Microsoft SDL: Agile Development - OWASP


Microsoft SDL: Agile Development
OWASP, November 11, 2010
Nick Coblentz, CISSP, Microsoft MVP
Senior Security Consultant, AT&T Consulting

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org

Bio

AT&T Consulting: Application Security
- Penetration testing
- Code review
- Architecture and design reviews
- Application security program development
- Secure development methodology improvement

Research & Presentations
- OWASP AppSec Research & Ireland 2010 conferences
- ISSA Journal: Web Application Security Portfolios
- SAMM Interview Template
- Reducing Info Disclosure in ASP.NET Web Services and WCF Data Services
- Turn Application Assessment Reports into Training Classes
- Observed Secure Software Development Stages
- Vulnerability Tracking, Workflow, and Metrics with Redmine
- Using Microsoft's AntiXSS Library 3.1

“Agile hurts secure code development.” (Adrian; source link truncated in the transcription: nd-security/)

Microsoft SDL For Agile Released (slide image; source link truncated in the transcription)

Microsoft SDL

Microsoft Security Development Lifecycle (SDL)

Components:
- Best practices
- Processes
- Standards
- Security activities
- Tools

Goal: “minimize security-related vulnerabilities in the design, code, and documentation and to detect and eliminate vulnerabilities as early as possible in the development life cycle.”

Which Software?

SDL applies to software that:
- Is used in business environments
- Stores or transmits PII
- Communicates over the Internet or other networks

Source: Microsoft’s product website

SDL Principles and Process

SD3+C
- Secure by Design
- Secure by Default
- Secure in Deployment
- Communications

PD3+C
- Privacy by Design
- Privacy by Default
- Privacy in Deployment
- Communications

What is Agile Development?
Source: http://www.scrumalliance.org/pages/what_is_scrum

[Slide: SDLC (Waterfall) timeline: Requirements, Implementation, Release and Response phases laid end to end across the calendar months of a single release (April through December)]

[Slide: “This Is NOT Agile”: the full waterfall sequence (Training, Requirements, Implementation, Verification, Release, Response) simply repeated back to back in shorter cycles]

[Slide: Agile Development: Sprint 1 and Sprint 2 (starting in January) each deliver a handful of user stories (User Story 1 through User Story 8), with an unfinished story (User Story 5, cont.) carried into the next sprint]

Agile Development
- Cross-functional, self-organizing teams
- Short, time-boxed development iterations
- Delivery of small functional stories
- No extensive up-front design or documentation

Source: http://www.scrumalliance.org/pages/what_is_scrum

[Slides: “Planning and ...”, “Planning and Design”, “User Stories and ...”: image-only slides, titles partly truncated in the transcription]

SDL Security Activities
Source: Simplified Implementation of the Microsoft SDL

SDL Security Activities by phase

- Training
- Requirements: Security Requirements; Quality Gates/Bug Bars; Security and Privacy Risk Assessment
- Design: Design Requirements; Attack Surface Reduction; Threat Modeling
- Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
- Verification: Dynamic Program Analysis; Fuzz Testing; Threat Model and Attack Surface Review
- Release: Incident Response Plan; Final Security Review; Release/Archive
- Optional Activities: Manual Code Review; Penetration Testing; Vulnerability Analysis of Similar Applications

Traditional SDL Pain Points for Agile
- Can’t complete all SDL activities in each sprint
- Requirements, architecture, and design evolve over time
- The threat model and its documentation become dated quickly
- Data sensitivity, protection requirements, and connections to third parties may not be known up front
- Teams don’t include application security specialists

Microsoft SDL For Agile Development

SDL requirement categories:
- Every-Sprint
- Bucket: Verification Tasks, Design Review Tasks, Response Planning Tasks
- One-Time

Source: Microsoft SDL v4.1a

Every-Sprint SDL Requirements

“...so essential to security that no software should ever be released without these requirements being met.”

Examples:
- Update the threat model
- Communicate privacy-impacting design changes to the team’s privacy advisor
- Fix all issues identified by code analysis tools for unmanaged code
- Follow input validation and output encoding guidelines to defend against cross-site scripting attacks

Bucket SDL Requirements
- Teams prioritize the pool of tasks over many sprints
- Each sprint, one task from each bucket is completed
- Each task must be completed at least every six months

Examples:
- Security Verification Tasks: run fuzzing tools; manual and automated code review
- Design Review Tasks: conduct privacy review; in-depth threat model
- Response Planning Tasks: define security/privacy bug bar; create support documents

One-Time Requirements

Why a separate category?
- Repetition is not necessary
- Some must occur at the beginning of the project
- Some are not possible at the beginning of the project

Examples (with deadlines):
- Configure bug tracking system (3 months)
- Identify security/privacy experts (1 month)
- Baseline threat model (3 months)
- Establish a security response plan (6 months)

[Slides: SDL-Agile Appendix; SDL-Agile Appendix: Deadlines (table images)]

Final Security Review
- Occurs at the end of every sprint

Checklist:
- All every-sprint requirements have been completed
- No one-time requirements have exceeded their deadline
- At least one requirement from each bucket category has been completed
- No bucket requirements exceed the six-month deadline
- No security or privacy bugs are open that exceed the severity threshold
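The three requirement categories and the Final Security Review checklist above amount to a release gate a team can evaluate mechanically at the end of each sprint. The following is an added example, not code from the deck or from Microsoft: it encodes the checklist over a task list and a bug list. Task names follow the deck's examples, but the dates, deadlines and bug-bar numbers are constructed; it also assumes that one-time deadlines count from project start, that a bucket task which has never run is due six months after project start, and that a higher severity number means a more severe bug.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the deck): sprint-end gate for the SDL-Agile Final Security Review.
// Assumptions: one-time deadlines run from project start; a never-completed bucket task is
// due six months after project start; higher Severity = more severe bug.
public enum Category { EverySprint, VerificationBucket, DesignBucket, ResponseBucket, OneTime }

public class SdlTask
{
    public string Name;
    public Category Category;
    public DateTime? LastCompleted;    // null: never completed
    public int DeadlineMonths;         // one-time tasks only, counted from project start
}

public class SecurityBug
{
    public string Id;
    public int Severity;               // 4 = critical, 3 = important, 2 = moderate, 1 = low
    public bool Open;
}

public static class FinalSecurityReview
{
    const int BucketMaxMonths = 6;

    // Returns the checklist failures; an empty list means the sprint may ship.
    public static List<string> Evaluate(List<SdlTask> tasks, List<SecurityBug> bugs,
        DateTime projectStart, DateTime sprintStart, DateTime sprintEnd, int severityThreshold)
    {
        var failures = new List<string>();

        // 1. Every-sprint requirements must have been completed inside this sprint.
        foreach (var task in tasks.Where(t => t.Category == Category.EverySprint))
            if (!DoneBetween(task, sprintStart, sprintEnd))
                failures.Add("every-sprint task not done this sprint: " + task.Name);

        // 2. No one-time requirement may be past its deadline.
        foreach (var task in tasks.Where(t => t.Category == Category.OneTime))
            if (task.LastCompleted == null && sprintEnd > projectStart.AddMonths(task.DeadlineMonths))
                failures.Add("one-time task past deadline: " + task.Name);

        // 3. One task per bucket this sprint, and 4. no bucket task older than six months.
        foreach (var bucket in new[] { Category.VerificationBucket, Category.DesignBucket, Category.ResponseBucket })
        {
            var inBucket = tasks.Where(t => t.Category == bucket).ToList();
            if (!inBucket.Any(t => DoneBetween(t, sprintStart, sprintEnd)))
                failures.Add("no task completed this sprint from " + bucket);
            foreach (var task in inBucket)
            {
                var due = (task.LastCompleted ?? projectStart).AddMonths(BucketMaxMonths);
                if (sprintEnd > due)
                    failures.Add("bucket task past six-month deadline: " + task.Name);
            }
        }

        // 5. No open security/privacy bug at or above the bug-bar threshold.
        foreach (var bug in bugs.Where(b => b.Open && b.Severity >= severityThreshold))
            failures.Add("open bug at or above severity threshold: " + bug.Id);

        return failures;
    }

    static bool DoneBetween(SdlTask task, DateTime from, DateTime to)
    {
        return task.LastCompleted != null && task.LastCompleted.Value >= from && task.LastCompleted.Value <= to;
    }

    public static void Main()
    {
        // Constructed sample: a project started in January, evaluated at the end of a September sprint.
        var projectStart = new DateTime(2010, 1, 4);
        var tasks = new List<SdlTask>
        {
            new SdlTask { Name = "Update the threat model", Category = Category.EverySprint, LastCompleted = new DateTime(2010, 9, 15) },
            new SdlTask { Name = "Fix code analysis tool findings", Category = Category.EverySprint, LastCompleted = new DateTime(2010, 8, 20) },
            new SdlTask { Name = "Run fuzzing tools", Category = Category.VerificationBucket, LastCompleted = new DateTime(2010, 9, 14) },
            new SdlTask { Name = "Manual code review", Category = Category.VerificationBucket, LastCompleted = new DateTime(2010, 2, 10) },
            new SdlTask { Name = "Conduct privacy review", Category = Category.DesignBucket, LastCompleted = new DateTime(2010, 9, 10) },
            new SdlTask { Name = "Define security/privacy bug bar", Category = Category.ResponseBucket, LastCompleted = new DateTime(2010, 7, 1) },
            new SdlTask { Name = "Configure bug tracking system", Category = Category.OneTime, DeadlineMonths = 3, LastCompleted = new DateTime(2010, 3, 1) },
            new SdlTask { Name = "Establish a security response plan", Category = Category.OneTime, DeadlineMonths = 6 }
        };
        var bugs = new List<SecurityBug>
        {
            new SecurityBug { Id = "SEC-101", Severity = 4, Open = true },
            new SecurityBug { Id = "SEC-102", Severity = 1, Open = true }
        };
        var failures = Evaluate(tasks, bugs, projectStart, new DateTime(2010, 9, 6), new DateTime(2010, 9, 17), severityThreshold: 3);
        Console.WriteLine(failures.Count == 0 ? "FSR passed" : "FSR failed:");
        foreach (var f in failures) Console.WriteLine("  " + f);
    }
}
```

With the sample data the gate fails on five counts: an every-sprint task last done in the previous sprint, a one-time response plan that was due in July, a manual code review older than six months, no response-planning task in this sprint, and an open critical bug above the bug bar. Wiring `Evaluate` to the team's tracker is what turns the checklist into a quality gate rather than a slide.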

[Slides: sprint-by-sprint view of SDL-Agile tasks: every-sprint requirements in each sprint; one verification, one design-review and one response-planning bucket task per sprint; one-time tasks drawn from the backlog; a Final Security Review closing each sprint]

Making SDL-Agile Manageable
- Documented standards
- Security training
- Automation
  - Continuous integration
  - Secure configuration
  - Security unit tests
  - Automated secure code analysis
  - Automated deployment and vulnerability scanning
- Process
  - Continuous updates to the threat model
  - SDL process templates for VSTS
  - MSF-Agile SDL Process Template: light on security artifacts/documentation

Making SDL-Agile Manageable: Tooling
- Code analysis/scanning
  - CAT.NET
  - MiniFuzz
  - BinScope Binary Analyzer
  - Fiddler with Watcher
  - FxCop
  - Microsoft Threat Modeling Tool

[Slide: CAT.NET report showing a cross-site scripting finding (screenshot)]

Making SDL-Agile Manageable: Libraries
- Web Protection Library (WPL)
  - Encoder / Anti-XSS Library
  - Security Runtime Engine (SRE)
  - Sanitizer.GetSafeHTML

[Slide: Web Protection Library Encoder (screenshot)]

The Security Runtime Engine (SRE)
- “The Security Runtime Engine (SRE) is an HTTP module that acts like a gatekeeper to protect ASP.NET web applications from cross-site scripting (XSS) attacks.”
- “It works by inspecting each control that is being reflected by ASP.NET and then automatically encoding data of vulnerable controls in their appropriate context.”
- SRE Configuration Editor GUI tool

[Slides: Security Runtime Engine configuration editor (two screenshots)]
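The every-sprint requirement to follow output encoding guidelines, the WPL Encoder and Sanitizer listed under Libraries, and the SRE's phrase “in their appropriate context” all describe the same defence. As an added example (not code from the deck, from Microsoft, or from the WPL itself), the block below places one untrusted value into four output contexts by raw concatenation, which is the pattern CAT.NET reports, and then again with one WPL encoder per context. It assumes the AntiXSS 4.x assembly (namespace Microsoft.Security.Application) is referenced; the payload and the markup are constructed for the example.

```csharp
using System;
using Microsoft.Security.Application;   // WPL / AntiXSS: Encoder and Sanitizer

// Added example (not from the deck): the same untrusted value in four output contexts,
// reflected raw and then encoded per context with the WPL Encoder. Assumes AntiXSS 4.x.
public static class EncodingContexts
{
    // Vulnerable: the value lands verbatim in an attribute, an element body,
    // a JavaScript string literal and a query-string parameter.
    public static string RenderUnsafe(string userName)
    {
        return "<div title=\"" + userName + "\">" + userName + "</div>"
             + "<script>var who = '" + userName + "';</script>"
             + "<a href=\"/profile?u=" + userName + "\">profile</a>";
    }

    // Hardened: one encoder per context. HtmlEncode alone does not make a value safe
    // inside an attribute, a script block or a URL, which is why the SRE encodes
    // controls "in their appropriate context" rather than applying one transformation.
    public static string RenderSafe(string userName)
    {
        return "<div title=\"" + Encoder.HtmlAttributeEncode(userName) + "\">"
             + Encoder.HtmlEncode(userName) + "</div>"
             // JavaScriptEncode(string) wraps its output in single quotes itself.
             + "<script>var who = " + Encoder.JavaScriptEncode(userName) + ";</script>"
             + "<a href=\"/profile?u=" + Encoder.UrlEncode(userName) + "\">profile</a>";
    }

    // Rich text the user is allowed to format: keep harmless markup, drop active content.
    // GetSafeHtmlFragment is the sibling of the Sanitizer.GetSafeHtml call named on the slide.
    public static string RenderUserHtml(string fragment)
    {
        return Sanitizer.GetSafeHtmlFragment(fragment);
    }

    // True when the rendered page still contains the attacker's markup unchanged.
    public static bool ReflectsRaw(string rendered, string payload)
    {
        return rendered.Contains(payload);
    }

    public static void Main()
    {
        // Constructed payload: closes the attribute or string it lands in, then injects a script element.
        string payload = "\"><script>alert(1)</script>";
        Console.WriteLine("unencoded output reflects payload: " + ReflectsRaw(RenderUnsafe(payload), payload));
        Console.WriteLine("encoded output reflects payload:   " + ReflectsRaw(RenderSafe(payload), payload));
        Console.WriteLine(RenderUserHtml("<b>hello</b><script>steal()</script>"));
    }
}
```

The unencoded output contains the payload verbatim in every context; in the encoded output the quote and angle-bracket characters are replaced with context-specific escapes, so the same string is no longer found. The SRE automates the `RenderSafe` pattern for server controls; hand-built markup, string-built JavaScript and URLs still need the explicit calls.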

Making SDL-Agile Manageable: Deployment
- Web Application Configuration Analyzer (WACA)
- Microsoft Baseline Security Analyzer
- Web.config Security Analyzer (WCSA)

[Slides: Web Application Configuration Analyzer (three screenshots)]

[Slide: Web.config Security Analyzer (WCSA) (screenshot)]
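WACA and WCSA belong to the "secure configuration" and "automated deployment and vulnerability scanning" items of the automation list, and the deck shows them only as screenshots. The following added example (not the deck's, Microsoft's or WCSA's code) is a small checker in the same spirit: it scans a web.config for a handful of commonly flagged system.web settings and names the production value for each. The two configurations are constructed for the example; the element and attribute names are the standard ASP.NET ones. Which settings WCSA itself checks is not shown on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Added example (not from the deck): a WCSA-style check of a few weak web.config settings.
// Both configurations below are constructed for the example.
public static class WebConfigChecker
{
    public const string WeakConfig = @"<configuration>
  <system.web>
    <compilation debug=""true"" />
    <customErrors mode=""Off"" />
    <trace enabled=""true"" localOnly=""false"" />
    <pages validateRequest=""false"" enableViewStateMac=""false"" />
  </system.web>
</configuration>";

    public const string HardenedConfig = @"<configuration>
  <system.web>
    <compilation debug=""false"" />
    <customErrors mode=""RemoteOnly"" defaultRedirect=""~/error.aspx"" />
    <trace enabled=""false"" />
    <pages validateRequest=""true"" enableViewStateMac=""true"" />
    <httpCookies httpOnlyCookies=""true"" requireSSL=""true"" />
  </system.web>
</configuration>";

    public static List<string> Check(string webConfigXml)
    {
        var findings = new List<string>();
        var sysWeb = XDocument.Parse(webConfigXml).Root?.Element("system.web");
        if (sysWeb == null) return findings;

        if (AttrIs(sysWeb.Element("compilation"), "debug", "true"))
            findings.Add("compilation debug=true: debug build and verbose errors in production; set debug=false");
        if (AttrIs(sysWeb.Element("customErrors"), "mode", "Off"))
            findings.Add("customErrors mode=Off: stack traces and paths shown to remote users; use On or RemoteOnly");
        var trace = sysWeb.Element("trace");
        if (AttrIs(trace, "enabled", "true") && AttrIs(trace, "localOnly", "false"))
            findings.Add("trace enabled and localOnly=false: trace.axd reachable remotely; disable or set localOnly=true");
        var pages = sysWeb.Element("pages");
        if (AttrIs(pages, "validateRequest", "false"))
            findings.Add("pages validateRequest=false: request validation off site-wide; re-enable and encode output instead");
        if (AttrIs(pages, "enableViewStateMac", "false"))
            findings.Add("pages enableViewStateMac=false: viewstate can be tampered with; set enableViewStateMac=true");
        var cookies = sysWeb.Element("httpCookies");   // absent element means both attributes default to false
        if (!AttrIs(cookies, "httpOnlyCookies", "true"))
            findings.Add("httpCookies httpOnlyCookies not true: cookies readable from script; set httpOnlyCookies=true");
        if (!AttrIs(cookies, "requireSSL", "true"))
            findings.Add("httpCookies requireSSL not true: cookies sent over plain HTTP; set requireSSL=true on HTTPS sites");
        return findings;
    }

    // Case-insensitive because ASP.NET accepts "True"/"true" and "Off"/"off" alike.
    static bool AttrIs(XElement element, string attribute, string expected)
    {
        var attr = element?.Attribute(attribute);
        return attr != null && string.Equals(attr.Value, expected, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        foreach (var config in new[] { WeakConfig, HardenedConfig })
        {
            var findings = Check(config);
            Console.WriteLine(findings.Count == 0 ? "no findings" : findings.Count + " finding(s):");
            foreach (var f in findings) Console.WriteLine("  " + f);
        }
    }
}
```

Run against `WeakConfig` the checker reports seven findings (five explicit weak values plus the two missing cookie attributes); `HardenedConfig` produces none. A check like this belongs in the continuous-integration step alongside the code analysis, so that a debug or customErrors regression is caught before the sprint's Final Security Review rather than by WACA on the deployed server.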

Making SDL-Agile Manageable
- Education, secure coding standards, automation and tools play a significant role in making secure Agile development efficient and economical
- Don’t forget:
  - Periodic manual security activities are also a must
  - All of this must fit within a repeatable, mature process

Summary and Questions
- Microsoft released SDL-Agile guidance in November 2009
- Treats SDL activities like team-prioritized user stories
- Three categories: One-Time, Every-Sprint, and Bucket
- Increased success with the implementation of training, automation, tools, and standards

More information: http://www.microsoft.com/sdl
Nick Coblentz, CISSP, Senior Consultant, AT&T
Blog (URL truncated in the transcription): tz.blogspot.com
http://www.twitter.com/sekhmetn
