Going the Agile Path Securely – Lessons from Proactive Security in Agile Software Development (OOP 2017, Dr. Bastian Braun, München, 02.02.2017)


München / HQ Dresden

Going the Agile Path Securely – Lessons from Proactive Security in Agile Software Development
OOP 2017

Dr. Bastian Braun

München, 02.02.2017

02.02.2017 2

What is Agile Software Development?

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

src: Manifesto for Agile Software Development, http://www.agilemanifesto.org


The Security Development Lifecycle

src: https://www.microsoft.com/en-us/SDL/process/training.aspx


Changes & Processes

Timeline figure, two rows over the same project timeline:

Waterfall (process-driven): Requirements → Design → Implementation → Verification → Release → Response, run once across the whole project timeline.

Agile (value-driven): Requirements → Design → Implementation → Verification → Release, repeated in short cycles along the project timeline.


Changes & Processes

Timeline figure, one row over the project timeline:

Continuous De* (performance-driven): Requirements → Design → Implementation → Verification → Release → Response along the project timeline.


Lessons Learned – How to Introduce Security

Integration of Security – no Re-definition of Processes

Security Training for Developers / Scrum Master / PO

Awareness Seminar for Decision Makers

Making Security Requirements part of the Definition of Done

Evaluating Results of automatic testing, e.g. SAST

Advisor-as-a-Service (AaaS)
  on demand: Penetration Testing, manual Code Review


Lessons Learned – How to Introduce Security

Integration of Security – no Re-definition of Processes

Security Training for Developers / Scrum Master / PO

Awareness Seminar for Decision Makers

Making Security Requirements part of the Definition of Done

Evaluating Results of automatic testing, e.g. SAST, automatic DAST

Advisor-as-a-Service (AaaS)
  on demand: Penetration Testing, manual Code Review


Lessons Learned – How to Introduce Security

This is the major field of action – but it's TEAMWORK!


Lessons Learned – How to Introduce Security

Utilize framework-level security functions + AUTOMATED testing!
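Two of the points above, making security requirements part of the Definition of Done and evaluating the results of automatic testing (SAST, automatic DAST), and the call for automated testing on this slide, can be combined into a pipeline gate that the team runs on every increment. The following is an added example, not code from the talk or from mgm security partners: the finding format, the tool name and all finding ids are constructed assumptions, loosely modelled on what SAST/DAST tools emit, and the policy fields (maximum severity that may stay open, time-limited risk acceptances granted by the Product Owner) are one possible encoding of a Definition-of-Done rule. The gate fails closed on severity labels it does not know, so a tool change cannot silently weaken the check.

```python
"""Security Definition-of-Done gate over automated test findings.

Added example (not code from the talk or from mgm security partners): one way
to make "no open security finding above an agreed severity" a checkable
Definition-of-Done criterion in an agile pipeline. The finding format, the
tool name and all ids below are constructed assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Severity scale used by the gate. A label that is not in this table is
# ranked as "critical" so that unexpected tool output fails closed.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    rule: str
    severity: str
    location: str

    @property
    def rank(self) -> int:
        return SEVERITY_RANK.get(self.severity.lower(), SEVERITY_RANK["critical"])


@dataclass
class DoDPolicy:
    # Highest severity that may remain open when a ticket is declared Done.
    max_open_severity: str = "low"
    # Risk acceptances are time-limited: finding id -> ISO date the acceptance expires.
    accepted_risks: dict[str, str] = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding]          # findings that violate the policy
    expired_acceptances: list[str]   # accepted risks whose expiry date has passed


def parse_findings(raw_json: str) -> list[Finding]:
    """Parse the constructed tool output shape {"findings": [{id, rule, severity, file, line}]}."""
    doc = json.loads(raw_json)
    return [
        Finding(
            finding_id=item["id"],
            rule=item["rule"],
            severity=item["severity"],
            location=f"{item['file']}:{item['line']}",
        )
        for item in doc.get("findings", [])
    ]


def evaluate(findings: list[Finding], policy: DoDPolicy, today: str) -> GateResult:
    """Decide whether the increment meets the security Definition of Done."""
    threshold = SEVERITY_RANK[policy.max_open_severity.lower()]
    today_d = date.fromisoformat(today)
    blocking: list[Finding] = []
    expired: list[str] = []
    for finding in findings:
        if finding.rank <= threshold:
            continue  # within the agreed residual risk
        expiry = policy.accepted_risks.get(finding.finding_id)
        if expiry is not None and date.fromisoformat(expiry) >= today_d:
            continue  # explicitly accepted by the Product Owner, acceptance still valid
        if expiry is not None:
            expired.append(finding.finding_id)  # acceptance existed but has run out
        blocking.append(finding)
    return GateResult(passed=not blocking, blocking=blocking, expired_acceptances=expired)


def run_gate(raw_json: str, policy: DoDPolicy, today: str) -> GateResult:
    return evaluate(parse_findings(raw_json), policy, today)


# Constructed sample output of a SAST run (not real tool output).
SAMPLE_SAST_OUTPUT = json.dumps({
    "tool": "example-sast",
    "findings": [
        {"id": "F-101", "rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
        {"id": "F-102", "rule": "reflected-xss", "severity": "medium", "file": "app/views.py", "line": 17},
        {"id": "F-103", "rule": "missing-hsts", "severity": "low", "file": "app/server.py", "line": 5},
        {"id": "F-104", "rule": "custom-check", "severity": "unknown", "file": "app/util.py", "line": 9},
    ],
})


if __name__ == "__main__":
    policy = DoDPolicy(max_open_severity="medium", accepted_risks={"F-101": "2017-03-01"})
    result = run_gate(SAMPLE_SAST_OUTPUT, policy, today="2017-02-02")
    print("Definition of Done met" if result.passed else "Definition of Done NOT met")
    for finding in result.blocking:
        print(f"  blocking: {finding.finding_id} {finding.rule} ({finding.severity}) at {finding.location}")
    for finding_id in result.expired_acceptances:
        print(f"  risk acceptance for {finding_id} has expired: renew it or fix the finding")
```

Run from the sprint pipeline after the SAST/DAST step and let a non-passing result fail the build; the expired-acceptance list is the part worth surfacing to the Product Owner, because it turns a silently forgotten risk decision into a visible ticket rather than a permanent exception.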


Lessons Learned – How NOT to Introduce Security

Applying Testing Phases of the Waterfall Model to Agile Development
  e.g. mandatory code review/pentests during the sprint
  avoid a security bottleneck

Security as a "One-man Show" without knowledge and awareness by developers
  don't fight an uphill battle


Implications for the Management

Get used to ad-hoc Planning
  Business Consultants advise long-term Planning
  Feature Planning Weeks and Months in advance is not agile!

Product Owner becomes Development Team Member
  No Controller but Contributor
  Regular Verification / Approval of Tickets required


Long-term Planning & Deadlines vs Agility

Timeline figure: Project Timeline from Start to Go-Live, with the phases Requirements → Design → Implementation → Verification → Release → Response laid along it. Regression Tests / Penetration Tests sit before Go-Live; working backwards from that fixed date, Implementation of Feature Z must start, Implementation of Feature Y must start, and Concept & Design of Features Y & Z precede them.

We are back with Waterfall!


We make software. Securely.

München

mgm security partners gmbh
Frankfurter Ring 105a
80807 München
Tel.: +49 (89) 35 86 80-880
Fax: +49 (89) 35 86 80-338
http://www.mgm-sp.com

Dresden

For questions, please send an email to [email protected].