1 SECURITY BY DESIGN in an Agile environment
Security by Design: Easy talking???
DevOn summit March 30 2017
Arjan van Breemen
March 23, 2017
"Anticipate the difficult by managing the easy" (Lao Tzu)
Slide 2
Before starting: A short introduction
• Arjan van [email protected]
• Current role: Security Officer
• Ambition: Embedding a security, privacy and compliance attitude in an Agile / DevOps work environment including a safety net in case of “mistakes”
• Environment: and
• Started April 2014 with a lot of freedom, with (currently) 250 colleagues and 35 scrum teams; per April 2017, 90 and > 600 colleagues.
Slide 3
Security challenges outside ...
• As a security guard you must defend against all attacks
• As an attacker, only one successful attack is needed for a breakthrough
ISF Threat Horizon 2019
Slide 4
as well as inside
Power to the process
Slide 5
The situation
• Security a necessity through the centuries
• Cyber threats: It's not about IF, but about WHEN
• The race between attacker and target is a never ending story
• Innovation activities distributed over teams
• Different awareness / knowledge of security
• Frequent releases with minimum valuable products
• Different level of risks
SO:
• You cannot protect the organization from cyber threats
• There are a lot of things in the organization you cannot influence
• FACE THOSE FACTS, start the journey, learn and adapt
Slide 6
Need for a change: From this (image) ... To this (image)
Slide 7
While preventing this (image) ... or this (image)
Slide 8
And aware of this: Agile KANO model (diagram; "Area we are working in")
Security by Design, not only a process but an interplay between:
• Awareness, knowledge, architecture, process and requirements
• CISO, Security experts, teams and business
Based on support and transparency
Slide 9
So, how to start??? The basic essentials:
• Organize
• Risk based
• Process & tools
• Active Support
• Open your eyes
• Prevent
• And react fast
• Architecture
Slide 10
How to organize
Basic knowledge of security covered within teams. Product Owner accountable for complying with policy. If security threats have medium impact then a "Trusted person" (Security specialist) is involved. If security threats have High impact then a Policy advisor is additionally involved and is thereby an important stakeholder for the Product owner.
(Diagram: three knowledge levels mapped to LOW / MEDIUM / HIGH risk, with KSP as input and the Product as output)
• Scrum Team: Basic Knowledge
• "Trusted person": Knowledge +
• CISO Policy Advisors: Knowledge ++ (Interpretation of the Policy)
• Implementation of the policy
• Portal Authority (part of CISO Red Team): Penetration test (prod)
Slide 11
Organisation: From control to support
Slide 12
Risk Based approach
(Diagram: risk profiling of the SCRUM TEAM and of the Architecture determines the level of extra measures)
• Low: No extra security measures or internal checks by scrum teams
• Medium: Trusted person involved. VA_CR during sprint
• High: Trusted person & PA involved. VA_CR during sprint
Risk profiling, SCRUM TEAM: • Awareness • Process • Change scope
Risk profiling, Architecture: • Location of application in architecture • Sensitivity of information processed/stored
Important questions to ask:
• How mature is this team concerning security during their innovation lifecycle?
• What is the "security sensitivity" of the applications they are working on?
• What is the "security health" of the applications they are working on?
Slide 13
Risk based approach
(Diagram: Scrum team 1, 2, ... each with a Backlog and an ARSA, flowing through Build / Test to Prod; "Pen Test" / CR_VA results are checked by the Red Team before Final Security approval. Tools: KSP requirement tool, Classification tool, Maturity Tool (quarterly), Abuse cases, Threat analysis.)
ARSA: Agile Risk Self Assessment
Code Review / Vulnerability Assessment by 3rd party (iLionx) or internal (Burp Suite)
"Pen Test" by Red Team: periodically (quarterly)

High Security Risk: New systems and / or major functional changes on existing systems
• Risk & Requirements: 1. KSP Req tool 2. Threat Analysis 3. Abuse cases
• "Test / Review": 1. Trusted person involved 2. CR / VA by 3rd party
• Approval: 3. Final Check PA

Medium Security Risk: Medium functional changes on existing systems
• Risk & Requirements: 1. KSP Req tool 2. Threat Analysis 3. Abuse cases
• "Test / Review": 1. Trusted person involved 2. CR / VA by 3rd party
• Approval: 3. Final Check Sec. Officer Digital

Low Security Risk: Changes on existing systems within existing functionality
• Risk & Requirements: 1. KSP Req tool 2. Threat analysis
• "Test / Review": 1. No extra steps necessary or internal scan (VA)
• Approval: 2. Final Check Scrum Team
Slide 14
Process: Based on KPN Security Policy (KSP)
(Diagram: process flow with steps numbered 1 to 10)
Scope relevant KSP items → Classify → Risk Analyse → Determine extra requirements
• Organisation level: KSP scanned on areas applicable (organisation, process, functional) and on requirements. Online: High (Sec / BCM); C&C: High (Privacy / BCM); BI: High (Privacy / BCM)
• Team level
• Sprint level (during backlog refinement): Result depends on user story / sprint content. If result High: extra process steps (CR/VA) or specs for the sprint / user story
• Input: KSP, Proj. Class. tool, ASRA
• Update BCM plan
• Quality Assurance
• If requirements cannot be met: Exception handling
Roles: Trusted Person + support; Product Owner + Team; Support from Trusted person
Tools: Classification tool (KSP FA06 template); Requirements selection tool (KSP FA06 template)
ASRA: Agile Self Risk Assessment; CR: Code Review; VA: Vulnerability Assessment
Split your policies. KSP: Github.com KPN-CISO/kpn-security-policy
Slide 15
Process: 2 important items...
Slide 16
What to do? If requirements are not met
Slide 17
Agile Self Risk Assessment (ASRA): What does this look like?

Action code   Required action
Nothing       No action required
CR            Code review with focus on security issues
VA            Vulnerability Assessment; scan on common security risks by security testers
PT            Full-scale penetration test by CISO RedTeam

Application                                                                        Application Risk
Open pages without forms                                                           0
Open pages with forms                                                              1
Mobile apps without user login                                                     2
Closed environment with single customer information (e.g. mijnKPN)                 3
Closed environment with multiple customer information (customer support portals)   4

Change Type                                                                                       Change Risk
Layout / content only                                                                             0
New data only (e.g. new field on form)                                                            1
Changes in web server configuration, SSL, etc; New connections (webservices, API, etc) to intranet   2
New functionality, new authorisation roles, etc                                                   3
New connections (webservices, API, etc) to internet                                               4

Poker Session Risk Assessment (rows: Application Risk, columns: Change Risk)
Application Risk   Change Risk 0   1         2         3              4
4                  CR              CR + VA   CR + VA   CR + VA + PT   CR + VA + PT
3                  CR              CR + VA   CR + VA   CR + VA + PT   CR + VA + PT
2                  Nothing         CR        CR + VA   CR + VA + PT   CR + VA + PT
1                  Nothing         CR        CR + VA   CR + VA        CR + VA + PT
0                  Nothing         CR        CR + VA   CR + VA        CR + VA
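The ASRA lookup above, as an added example that is not part of the original deck or of KPN's tooling: it encodes the two scoring tables and the poker matrix, scores a sprint by its riskiest change, and checks that the matrix never demands fewer actions as risk rises. The dictionary keys are shortened labels of the slide's categories (an assumption); action sets are returned so a backlog tool could attach them to a user story.

```python
# Added example: automating the slide-17 ASRA lookup (not the deck's own code).
from itertools import product

# Application risk classes and change risk classes from the slide (keys shortened)
APPLICATION_RISK = {
    "open pages without forms": 0,
    "open pages with forms": 1,
    "mobile apps without user login": 2,
    "closed environment, single customer information": 3,
    "closed environment, multiple customer information": 4,
}
CHANGE_RISK = {
    "layout / content only": 0,
    "new data only": 1,
    "web server configuration / SSL change": 2,
    "new connection to intranet": 2,
    "new functionality / new authorisation roles": 3,
    "new connection to internet": 4,
}

# Poker session matrix: MATRIX[application_risk][change_risk]; "-" means Nothing
MATRIX = [
    ["-",  "CR",    "CR+VA", "CR+VA",    "CR+VA"],     # application risk 0
    ["-",  "CR",    "CR+VA", "CR+VA",    "CR+VA+PT"],  # application risk 1
    ["-",  "CR",    "CR+VA", "CR+VA+PT", "CR+VA+PT"],  # application risk 2
    ["CR", "CR+VA", "CR+VA", "CR+VA+PT", "CR+VA+PT"],  # application risk 3
    ["CR", "CR+VA", "CR+VA", "CR+VA+PT", "CR+VA+PT"],  # application risk 4
]

def required_actions(app_risk: int, change_risk: int) -> frozenset:
    """Action codes for one matrix cell; an empty set means 'Nothing'."""
    if not (0 <= app_risk <= 4 and 0 <= change_risk <= 4):
        raise ValueError("risk scores must be in 0..4")
    cell = MATRIX[app_risk][change_risk]
    return frozenset() if cell == "-" else frozenset(cell.split("+"))

def assess_sprint(application: str, changes) -> dict:
    """Score a sprint: the application's class combined with its riskiest change."""
    if not changes:
        raise ValueError("a sprint needs at least one change type")
    app_risk = APPLICATION_RISK[application]
    worst = max(changes, key=lambda c: CHANGE_RISK[c])  # highest change risk wins
    change_risk = CHANGE_RISK[worst]
    return {"application_risk": app_risk, "change_risk": change_risk,
            "driving_change": worst, "actions": required_actions(app_risk, change_risk)}

def matrix_is_monotonic() -> bool:
    """Sanity check on the table: more risk must never mean fewer actions."""
    rank = {frozenset(): 0, frozenset({"CR"}): 1,
            frozenset({"CR", "VA"}): 2, frozenset({"CR", "VA", "PT"}): 3}
    for a, c in product(range(5), range(5)):
        here = rank[required_actions(a, c)]
        if a < 4 and rank[required_actions(a + 1, c)] < here:
            return False
        if c < 4 and rank[required_actions(a, c + 1)] < here:
            return False
    return True
```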
Slide 18
Active Support: You are there to support the teams
Help teams & stakeholders.
• Balance the "need to protect the organization" against "the need to run the business"
• Every team member is responsible for security. So coach
• Security skills are embedded in the teams, so teach
• And above all: Always react fast and direct, so be alert
And beside this, start with:
• Putting together an overall security view
• Actively inform stakeholders (management / CISO)
• Connect frequently with teams, architects, testers and business
• Give feedback to teams concerning operational issues
• Let awareness grow by posting items from security forums
Slide 19
Support from management. Important: Yes, but this should be enough
(Image: "Security: Do or Die")
Slide 20
Lessons Learned
• A strong team (trusted person) able to balance business benefit versus security risk is a must;
• Make sure Privacy by Design activity / tools fit in the primary workflow of the teams;
• Support teams on their request;
• Make sure there are requirements;
• Be transparent in communication, also if requirements are not met or you are not able to decide about a certain risk
Slide 21
Thank you for your attention