5
The AppSec How-To: 10 Steps to Secure Agile Development Security requirements should be considered as addional development checkpoints. Each benchmark needs to be achieved before proceeding to the next stage of an Agile process. For each step in Agile, associate a security milestone that needs to be achieved. Start already at the post-release planning to perform a security high-level design. This includes the following aspects: - Security in code development. For example, inspect the planned applicaon in terms of which APIs are going to be used. - Security in technologies. Idenfy technologies that are going to be used. For example, if system tesng is performed within a Maven process, security tests should be integrated within this system. - Security in features. For example, forecast any problems associated with regulaons. Say, when tracking cookies are used within a product delivered to the UK then prepare compliance to UK privacy regulaons. Source Code Analysis Made Easy 1 www.checkmarx.com In Agile’s fast-paced environment and frequent releases, security reviews and testing sound like an impediment to success. How can you keep up with Agile demands of continuous integration and continuous deployment without abandoning security best practices? Companies have found the following ten practices helpful to achieve a holistic secure Software Development Life Cycle (SDLC) process in an Agile SaaS world. The approaches taken by these companies follow a basic philosophy: keeping security as simple as possible and remove any unnecessary load from the development team. 1 Be part of the process 10 Steps 2 Enforce your policy by using a security package API in each product There are two aspects to this stage: a. Use a security package such as OWASP’s Enterprise Security API (ESAPI). ESAPI is a toolkit which enables the developers to easily consume various ulies. The toolkit provides a variety of out-of-the box ulies such as validators, encoders, encryptors, and randomizers. By using ESAPI, developers do not need to invesgate the best security pracces and spend me researching correct implementaon methods.

10 Steps To Secure Agile Development

Tags:

Embed Size (px)

Citation preview

Page 1: 10 Steps To Secure Agile Development

The AppSec How-To:10 Steps to Secure Agile Development

Security requirements should be considered as additional development checkpoints. Each benchmarkneeds to be achieved before proceeding to the next stage of an Agile process. For each step in Agile, associate a security milestone that needs to be achieved. Start already at the post-release planning to perform a security high-level design. This includes the following aspects: - Security in code development. For example, inspect the planned application in terms of which APIs are going to be used. - Security in technologies. Identify technologies that are going to be used. For example, if system testing is performed within a Maven process, security tests should be integrated within this system. - Security in features. For example, forecast any problems associated with regulations. Say, when tracking cookies are used within a product delivered to the UK then prepare compliance to UK privacy regulations.

Source Code Analysis Made Easy

1www.checkmarx.com

In Agile’s fast-paced environment and frequent releases, security reviews and testing sound like an impediment to success. How can you keep up with Agile demands of continuous integration and continuous deployment without abandoning security best practices?

Companies have found the following ten practices helpful to achieve a holistic secure Software Development Life Cycle (SDLC) processin an Agile SaaS world. The approaches taken by these companies follow a basic philosophy: keeping security as simple as possible and remove any unnecessary load from the development team.

1 Be part of the process

10 Steps

2 Enforce your policy by using a security package API in each product

There are two aspects to this stage:a. Use a security package such as OWASP’s Enterprise Security API (ESAPI). ESAPI is a toolkit which enables the developers to easily consume various utilities. The toolkit provides a variety of out-of-the box utilities such as validators, encoders, encryptors, and randomizers. By using ESAPI, developers do not need to investigate the best security practices and spend time researching correct implementation methods.

Page 2: 10 Steps To Secure Agile Development

Source Code Analysis Made EasyConsider hashing, as an example. Instead of relying on the developer to add a hash salt, the salt can already be implemented as part of the ESAPI configuration. The developer, in turn, is left simply to consume the provided API.

Particular emphasis should be made on validators because these prevent the most common Web application vulnerabilities, such as SQLi and XSS. Each organization needs to evaluate where to integrate the validators. Some businesses may decide to apply validators on the controller level (e.g. on the Apache layer or within the Tomcat filter). Other companies prefer to integrate validators within the development code to test each input. While each company needs to decide the right strategy for them, we have found that many companies choose to validate each input within their code. This decision is based on two main reasons: • All the regular expressions that are written to validate the input can be constructed as simple as possible in order to avoid any type of performance issue. These regular expressions are actually more similar to a business-oriented validation.• In case a problem arises- or a specific validator needs to be changed- only the specific input needs to be changed. On the other hand, a higher level validator requires a whole QA process to verify the entire system. One organization we worked with took code-level validation one step further. The particular organization implemented a validator that does not return the traditional true/ false boolean values, but rather returns null if the input is invalid. In this manner, the security team was able to prevent developers from mistakenly using that same value later on in the code.

b. Validate that the developers are using the right API. For each input, ensure that the developer uses the right validator as provided by the security team. This entails failure of the security test in case the developer chooses not to use the API. Enforcement can be achieved through source code analysis that is customized to the security team’s requirement.

Enforcing the security policy means that the developers cannot proceed with the build process if thechecked in code does not comply with policy. To keep up with the fast-paced development environment, the developers must be able to consume the policy without a long training period.

The way to address this challenge is by integrating SCA within the different stages of the development process. Particular aspects to pay attention to are: - Integrating the SCA within the build automation tool (such as Maven). Organizations typically run the SCA in two modes. The first is running the scan as incremental tests each time the developer performs a commit. In this way, only the change between the last scan and the current scan is checked. The second is running a full security scan within a full-system test, say during the nightly build. If the build fails, the developer has to fix the flaw before continuing with the development. - Presenting SCA findings within the build management and Continuous Integration server (such as within TeamCity). In case of an SCA alert, it’s more efficient for the developer to click on the finding and dynamically identify the specific vulnerability.

2www.checkmarx.com

3 Integrate Source Code Analysis (SCA) within the native processof code management

Page 3: 10 Steps To Secure Agile Development

- Enhancing the SCA with a knowledge base for the developer. Similarly to a developer fixing a compilation error, the developer needs to know how to fix the faulty code. For this, the SCA tool should also contain a knowledge base which describes the risk and the proper remediation advice.

Source Code Analysis Made Easy

3www.checkmarx.com

4 Break the build for any “high” or “medium” findings

Do not compromise security by releasing a product that contains any high or medium findings. This requires eliminating the flaw already at the build process. Meaning, if the developer checks in a few high security bugs, the build will break. Unless the vulnerabilities are fixed, the developer fails to build a package.

5 Use automation to collaborate with the security dynamic test

Dynamic testing within the product can be implemented through positive and negative unit tests. - Use positive testing to validate the input. For instance, a positive test validating input in the form of an email address will test that the characters “@” and “.” appear, but no other special characters. - Complement the positive test through a negative test. The negative test should “pick up” all input that does not conform to the positive test. Using the above scenario, an email address embedding a SQL Injection will be caught by the negative test. Essentially, the complementary negative test acts as the dynamic test.

6 Run a penetration test

Engage both professional and your customers as penetration testers: - Perform a penetration testing of the final product by an external vendor. This includes an automated or manual test of the product once it’s released in its Alpha stage. - Allow customers to run a penetration test and work as a community to succeed. The organization must perform all the necessary steps in order to release a secure product. That said, many customers are themselves subjected to regulation which requires running penetration testing on third-party products. The benefit to you? Gaining customer confidence. This is particularly important when talking about Software-as-a-Service (SaaS) products whose success is based on the trust that customers put on their providers.

Page 4: 10 Steps To Secure Agile Development

Source Code Analysis Made Easy

4www.checkmarx.com

7 Engage technology leaders as security champions by showing them the value

Even with large security teams, it is obvious that developers outnumber the security team. To extend security’s outreach, engage with the technology leaders and place them as the security champions. Gaining such cooperation with R&D guarantees that also when security is not physically present, security does come up in each and every scrum meeting.

8 Train developers on a regular basis

The point here is not necessarily to establish a formal training process where developers are sent to a Web application security course. There are other means for training, such as: - Providing developers with the security knowledge Enhancing the SCA with the knowledge base of a specific vulnerability, as recommended in one of the practices above, is part of this kind of training. By helping developers understand the risk and its mitigation, security awareness increases whereas developers start viewing security and code differently. - Being accessible to developers. Once security becomes an ingrained process, Q&A from the developers begin to pile up at the security team’s desk. The security team should have an open door policy to address all the developers’ concerns.

9 Provide a collaboration platform for security discussions

This practice goes hand in hand with the previous practice on training developers. The point here is to not only accumulate or disseminate information related to security practices. This practice focuses on establishing a security collaboration platform with the intent of sharing information and raising discussions surrounding security issues.

10 Start small but think big

Many of these practices, especially the practice of breaking the build for any “high” or “medium” finding,requires the management and superiors support. We recognize that gaining this type of trust is not an easy goal to achieve. Various companies have found the following steps helpful: - Take one small project and turn it to a success story. Listen to R&D during this process. Learn from mistakes and refine the process moving forward. - With one success story under the belt, move on to a new project. Continue refining, and learning from mistakes. Create 2-3 successful stories. - Review the security bugs that are returned by customers. Compare the number of vulnerabilities in one of these success stories with a different project that does not follow the security practices.

Page 5: 10 Steps To Secure Agile Development

Source Code Analysis Made Easy

5www.checkmarx.com

Show management how these vulnerabilities interfere with the normal delivery and maintenance of the product. - Progress to the big legacy project. At first, don’t break the build for security findings in this big project. It is enough at this stage to identify the gaps, close them and create a program of how development will fix the flaws. - Fix the flaws on the legacy system only after achieving confidence. Fix the flaws on the legacy systems only after understanding how to correctly deliver the security package (such as ESAPI), how to inspect it correctly, and where to correctly apply the validation without any impact to the product. - Proceed to the big project in-making. Naturally, this is the ultimate goal and security should already be integrated within the Agile process. At this step, the validators should already be packaged and set within a single framework.


Secure Your Financial Future In Three Steps

Secure Your Financial Future In Three Steps

Economy & Finance
Secure Agile - coveros.com€¦ · Secure Agile Thomas Stiehm, CTO ... surface to support application risk assessments and to determine appropriate security controls. This includes

Secure Agile - coveros.com€¦ · Secure Agile Thomas Stiehm, CTO ... surface to support application risk assessments and to determine appropriate security controls. This includes

Documents
10 Steps to a Secure WordPress Website

10 Steps to a Secure WordPress Website

Software
Agile traders, Proven Steps

Agile traders, Proven Steps

Documents
Agile Modular Secure Facility (SCIF) Fabrication

Agile Modular Secure Facility (SCIF) Fabrication

Documents
Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Empowering Secure Agile Teamssislab.no/secse/presentations/TSL - Secure Agile... · • Security is “outside our control”/Not my job. Position Helpline 15,42 Position Helpline

Documents
Five Steps to Secure Outsourced Application Development

Five Steps to Secure Outsourced Application Development

Documents
Do Agile Data in Just 5 Shocking Steps!

Do Agile Data in Just 5 Shocking Steps!

Data & Analytics
STEPS TO SECURE GRANT FUNDS - iwla.org

STEPS TO SECURE GRANT FUNDS - iwla.org

Documents
Agile BI: Three Steps to Analytic Heaven

Agile BI: Three Steps to Analytic Heaven

Documents
10 Practical steps for Agile transformation · 10 Practical steps for Agile transformation Nikola Bogdanov, Agile Coach 08/01/2018 Today only: 5 bonus!

10 Practical steps for Agile transformation · 10 Practical steps for Agile transformation Nikola Bogdanov, Agile Coach 08/01/2018 Today only: 5 bonus!

Documents
Agile yes, but secure? - OWASP · PDF fileAgile yes, but secure? OWASP Meeting Stuttgart ... Manifesto for Agile Software Development ... Responding to change over following a plan

Agile yes, but secure? - OWASP · PDF fileAgile yes, but secure? OWASP Meeting Stuttgart ... Manifesto for Agile Software Development ... Responding to change over following a plan

Documents
Cisco Secure Agile Exchange (SAE) Solution Guide

Cisco Secure Agile Exchange (SAE) Solution Guide

Documents
The OWASP Foundation OWASP AppSec Seattle Agile and Secure

The OWASP Foundation OWASP AppSec Seattle Agile and Secure

Documents
Six Steps for Successfully Scaling Agile

Six Steps for Successfully Scaling Agile

Technology
Agile in 10 Easy Steps

Agile in 10 Easy Steps

Documents
PMI Ireland Annual Conference 2012 - Agile First Steps

PMI Ireland Annual Conference 2012 - Agile First Steps

Business
Secure Development LifeCycles (SDLC) · Agile & Secure development: a mismatch ? Secure Development LifeCycles (SDLC) February 2014 40 Agile Dev. Security ... Secure Development LifeCycles

Secure Development LifeCycles (SDLC) · Agile & Secure development: a mismatch ? Secure Development LifeCycles (SDLC) February 2014 40 Agile Dev. Security ... Secure Development LifeCycles

Documents
Secure Agile Development - Securosis - Home · PDF fileFor security features or fixes to ... Secure Agile Development #5. During this amazing period of advancement in software development,

Secure Agile Development - Securosis - Home · PDF fileFor security features or fixes to ... Secure Agile Development #5. During this amazing period of advancement in software development,

Documents
Secure Agile Networks

Secure Agile Networks

Documents
Agile transformation: First Steps

Agile transformation: First Steps

Software
Cisco Secure Agile Exchange Solution verview Cisco ublic ... · Cisco Secure Agile Exchange ... The combination of software and hardware is then ... given that both the consumers

Cisco Secure Agile Exchange Solution verview Cisco ublic ... · Cisco Secure Agile Exchange ... The combination of software and hardware is then ... given that both the consumers

Documents
Forging an agile, secure supply chain - Ernst & Young...Using the following steps, firms can leverage performance improvement and risk management simultaneously to create agile, reliable,

Forging an agile, secure supply chain - Ernst & Young...Using the following steps, firms can leverage performance improvement and risk management simultaneously to create agile, reliable,

Documents
10 Steps to Mainframe Agile Development - NEDB2UG 10 Steps - NEDB2UG.pdf · 1 10 Steps to Mainframe Agile Development Mark Schettenhelm, Sr. Product Manager September 28, 2017

10 Steps to Mainframe Agile Development - NEDB2UG 10 Steps - NEDB2UG.pdf · 1 10 Steps to Mainframe Agile Development Mark Schettenhelm, Sr. Product Manager September 28, 2017

Documents
Gigamon enables your organization become more agile, secure

Gigamon enables your organization become more agile, secure

Documents
Agile Acquisition Roadmap for Secure Cloud & IT Infrastructure

Agile Acquisition Roadmap for Secure Cloud & IT Infrastructure

Documents
Agile steps to improve the status quo

Agile steps to improve the status quo

Education
Congreso CSTIC 2017 Be Agile, Be digital, Be Secure

Congreso CSTIC 2017 Be Agile, Be digital, Be Secure

Documents
9 steps to agile adoption – a proposal

9 steps to agile adoption – a proposal

Technology
Baby steps in an agile world

Baby steps in an agile world

Technology