microsoft sdl: agile development - owasp · each sprint, one task from each bucket completed each...
TRANSCRIPT
![Page 1: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/1.jpg)
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Microsoft SDL: Agile Development
Nick Coblentz, CISSP
Senior Security Consultant
AT&T Consulting
http://nickcoblentz.blogspot.com
http://www.twitter.com/sekhmetnJune 24, 2010
![Page 2: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/2.jpg)
OWASP
Bio
AT&T Consulting:
Application Security
Penetration testing
Code review
Architecture and design reviews
Application security program development
Secure development methodology improvement
Research ISSA Journal: Web
Application Security Portfolios
SAMM Interview Template
Reducing Info Disclosure in ASP.NET Web Services and WCF Data Services
Turn Application Assessment Reports into Training Classes
Observed Secure Software Development Stages
Vulnerability Tracking, Workflow, and Metrics with Redmine
Using Microsoft's AntiXSS Library 3.1
![Page 3: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/3.jpg)
OWASP
“…Agile hurts secure code development.”
Adrian Lane: http://securosis.com/blog/agile-development-and-security/
![Page 4: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/4.jpg)
OWASP
Microsoft SDL For Agile Released
Source: http://blogs.msdn.com/sdl/archive/2009/11/10/announcing-sdl-for-agile-development-methodologies.aspx
![Page 5: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/5.jpg)
OWASP
Microsoft SDL
![Page 6: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/6.jpg)
OWASP
Microsoft Security Development Lifecycle (SDL)
Components:
Best Practices
Processes
Standards
Security Activities
Tools
Goal:“minimize security-related vulnerabilities in the design, code, and documentation and to detect and eliminate vulnerabilities as early as possible in the development life cycle.”
![Page 7: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/7.jpg)
OWASP
Which Software?
Source: Microsoft’s Product Website
SDL applies to software that:
Is used in Business environments
Stores or transmits PII
Communicates over the Internet or other networks
![Page 8: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/8.jpg)
OWASP
SDL Principles and Process
SD3+C
Secure by Design
Secure by Default
Secure in Deployment
Communications
PD3+C
Privacy by Design
Privacy by Default
Privacy in Deployment
Communications
![Page 9: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/9.jpg)
OWASP
What is Agile Development?
Source: http://www.scrumalliance.org/pages/what_is_scrum
![Page 10: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/10.jpg)
OWASP
SDLC (Waterfall Methodology)
February March April May JuneJanuary
August September October November DecemberJuly
Design Implementation
Implementation (cont.) Verification
Training Requirements
Release Response
![Page 11: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/11.jpg)
OWASP
January
This Is NOT Agile Development
Design ImplementationTraining Requirements
Implementation (cont.) Verification Release Response
Design ImplementationTraining Requirements
Implementation (cont.) Verification Release Response
![Page 12: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/12.jpg)
OWASP
Agile Development
JanuaryUser Story 1
User Story 2 User Story 4
User Story 5
User Story 5 (Cont.)
User Story 3
User Story 6
User Story 7
User Story 8
Sp
rin
t 1
Sp
rin
t 2
User Story 1
User Story 2 User Story 4
User Story 5
User Story 5 (Cont.)
User Story 3
User Story 6
User Story 7
User Story 8
![Page 13: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/13.jpg)
OWASP
Agile Development
Cross-functional, self-organizing teams
Short, time-boxed development iterations
Delivery of small functional stories
No extensive up front design or documentation
Source: http://www.scrumalliance.org/pages/what_is_scrum
![Page 14: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/14.jpg)
OWASP
Planning and Design
http://www.flickr.com/photos/acarlos1000
![Page 15: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/15.jpg)
OWASPhttp://www.flickr.com/photos/acarlos1000
Planning and Design (cont.)
![Page 16: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/16.jpg)
OWASP
User Stories and Documentationhttp://www.flickr.com/photos/fmcamargo
![Page 17: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/17.jpg)
OWASP
SDL SECURITY ACTIVITIES
Source: Simplified Implementation of the Microsoft SDL
![Page 18: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/18.jpg)
OWASP
SDL Security Activities
TrainingRequirementsSecurity RequirementsQuality Gates/Bug BarsSecurity and Privacy Risk
Assessment
DesignDesign RequirementsAttack Surface ReductionThreat Modeling
ImplementationUse Approved ToolsDeprecate Unsafe
FunctionsStatic Analysis
VerificationDynamic Program AnalysisFuzz TestingThreat Model and Attack
Surface Review
Release Incident Response PlanFinal Security ReviewRelease/Archive
Optional ActivitiesManual Code ReviewPenetration TestingVulnerability Analysis of
Similar Applications
![Page 19: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/19.jpg)
OWASP
Traditional SDL Pain Points for Agile
Can’t complete all SDL activities in each sprint
Requirements, architecture, and design evolves over time
Threat model/documentation becomes dated quickly
Data sensitivity, protection, and connections to third parties may not be immediately known
Teams don’t include application security specialists
![Page 20: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/20.jpg)
OWASP
Microsoft SDL For Agile Development
Source: Microsoft SDL v4.1a
SDL Requirement Categories:
Every-Sprint
Bucket
Verification Tasks
Design Review Tasks
Response Planning Tasks
One-Time
![Page 21: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/21.jpg)
OWASP
Every-Sprint SDL Requirements
“…so essential to security that no software should ever be released without these requirements being met.”
Examples:
Update the threat model
Communicate privacy-impacting design changes to the team’s privacy advisor
Fix all issues identified by code analysis tools for unmanaged code
Follow input validation and output encoding guidelines to defend against cross-site scripting attacks
![Page 22: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/22.jpg)
OWASP
Bucket SDL Requirements
Teams prioritize the pool of tasks over many sprints
Each sprint, one task from each bucket completed
Each tasks must be completed at least every 6 months
Examples:
Security Verification Tasks
Run fuzzing tools
Manual and automated code review
Design Review Tasks
Conduct privacy review
In-depth threat model
Response Planning Tasks
Define security/privacy bug bar
Create support documents
![Page 23: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/23.jpg)
OWASP
One-Time Requirements
Why?
Repetition not necessary
Must occur at the beginning of the project
Not possible at the beginning of the project
Examples:
Configure bug tracking system (3 months)
Identify security/privacy experts (1 month)
Baseline threat model (3 months)
Establish a security response plan (6 months)
![Page 24: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/24.jpg)
OWASP
SDL-Agile Appendix
![Page 25: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/25.jpg)
OWASP
SDL-Agile Appendix: Deadlines
![Page 26: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/26.jpg)
OWASP
Final Security Review
Occurs at the end of every sprint
Checklist:
All every-sprint requirements have been completed
No one-time requirements have exceeded deadline
At least one requirement from each bucket category has been completed
No bucket requirements exceed the six month deadline
No security or privacy bugs are open that exceed the severity threshold
![Page 27: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/27.jpg)
OWASP
Sprint 3 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 2 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 1 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Resp. Plan
Resp. PlanResp.
PlanResp. PlanResp.
PlanResp. Plan
Backlog
One-Time Verification
Design
Design
Design
Design
Design
Design
Verif.
Verif.
Verif.
Verif.
Verif.
One-TimeOne-
TimeOne-TimeOne-
TimeOne-Time
User StoryUser
StoryUser StoryUser
StoryUser Story
User StoryUser
StoryUser StoryUser
StoryUser Story
![Page 28: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/28.jpg)
OWASP
Sprint 3 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 2 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Sprint 1 In Progress QA Done
Every SprintEvery Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Every Sprint
Resp. Plan
Resp. PlanResp.
Plan
Backlog
One-Time Verification
Design
Design
Verif.
One-Time
User StoryUser
Story
Resp. Plan
DesignDesignVerif.Verif.
User Story
User Story
User Story
User Story
Resp. Plan
DesignVerif.
One-Time
One-Time
One-Time
User Story
Resp. Plan
DesignVerif.One-Time
User Story
User Story
User Story
Final Security Review
Final Security Review
Final Security Review
![Page 29: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/29.jpg)
OWASP
Making SDL-Agile Manageable
Documented standards
Security training
Automation
Continuous Integration
Secure Configuration
Security Unit Tests
Automated Secure Code Analysis
Automated Deployment and Vulnerability Scanning
Process
Continuous updates to the threat model
SDL Process Templates for VSTS
MSF-Agile + SDL Process Template
Light on security artifacts/documentation
![Page 30: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/30.jpg)
OWASP
Making SDL-Agile Manageable
Tooling
Code Analysis/Scanning
CAT.NET
MiniFuzz
BinScope Binary Analyzer
Fiddler w/ Watcher
FxCop
MS Threat Modeling Tool
![Page 31: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/31.jpg)
OWASP
CAT.NET: Cross-site Scripting Vulnerability
![Page 32: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/32.jpg)
OWASP
Making SDL-Agile Manageable
Libraries
Web Protection Library (WPL)
Encoder/Anti-XSS Library
Security Runtime Engine (SRE)
Sanitizer.GetSafeHTML
![Page 33: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/33.jpg)
OWASP
Web Protection Library - Encoder/AntiXSS
Microsoft.Security.Application.Encoder
![Page 34: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/34.jpg)
OWASP
The Security Runtime Engine (SRE)
“The Security Runtime Engine (SRE) is an HTTP module that acts like a gatekeeper to protect ASP.NET web applications from cross-site scripting (XSS) attacks.”
“It works by inspecting each control that is being reflected by ASP.NET and then automatically encoding data of vulnerable controls in their appropriate context.”
SRE Configuration Editor GUI Tool
![Page 35: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/35.jpg)
OWASP
The Security Runtime Engine (SRE)
![Page 36: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/36.jpg)
OWASP
The Security Runtime Engine (SRE)
![Page 37: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/37.jpg)
OWASP
Making SDL-Agile Manageable
Deployment
Web Application Configuration Analyzer (WACA)
Microsoft Baseline Security Analyzer
Web.config Security Analyzer (WCSA)
![Page 38: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/38.jpg)
OWASP
Web Application Configuration Analyzer
![Page 39: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/39.jpg)
OWASP
Web Application Configuration Analyzer
![Page 40: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/40.jpg)
OWASP
Web Application Configuration Analyzer
![Page 41: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/41.jpg)
OWASP
Web.config Security Analyzer (WCSA)
![Page 42: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/42.jpg)
OWASP
Making SDL-Agile Manageable
Education, secure coding standards, automation and tools play a significant role in making secure Agile development efficient and economical
Don’t forget:
Periodic manual security activities are also a must
All of this must fit within a repeatable, mature process
42/23
![Page 43: Microsoft SDL: Agile Development - OWASP · Each sprint, one task from each bucket completed Each tasks must be completed at least every 6 months Examples: Security Verification Tasks](https://reader030.vdocuments.us/reader030/viewer/2022040610/5ecedde4b16df9486562324a/html5/thumbnails/43.jpg)
OWASP
Summary and Questions
More Information:http://www.microsoft.com/sdl
Nick Coblentz, CISSPSenior Consultant, AT&T Consulting
http://nickcoblentz.blogspot.com
http://www.twitter.com/sekhmetn
Microsoft releases SDL-Agile Guidance in Nov. 2009
Treats SDL Activities like team-prioritized User Stories3 Categories: One-time,
Every-time, and Bucket
Increased success with the implementation of training, automation, tools, and standards