Toolbox Schema
Architectural Elements: Web Server (generic), Apache (specific), Apache 2.0.29 (instance), IIS (specific)
Toolbox Item: CVE, Policy, CWE, Internal Document, CWE
Lens or Filter: Mitigation (Backlog), Mitigation (Task), Acceptance Criteria (Test), Component Whitelist*
Diagram labels: (CWE) (CWE) (CAPEC) (Policy)
Exercise: The Team
Three dev teams, each with a ScrumMaster
One Product Owner
Shared security consultant
Each dev team has:
  2-3 domain-knowledgeable programmers
  One QA engineer
  One doc writer
  One business analyst
Exercise: Customer Requirements for Online Comment System
Flexible, easy to use, nice looking
User at home or mobile with web browser
Storage in backend processing system
User name and email address stored for later follow-up
User Story: User with web browser enters data into interface and data is stored in backend system.
Acceptance Criteria: Interface works on Windows and Mac
Acceptance Criteria: User data goes from interface to backend
Acceptance Criteria: User interface is visually appealing (focus group)
Epic: User with web browser enters data into interface and data is stored in backend system.
Story A: User enters data into interface (Points: 500)
Story B: UI process sends data to backend store (Points: 200)
Story C: User gets response of successful upload (Points: 100)
Web Browser -> HTTP Server -> Database
Constraint - UI Technology Choices: HTML, Flash
Constraint - Server Technology Choices: LAMP (Linux, Apache, MySQL, PHP)
Constraint - DB Technology Choices: MySQL
Backlogs w/o Toolbox
Product backlog:
  Task 1 (80 pts): Construct Flash UI for user input
  Task 2 (40 pts): Enable connection to server via HTTP
  Task 3 (30 pts): Validate UI input
  Task 4 (30 pts): Write user input to database
Sprint backlog:
  Task S1 (25 pts): Create form with user input fields in Flash/ActionScript
  Task S2 (25 pts): Check input meets type/range criteria
  Task S3 (25 pts): Create submit() function to send user data to server
  Task S4 (25 pts): Accept data from web client and write to database
Acceptance Test: Validate test data is stored in database after user hits submit button
Acceptance Test: Validate user input field accepts only plain text input
Web Browser -> HTTP Server -> Database, with toolbox elements:
User Interface: Flash
Web Server: Apache, Apache 2.0.29
HTML Server: HTTP/1.1
Database: MySQL
Web Server: Apache, Apache 2.0.29
Security Test: Sniffing data communications (CAPEC-157)
Task: Enable port 443 in firewall
Policy: Secure user communications
Component Check: Apache 2.0.29
Backlog: SSLv3/TLSv1
Risk: High
Cost: 10
Acceptance Test: Network vulnerability scan reports 0 critical defects
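As an added illustration (not code from the deck), the following Python models the Toolbox Schema and the lens applied to the Web Server / Apache 2.0.29 example above: elements form a generic/specific/instance hierarchy, toolbox items attach at any level, and the lens resolves an instance to its backlog entries, acceptance tests and whitelist status. The hierarchy, the whitelist and the second toolbox item are constructed, and CVE-XXXX-YYYY is a placeholder rather than a real identifier.

```python
from dataclasses import dataclass

# Constructed hierarchy: instance -> specific -> generic (as on the schema slide).
HIERARCHY = {"Apache 2.0.29": "Apache", "Apache": "Web Server", "IIS": "Web Server"}
# Constructed component whitelist (the schema's "Component Whitelist*" lens).
WHITELIST = {"Apache 2.0.29", "MySQL"}

@dataclass(frozen=True)
class ToolboxItem:
    element: str     # architectural element the item attaches to, at any level
    test: str        # security test (CAPEC) or other reference the item cites
    policy: str
    backlog: str     # Mitigation (Backlog)
    task: str        # Mitigation (Task)
    acceptance: str  # Acceptance Criteria (Test)
    risk: str
    cost: int

# Constructed sample items. The first mirrors the Apache 2.0.29 slide; the second
# is made up to show an item attached at the instance level (placeholder CVE id).
TOOLBOX = [
    ToolboxItem("Web Server", "CAPEC-157 Sniffing data communications",
                "Secure user communications", "SSLv3/TLSv1",
                "Enable port 443 in firewall",
                "Network vulnerability scan reports 0 critical defects", "High", 10),
    ToolboxItem("Apache 2.0.29", "CVE-XXXX-YYYY (placeholder)", "Patch known defects",
                "Upgrade Apache", "Apply vendor patch",
                "Component check reports no open CVEs", "High", 5),
]

def lineage(instance):
    """Walk instance -> specific -> generic, e.g. Apache 2.0.29, Apache, Web Server."""
    chain = [instance]
    while chain[-1] in HIERARCHY:
        chain.append(HIERARCHY[chain[-1]])
    return chain

def apply_lens(instance, toolbox=TOOLBOX, whitelist=WHITELIST):
    """Collect items attached anywhere along the lineage and emit backlog entries,
    highest risk first and cheapest first within a risk; flag non-whitelisted parts."""
    levels = set(lineage(instance))
    order = {"High": 0, "Medium": 1, "Low": 2}
    items = sorted((i for i in toolbox if i.element in levels),
                   key=lambda i: (order.get(i.risk, 3), i.cost))
    entries = [{"component": instance, "source": i.test, "policy": i.policy,
                "backlog": i.backlog, "task": i.task, "acceptance": i.acceptance,
                "risk": i.risk, "cost": i.cost} for i in items]
    return {"whitelisted": instance in whitelist, "entries": entries}
```

Calling apply_lens("Apache 2.0.29") yields both the generic sniffing item and the instance-level item, while apply_lens("Apache") picks up only the generic one and is flagged as not whitelisted.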
Sprint 1
Without Toolbox: Flash UI -> HTTP/1.1 -> Apache -> MySQL
With Toolbox: Flash UI -> HTTP/1.1 over SSLv3, tcp/443 -> Apache 2.0.29 -> MySQL
Now when you play that game...
Give teams hints to predict how the pieces come together
Avoid blank spaces
Avoid technical debt
Don't defer security
References
Keramati, H.; Mirian-Hosseinabadi, S.H. Integrating Software Development Security Activities with Agile Methodologies. IEEE, 2008.
Siponen, M.; Baskerville, R.; Kuivalainen, T. Integrating Security into Agile Development Methods. IEEE, 2005.
Common Weakness Enumeration (CWE): http://cwe.mitre.org/
Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/
Common Vulnerability Enumeration (CVE): http://cve.mitre.org/
Microsoft Security Development Lifecycle (SDL): http://go.microsoft.com/?linkid=9769715
Security Toolbox Discussion: Q & A

Future Topics: Areas for additional work
Adding and removing knowledge
Security knowledge as 'facts'
Apache X.Y.Z is vulnerable to a buffer overflow via the HTTP version field (CVE-AAAA-BBBB):