating Automated Testing: Example Preventing RegEx DoS and Performance Issues

Black/White Listing

Filter
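As an added illustration of the two preceding slides (validate once at the controller, encode separately for each interpreter, and keep the whitelist filters free of RegEx DoS), the Python below is example code written for this page; it is not LPSAPI, ESAPI or LivePerson code, and the filter names, length limits and sample values are assumptions.

```python
import html
import re
from urllib.parse import quote

# Whitelist filters keyed by input type, in the spirit of ESAPI's Validator.
# Constructed for this example (not LPSAPI or ESAPI rules). Each is one character
# class with one quantifier, so it cannot backtrack catastrophically (RegEx DoS).
FILTERS = {
    "Username":    re.compile(r"[A-Za-z0-9_.-]+"),
    "ChatId":      re.compile(r"[0-9]{1,12}"),
    "ChatMessage": re.compile(r"[\w .,!?'&-]*"),
}

class ValidationError(ValueError):
    pass

def get_valid_input(context, value, type_name, max_length):
    """Validate once at the entry point (the controller), before business logic.
    Length is checked first, so an oversized string never reaches the regex."""
    if value is None:
        raise ValidationError(f"{context}: input missing")
    if len(value) > max_length:
        raise ValidationError(f"{context}: {len(value)} chars exceeds {max_length}")
    if FILTERS[type_name].fullmatch(value) is None:
        raise ValidationError(f"{context}: not in the {type_name} whitelist")
    return value

def is_valid(context, value, type_name, max_length):
    # Boolean form, convenient for automated tests of the filters.
    try:
        get_valid_input(context, value, type_name, max_length)
        return True
    except ValidationError:
        return False

# Encoding is chosen per interpreter at each exit point, never at the entry point.
def encode_for_html(value):
    return html.escape(value, quote=True)

def encode_for_url(value):
    return quote(value, safe="")

def render_chat_message(raw_chat_id, raw_text):
    """Controller-style handler: validate at the boundary, encode per sink."""
    chat_id = get_valid_input("chat id", raw_chat_id, "ChatId", 12)
    text = get_valid_input("chat text", raw_text, "ChatMessage", 500)
    return {
        "html": f'<p data-chat="{encode_for_html(chat_id)}">{encode_for_html(text)}</p>',
        "link": f"/chat/{encode_for_url(chat_id)}?q={encode_for_url(text)}",
    }
```

The same validated value is encoded twice, once per interpreter, which is the point of the "Any Encoding / Any Interpreter" box on the slide.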

LivePerson ESAPI Implementation

LivePerson Security API (LPSAPI) - in-house security package based on the ESAPI project

For each product:

Imports LPSAPI

Enforces correct usage via Source Code Analysis (SCA)

Enforce Open Source Policy

Test your infra BB (building blocks)

CI Environment

Pipeline stages: Develop Code; Commit; Source Control (SVN); TeamCity (Build Trigger); Maven Build Process (Unit tests); Deploy to Test Env; Report & Notify; Publish to Release Repository; Deploy to Production

Security in CI Environment

The same pipeline, with SCA, Dynamic and OS (open source) checks added to the build

One Dashboard

Results are integrated within TeamCity

Dive into the Results

Results are integrated within the CI environment

Developer has all the required info.

No need to involve the Security Team

Challenges

Management

Developers

Technology

HR

Formal Training vs. Coaching and Continuous Education

Scale

PenTest Quality

Key Success Factors: Secure Agile Development

Identify the process within R&D and set a plan to become part of it

Set a Security Package API to be consumed by every code base (ESAPI, AntiSamy, CSRF Guard)

Screen and enforce your policy on your code, Open Source and platform

Use automation to collaborate with the security dynamic test

Allow customers to run a pen test and work as a community to succeed

Key Success Factors

Engage tech leaders as security champions by showing them the value

Train developers on a regular basis

Create a knowledge base and discussions around security

Break the build for any “High” or “Medium” findings

Start small but think big
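One way to implement the "break the build on High or Medium" rule from the list above, over the SCA, dynamic and open-source results the CI slides feed into TeamCity: an added Python example for this page, not LivePerson's or TeamCity's own code; the report format, rule ids, component names and CVSS thresholds are assumptions.

```python
import json

# Constructed sample of the combined scan output a build step might receive after
# the SCA, dynamic and open-source checks ran (hypothetical format, not any tool's).
SAMPLE_REPORT = json.dumps({
    "sca": [
        {"rule": "SQL_INJECTION", "severity": "High", "where": "ChatDao.java:88"},
        {"rule": "MISSING_ENCODER", "severity": "Medium", "where": "ChatView.jsp:12"},
        {"rule": "MISSING_ENCODER", "severity": "Medium", "where": "ChatView.jsp:12"},
        {"rule": "UNUSED_IMPORT", "severity": "Low", "where": "Util.java:3"},
    ],
    "dynamic": [
        {"rule": "XSS_REFLECTED", "severity": "HIGH", "where": "/chat?msg="},
    ],
    "opensource": [
        {"component": "lib-a:1.2.3", "cvss": 7.5},
        {"component": "lib-b:4.5.6", "cvss": 2.1},
    ],
})

BLOCKING = {"high", "medium"}   # the deck's rule: break the build on High or Medium

def cvss_to_severity(score):
    """Map a CVSS base score onto the severity scale the other scanners use."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def normalize(report):
    """Yield (tool, rule, location, severity), one entry per unique finding,
    so the same issue reported twice does not show up twice on the dashboard."""
    seen = set()
    for tool in ("sca", "dynamic"):
        for f in report.get(tool, []):
            key = (tool, f["rule"], f["where"])
            if key not in seen:
                seen.add(key)
                yield key + (f["severity"].lower(),)
    for f in report.get("opensource", []):
        key = ("opensource", "VULNERABLE_COMPONENT", f["component"])
        if key not in seen:
            seen.add(key)
            yield key + (cvss_to_severity(f["cvss"]),)

def gate(report_json):
    """Return the findings that block the build; an empty list means pass."""
    return [f for f in normalize(json.loads(report_json)) if f[3] in BLOCKING]

def build_exit_code(report_json):
    """Non-zero exit status fails the CI build step."""
    return 1 if gate(report_json) else 0
```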

Contact Me! [email protected] @lione_heart

Links to Resources

OWASP – https://www.owasp.org/index.php/Main_Page

Agile & SDLC – http://www.ambysoft.com/essays/agileLifecycle.html

MS SDL – http://www.microsoft.com/security/sdl/default.aspx