Create Agile confidence for better application security
Rogue Wave Accelerate Series
Part 2 of 3
Presenter: Christine Bottagaro, CMO, Rogue Wave Software
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
Agenda
• Agile methodology
• Security as a service
• Integrated security goals
• Best practices for Agile teams
• How to get started
Agile benefits
• Adaptive
• Integrated development teams
• Fewer surprises when working in a cross-functional environment
• Faster feedback loop
• Faster time to market
• Constant feedback during development
• Responds quickly to changing requirements
Agile versus Waterfall

| | Agile | Waterfall |
|---|---|---|
| Requirements | Adaptive | Fixed requirements |
| Organization | Integrated teams | Separation of duties |
| Best for | Rapid development cycles; frequent releases; cross-functional responsibilities; cooperative decision making; fast time to market; smaller projects; websites, graphical interfaces | Complicated systems; system and backend applications; development, security and compliance work independently; separate reporting; longer development cycles; few releases per year; patches |
Traditional development: Security as a service
• Separation of duties for testing and auditing
• Separate testing tools, results fed to development
• Development, compliance, and security are independent functions

Traditional Secure Development Lifecycle activities:
• Requirements: establish security requirements; create quality gates; risk assessments
• Design: establish design requirements; analyze attack surface; threat modeling
• Build: use approved tools; deprecate unsafe functions
• Test: static analysis; dynamic analysis; fuzz testing; attack surface review; open source review
• Deploy: incident response plan; final security review; release archive
Consequences of security as a service
• Increased remediation costs
• Delayed releases
• Security and development become adversarial

Relative cost of remediation by the phase in which a defect is found (Source: Barry Boehm, "Equity Keynote Address", March 19, 2007):

| Phase | Activities | Relative cost of remediation |
|---|---|---|
| Requirements | Establish security requirements; create quality gates; risk assessments | 1x |
| Design | Establish design requirements; analyze attack surface; threat modeling | 5x |
| Build | Use approved tools; deprecate unsafe functions | 10x |
| Test | Static analysis; dynamic analysis; fuzz testing; attack surface review; open source review | 20x to 50x |
| Deploy | Incident response plan; final security review; release archive | 150x |
Agile development: Integrated security

Diagram: Sprint 1, Sprint 2, … Sprint n, each ending in Integrate and Test; Review and Feedback lead to an Accept decision. No: Change, Adjust and Track, Next Iteration. Yes: Release to Market.

• Multiple testing points
• Rapid feedback required
• "Outside" testing does not meet Agile needs
Integrated security goals
• Build security into the Agile process
• Adapt to the needs of each team
• Provide information needed in a timely manner
• Help teams improve over time
• Maintain integrity of separation of duties
Best practices for Agile teams
1. Integrate security and compliance testing
2. Enforce standards that relate to the project
3. Context for remediation
4. Continuous improvement
5. Reporting for all stakeholders
Best Practice 1. Integrate security and compliance testing
• Give Agile teams tools and responsibility for testing
• Self-sufficiency is required for rapid reaction
• Run tests on the development schedule
• Embed security with the Agile team for triage and assistance
Best Practice 1. Integrate at IDE and build server
Do what works best for each team:
• Integrate at IDE: testing and remediation on the fly
• Integrate at build server: testing with each sprint test build
• Run separately: testing at the end of each sprint
Best Practice 2. Enforce standards that relate to the project
• Understand the objectives: risk varies with application deployments; high/low security requirements
• Use flexible rule sets: compliance rules (e.g., PCI); language- and framework-specific rules; custom rules for custom frameworks
Best Practice 2. Compliance rule sets
• Specific rule sets: OWASP Top 10; SANS Top 25
• Reporting for regulatory audits

PCI DSS v3: "The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements."
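The following is an added example, not code from the deck or from any Rogue Wave product, showing what Best Practices 1 and 2 look like together on a build server: a quality gate that runs with each sprint test build, selects the rule set each project must meet (a PCI-scoped checkout service versus an internal batch tool), and fails only on findings that are new relative to a reviewed baseline. The checker ids, project names, severity scale and the two JSON reports are constructed for the example; a real analyzer's report format and checker names differ.

```python
import json

# Constructed rule-set memberships: checker id -> the standards it maps to.
# Checker ids are hypothetical placeholders, not any tool's real checker names.
RULE_SETS = {
    "SQLI.TAINTED":    {"owasp-top10", "cwe-top25"},
    "XSS.REFLECTED":   {"owasp-top10", "cwe-top25"},
    "PATH.TRAVERSAL":  {"owasp-top10", "cwe-top25"},
    "CRYPTO.WEAKHASH": {"owasp-top10", "pci"},
    "STYLE.NAMING":    set(),   # code quality, not a security rule
}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-project policy ("risk varies with application deployments"): a PCI-scoped,
# internet-facing service breaks the build on more than an internal batch tool.
# Project names are constructed for the example.
POLICIES = {
    "checkout-web": {"rule_sets": {"owasp-top10", "pci"}, "min_severity": "medium"},
    "report-batch": {"rule_sets": {"cwe-top25"},          "min_severity": "high"},
}

# Constructed analysis output: the reviewed baseline from the last sprint and
# the report from this sprint's test build (same schema, one record per finding).
BASELINE_JSON = """[
  {"checker": "SQLI.TAINTED", "severity": "high", "file": "src/cart.c",
   "function": "load_cart", "symbol": "id", "line": 40}
]"""

REPORT_JSON = """[
  {"checker": "SQLI.TAINTED",   "severity": "high",   "file": "src/cart.c",
   "function": "load_cart",       "symbol": "id",   "line": 52},
  {"checker": "XSS.REFLECTED",  "severity": "medium", "file": "src/view.c",
   "function": "render_name",     "symbol": "name", "line": 18},
  {"checker": "PATH.TRAVERSAL", "severity": "low",    "file": "src/files.c",
   "function": "open_attachment", "symbol": "path", "line": 77},
  {"checker": "STYLE.NAMING",   "severity": "high",   "file": "src/util.c",
   "function": "fmt",             "symbol": "",     "line": 3}
]"""


def fingerprint(finding):
    """Identity of a finding that survives line-number shifts caused by unrelated
    edits, so a known issue is not reported as new every sprint."""
    return (finding["checker"], finding["file"], finding["function"], finding["symbol"])


def in_scope(finding, policy):
    """True if the checker belongs to a rule set the project must meet and the
    severity reaches the project's threshold."""
    standards = RULE_SETS.get(finding["checker"], set())
    if not standards & policy["rule_sets"]:
        return False
    return SEVERITY[finding["severity"]] >= SEVERITY[policy["min_severity"]]


def gate(project, report, baseline):
    """Gate verdict: fail only on in-scope findings that are not in the baseline."""
    policy = POLICIES[project]
    known = {fingerprint(f) for f in baseline}
    in_scope_findings = [f for f in report if in_scope(f, policy)]
    new = [f for f in in_scope_findings if fingerprint(f) not in known]
    return {"pass": not new, "in_scope": len(in_scope_findings), "new": new}


def run_gate(project):
    """Run the gate for one project over the constructed sample reports."""
    return gate(project, json.loads(REPORT_JSON), json.loads(BASELINE_JSON))


if __name__ == "__main__":
    for project in POLICIES:
        verdict = run_gate(project)
        status = "PASS" if verdict["pass"] else "FAIL"
        print(f"{project}: {status}, {verdict['in_scope']} in scope, {len(verdict['new'])} new")
        for f in verdict["new"]:
            print(f"  new {f['checker']} ({f['severity']}) at {f['file']}:{f['line']} in {f['function']}")
```

Run as-is, the same report fails the build for `checkout-web` (one new reflected XSS at medium severity) and passes for `report-batch`, whose policy only breaks on high-severity CWE Top 25 findings; the SQL injection that moved from line 40 to 52 is recognised as the baseline item, not a new one. The baseline is a remediation backlog with owners and a sprint target, not a permanent suppression list, or the gate slowly stops meaning anything.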
Best Practice 3. Context for remediation
Provide information needed to act:
• Provide actionable results
• Prioritize results to accelerate triage
• Eliminate "noise" from reporting
• Answer the developer's questions: what can I fix quickly? What needs architectural review?
Best Practice 3. Minimize code changes after code check-in
• Trace errors to root causes
• A missing input validation check manifests itself wherever the tainted data is used, not where the data enters
• A single error can therefore result in tens or hundreds of reported issues; fixing it once at the source clears them all
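An added example, not from the deck, of what "trace errors to root causes" means for the reporting on the previous two slides: a toy forward taint pass over a constructed request handler. Each sink reached by untrusted data is one finding, but the report groups findings by the source that feeds them, so the triage view shows one root cause with three consequences rather than three unrelated issues, and validating the input once at its source removes all of them. The program representation, source and sink names are invented for the example; real analyzers work on the language's AST or IR rather than on this tuple form.

```python
from dataclasses import dataclass

# Constructed toy program in three-address form, one tuple per line:
#   ("source",   var, name)   var receives untrusted input from `name`
#   ("assign",   var, deps)   var is computed from the variables in deps
#   ("sanitize", var, src)    var = validated/encoded copy of src (taint cleared)
#   ("sink",     api, var)    var reaches the dangerous API `api`
PROGRAM = [
    ("source",   "id",         "http.param('id')"),
    ("source",   "name",       "http.param('name')"),
    ("assign",   "query",      ["id"]),
    ("sink",     "sql.exec",   "query"),
    ("assign",   "path",       ["id"]),
    ("sink",     "fs.open",    "path"),
    ("assign",   "msg",        ["id", "name"]),
    ("sink",     "log.write",  "msg"),
    ("sanitize", "safe_name",  "name"),
    ("sink",     "html.write", "safe_name"),
    ("sink",     "html.write", "name"),
]


@dataclass(frozen=True)
class Finding:
    sink: str
    line: int
    source: str
    source_line: int


def analyze(program):
    """Forward taint propagation: every sink reached by tainted data is a finding
    that records which source, on which line, the taint came from."""
    taint = {}   # var -> (source name, source line)
    findings = []
    for line, stmt in enumerate(program, start=1):
        kind = stmt[0]
        if kind == "source":
            _, var, name = stmt
            taint[var] = (name, line)
        elif kind == "assign":
            _, var, deps = stmt
            tainted = [taint[d] for d in deps if d in taint]
            if tainted:
                taint[var] = tainted[0]   # attribute to the first tainted input
            else:
                taint.pop(var, None)
        elif kind == "sanitize":
            _, var, _src = stmt
            taint.pop(var, None)         # validation clears taint on the result
        elif kind == "sink":
            _, api, var = stmt
            if var in taint:
                source, source_line = taint[var]
                findings.append(Finding(api, line, source, source_line))
    return findings


def group_by_root_cause(findings):
    """Group sink findings by the source that feeds them, largest group first:
    the source fixed first removes the most reports."""
    groups = {}
    for f in findings:
        groups.setdefault((f.source, f.source_line), []).append(f)
    return sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True)


def fix_at_source(program, var):
    """Copy of program with validation inserted right after the source of `var`:
    one change at the root cause instead of one change per sink."""
    fixed = []
    for stmt in program:
        fixed.append(stmt)
        if stmt[0] == "source" and stmt[1] == var:
            fixed.append(("sanitize", var, var))
    return fixed


if __name__ == "__main__":
    before = analyze(PROGRAM)
    for (source, src_line), group in group_by_root_cause(before):
        print(f"{len(group)} sink(s) fed by {source} (line {src_line}):")
        for f in group:
            print(f"  line {f.line}: tainted data reaches {f.sink}")
    after = analyze(fix_at_source(PROGRAM, "id"))
    print(f"findings before: {len(before)}, after validating 'id' at its source: {len(after)}")
```

On the sample program the analysis reports four findings: three sinks (`sql.exec`, `fs.open`, `log.write`) fed by the unvalidated `id` parameter and one (`html.write`) fed by `name`, while the sanitized copy `safe_name` is correctly not reported. Inserting one validation after the `id` source drops the report to the two `name` findings. The simplification to watch for in a real tool is the `tainted[0]` attribution: `msg` depends on both parameters, so after `id` is fixed the same `log.write` sink reappears under `name`, which is why grouping by source has to be recomputed after each fix rather than read once from the first report.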
Best Practice 4. Continuous improvement
• Help developers learn on the job
• Move from training "events" to a training "process" (forgetting curve; source: https://uwaterloo.ca/counselling-services/curve-forgetting)
• Push remediation advice to the IDE
Best Practice 4. Ongoing developer education
• Remediation advice in the IDE
• Specific to bug type
• Specific to language rule set
Best Practice 5. Enterprise reporting
• Development: identify security training needs
• Security reporting: testing for OWASP/SANS bugs
• Compliance reporting: audits and reporting for OSS
• Legal reporting: traceability for security risks
• Maintain independence of audits
How to get started
1. Empower development with training, processes, and technology to own security testing
2. Build testing earlier into the development process
3. Start with a pilot project
4. Develop coding and remediation standards
5. Close the loop

72% of developers think they are responsible for security
See us in action: www.roguewave.com
Klocwork, OpenLogic