navigating agile automotive software development
TRANSCRIPT
![Page 1: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/1.jpg)
Navigating Agile automotive software development
June 24, 2015
![Page 2: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/2.jpg)
Presenters
Jeff Hildreth, Automotive Account Manager, Rogue Wave Software
Ahmed Abdelrahman, Release Engineer, Rogue Wave Software
John Chapman, Solutions Architect, Rogue Wave Software
© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED
![Page 3: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/3.jpg)
Agenda
• A holistic approach to cybersecurity
• Blending DevOps and Agile for security
• How to implement a Jenkins CI system
• Examples of security defects
• Q&A
![Page 4: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/4.jpg)
A holistic approach to cybersecurity
![Page 5: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/5.jpg)
A holistic approach to cybersecurity
Information overload → Develop an adaptive threat model
Threat model → External data → Internal threat metric → Action
![Page 6: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/6.jpg)
Threat model
Most breaches result from input trust issues.
Threat modeling identifies, quantifies, and addresses security risks by:
1. Understanding the application and environment
2. Identifying and prioritizing threats
3. Determining mitigation actions
Process: Identify assets → System overview → Decompose application → Identify threats → Prioritize threats
![Page 7: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/7.jpg)
Security overload
• Media: news, blogs, social media, conferences
• Standards and legislation: security standards (OWASP, CWE, CERT, etc.), Senator Markey report
• Research: NVD, White Hat, Black Hat
• Requirements: OEMs, internal
• More and more software running inside your car
• Developers don’t know security (80% failed security knowledge survey)
![Page 8: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/8.jpg)
Developing a threat metric
Build score
• Automated and functional testing can give you a pass/fail metric on every run of the test suite
• A metric can be generated from penetration testing based on the number of exploitable paths in your code base
• Software quality tools can give you a count of critical static analysis and compiler warnings
• A metric can be developed from the presence of previously undetected open source snippets, or of open source components with newly disclosed vulnerabilities
• All of these metrics can be generated on every build of your software
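The four signals above can be folded into one per-build threat score that a CI job (for example a Jenkins build step) computes and gates on: the build fails when an exploitable path or a vulnerable open source component is present, when the score exceeds a budget, or when it regressed since the previous build. The following is an added example, not code from the deck or from Rogue Wave; the sample inputs, the weights, the budget of 20, the previous score of 18 and the regression rule are all constructed assumptions.

```python
"""Per-build threat metric: combine test results, exploitable paths from
penetration testing, critical static-analysis and compiler warnings, and
open source inventory changes into one score plus a gate decision.
Added example; every input below is constructed, not real tool output."""
import json
import sys

# --- constructed sample inputs, as a CI job might collect them for one build ---
TEST_RESULTS = {"passed": 212, "failed": 1}
EXPLOITABLE_PATHS = [                       # one entry per path a pentest could exploit
    "diagnostic service: session opened without authentication",
]
STATIC_FINDINGS = [                         # (severity, rule) from static analysis
    ("critical", "unchecked array index derived from CAN payload"),
    ("critical", "format string taken from external input"),
    ("warning", "unused variable"),
]
COMPILER_WARNINGS = [("critical", "format not a string literal"), ("normal", "unused parameter")]
OSS_COMPONENTS = {"zlib": "1.2.8", "expat": "2.1.0", "libfoo": "0.9"}   # snippets detected in this build
OSS_BASELINE = {"zlib": "1.2.8", "expat": "2.1.0"}                      # previously reviewed inventory
VULN_DB = {"expat": {"2.1.0"}}              # component -> versions with a newly published advisory (assumed)

# Assumed weights: how much each finding type adds to the score.
WEIGHTS = {"failed_tests": 2, "exploitable_paths": 10, "critical_static": 5,
           "critical_compiler": 3, "new_oss": 4, "vulnerable_oss": 8}


def oss_findings(components, baseline, vuln_db):
    """Components (or versions) not in the reviewed baseline, and components
    whose detected version has a known vulnerability."""
    new = sorted(name for name, ver in components.items() if baseline.get(name) != ver)
    vulnerable = sorted(name for name, ver in components.items() if ver in vuln_db.get(name, set()))
    return new, vulnerable


def build_score(tests, paths, static, compiler, components, baseline, vuln_db):
    """Count each signal, weight it, and return the counts with the composite score."""
    counts = {
        "failed_tests": tests["failed"],
        "exploitable_paths": len(paths),
        "critical_static": sum(1 for sev, _ in static if sev == "critical"),
        "critical_compiler": sum(1 for sev, _ in compiler if sev == "critical"),
    }
    new, vulnerable = oss_findings(components, baseline, vuln_db)
    counts["new_oss"] = len(new)
    counts["vulnerable_oss"] = len(vulnerable)
    score = sum(WEIGHTS[key] * n for key, n in counts.items())
    return {"counts": counts, "score": score, "new_oss": new, "vulnerable_oss": vulnerable}


def gate(report, previous_score, max_score=20):
    """The 'Action' step: returns (ok, reasons). Hard blocks on exploitable paths
    and vulnerable OSS; soft budget on the score; any rise since the last build
    is treated as a regression."""
    reasons = []
    c = report["counts"]
    if c["exploitable_paths"]:
        reasons.append("exploitable path(s) found by penetration testing")
    if c["vulnerable_oss"]:
        reasons.append("open source with a known vulnerability: " + ", ".join(report["vulnerable_oss"]))
    if report["score"] > max_score:
        reasons.append(f"threat score {report['score']} exceeds budget {max_score}")
    if previous_score is not None and report["score"] > previous_score:
        reasons.append(f"threat score regressed from {previous_score} to {report['score']}")
    return (not reasons), reasons


def sample_report():
    """Score the constructed build above."""
    return build_score(TEST_RESULTS, EXPLOITABLE_PATHS, STATIC_FINDINGS, COMPILER_WARNINGS,
                       OSS_COMPONENTS, OSS_BASELINE, VULN_DB)


def main():
    report = sample_report()
    ok, reasons = gate(report, previous_score=18)   # previous build's score: assumed
    print(json.dumps(report, indent=2))
    for reason in reasons:
        print("BLOCK:", reason)
    sys.exit(0 if ok else 1)                        # non-zero exit fails the CI job


if __name__ == "__main__":
    main()
```

Run as a build step after the test, pentest, static analysis and inventory tools have written their results; the non-zero exit is what turns the metric into an action in the pipeline. The regression check is what makes the metric adaptive: a build can be under budget and still be blocked if it is worse than the last one.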
![Page 9: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/9.jpg)
DevOps & Agile for security
![Page 10: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/10.jpg)
Agile development: Integrated security
Adaptive: Sprint 1 → Sprint 2 → … → Sprint n → Release
Each sprint: Integrate and Test → Review / Feedback → Accept?
Yes! → Release to market
No! → Change, adjust and track → Next iteration
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet Agile needs
![Page 11: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/11.jpg)
DevOps SDLC
SDLC step: Idea → Understand needs → Invent solution → Develop → Commit → Build → Functional testing → Performance / load / security testing → UAT / exploratory testing → Release / Deploy
Continuous Integration
Metric
![Page 12: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/12.jpg)
Jenkins CI
![Page 13: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/13.jpg)
Jenkins CI
![Page 14: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/14.jpg)
Security example
![Page 15: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/15.jpg)
Load, Performance, Security, … Testing phase
![Page 16: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/16.jpg)
Develop, commit & build
![Page 17: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/17.jpg)
Develop, commit & build
![Page 18: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/18.jpg)
DevOps SDLC
![Page 19: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/19.jpg)
Conclusions
• The application security world is fluid → Create concrete, actionable strategies (Threat Metric, analysis & scanning)
• Delivery cycles are short → Update regularly with a well-defined process (Agile, CI)
![Page 21: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/21.jpg)
Q&A
![Page 22: Navigating agile automotive software development](https://reader036.vdocuments.us/reader036/viewer/2022062302/58781d431a28aba12d8b5d73/html5/thumbnails/22.jpg)