Grab testing by the horns and move
September 22, 2015
Steve Howard, Safety & Security Engineer
Agenda
• A holistic approach to security
• Blending DevOps and Agile for security
• Examples of security defects
• Best practices for Agile teams
• Q&A
© 2015 Rogue Wave Software, Inc. All Rights Reserved
A holistic approach to security

Security information overload
• Media: news, blogs, social media, conferences
• Research: NVD, White Hat, Black Hat
• Standards and legislation: OWASP, CWE, CERT, etc.; Senator Markey report
• Requirements: OEMs, internal
• More and more software running inside your car
• Developers don't know security (80% failed a security knowledge survey)
A holistic approach to security

Information overload: develop an adaptive process
• Adaptive process loop: external data → internal threat metrics → action
Developing a threat metric: build score
• Automated and functional testing give a pass/fail metric on every run of the test suite
• Penetration testing yields a metric based on the number of exploitable paths in the code base
• Software quality tools give a count of critical static analysis findings and compiler warnings
• Open source scanning yields a metric based on newly detected snippets of open source code, or on open source components with newly published known vulnerabilities
• All of these metrics can be generated on every build of the software
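The following is an added example, not code from the deck or from Rogue Wave, showing how the four per-build signals on the build score slide can be combined into one threat score and a pass/fail gate that a build server runs on every build. The tool output formats, the field names, the weights and the budget are all assumptions made for this illustration, and the inputs are constructed samples rather than real scanner output.

```python
"""
Per-build threat metric with a gate (added example, not Rogue Wave code).

Turns the four per-build signals from the slide into one score, and fails
the build when the gate policy is not met. All tool outputs below are
constructed samples; their formats, the weights and the budget are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# --- constructed sample inputs (assumed formats, not any real tool's) ---
TEST_SUMMARY = "Tests run: 412, Failures: 1, Errors: 0, Skipped: 3"

STATIC_ANALYSIS_REPORT = """\
src/net/parse.c:88: critical: buffer overflow in parse_header
src/net/parse.c:102: critical: null pointer dereference
src/util/log.c:17: warning: format string is not a literal
src/util/log.c:23: warning: unused variable 'n'
"""

PENTEST_SUMMARY = "exploitable paths: 0"

OSS_INVENTORY = """\
zlib 1.2.8 known_vulns=0
openssl 1.0.1f known_vulns=3
md5.c snippet=undeclared
"""


@dataclass
class BuildSignals:
    tests_failed: int        # failures + errors from the functional test run
    exploitable_paths: int   # from penetration testing
    critical_findings: int   # static analysis findings at severity "critical"
    warnings: int            # remaining analyzer/compiler warnings
    oss_known_vulns: int     # known vulnerabilities in declared OSS components
    oss_undeclared: int      # open-source snippets not previously declared


def parse_signals(tests: str, sa_report: str, pentest: str, oss: str) -> BuildSignals:
    """Extract the per-build counts from the (assumed) tool output formats."""
    m = re.search(r"Failures: (\d+), Errors: (\d+)", tests)
    tests_failed = int(m.group(1)) + int(m.group(2))

    severities = re.findall(r":\d+: (\w+):", sa_report)
    critical = severities.count("critical")
    warnings = severities.count("warning")

    exploitable = int(re.search(r"exploitable paths: (\d+)", pentest).group(1))

    known_vulns = sum(int(n) for n in re.findall(r"known_vulns=(\d+)", oss))
    undeclared = oss.count("snippet=undeclared")

    return BuildSignals(tests_failed, exploitable, critical, warnings,
                        known_vulns, undeclared)


# Assumed weights, ordered by how directly each signal maps to attacker reach:
# an exploitable path is a proven attack and a known OSS vulnerability usually
# has a public exploit, while a compiler warning is cheap noise by comparison.
WEIGHTS = {
    "exploitable_paths": 50,
    "oss_known_vulns": 25,
    "critical_findings": 10,
    "tests_failed": 5,
    "oss_undeclared": 5,
    "warnings": 1,
}


def threat_score(s: BuildSignals) -> int:
    """Single number that can be plotted build over build."""
    return sum(getattr(s, name) * weight for name, weight in WEIGHTS.items())


def gate(s: BuildSignals, previous_score: Optional[int] = None, budget: int = 60):
    """Decide whether the build passes. Returns (passed, score, reasons).

    Hard stops never pass regardless of score; the budget and the
    no-regression rule are the tunable part of the policy.
    """
    reasons = []
    if s.tests_failed:
        reasons.append(f"{s.tests_failed} functional test(s) failed")
    if s.exploitable_paths:
        reasons.append(f"{s.exploitable_paths} exploitable path(s) from pentest")
    if s.critical_findings:
        reasons.append(f"{s.critical_findings} critical static analysis finding(s)")
    if s.oss_known_vulns:
        reasons.append(f"{s.oss_known_vulns} known vulnerability(ies) in OSS components")

    score = threat_score(s)
    if score > budget:
        reasons.append(f"threat score {score} exceeds budget {budget}")
    if previous_score is not None and score > previous_score:
        reasons.append(f"threat score regressed from {previous_score} to {score}")
    return (not reasons, score, reasons)


if __name__ == "__main__":
    signals = parse_signals(TEST_SUMMARY, STATIC_ANALYSIS_REPORT,
                            PENTEST_SUMMARY, OSS_INVENTORY)
    passed, score, reasons = gate(signals, previous_score=40)
    print(f"threat score: {score}, build {'passed' if passed else 'FAILED'}")
    for reason in reasons:
        print(" -", reason)
```

The score is only useful as a trend, which is why `gate` takes the previous build's score: a build that adds findings fails even when it stays under budget, so the metric cannot drift upward one small step at a time. The hard stops are deliberately not tunable; an exploitable path or a known vulnerability in a shipped component is not something a weight should be able to average away.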
Blending DevOps and Agile for security

Traditional development: security as a service
• Separation of duties for testing and auditing
• Separate testing tools, results fed back to development
• Development, compliance, and security are independent functions

Traditional secure development lifecycle activities
Requirements
• Establish security requirements
• Create quality gates
• Risk assessments
Design
• Establish design requirements
• Analyze attack surface
• Threat modeling
Build
• Use approved tools
• Deprecate unsafe functions
Test
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface review
• Open source review
Deploy
• Incident response plan
• Final security review
• Release archive
Consequences of security as a service

Cost of remediation, by the lifecycle phase in which a defect is found (source: Barry Boehm, "Equity Keynote Address", March 19, 2007):
Requirements  1x
Design        5x
Build         10x
Test          20x to 50x
Deploy        150x
(phase activities as listed on the previous slide)

• Increased remediation costs
• Delayed releases
• Security and development become adversarial
Agile development: integrated security

Sprint 1 → Sprint 2 → … → Sprint n, each followed by Integrate and Test, then Review and Feedback. Accept? Yes: release to market. No: change, adjust and track, next iteration.
• Multiple testing points
• Rapid feedback required
• "Outside" testing does not meet Agile needs
DevOps SDLC

Continuous integration pipeline, with a metric captured at each SDLC step:
Idea → Understand needs → Invent solution → Develop → Commit → Build → Functional testing → Performance, load, security testing → UAT/exploratory testing → Release/Deploy
Security example
Slide: Load, performance, security, … testing phase (figure only)
Slides: Develop, commit & build (figures only)
Best practices for Agile teams
1. Integrate security and compliance testing
2. Enforce standards that relate to the project
3. Context for remediation
4. Continuous improvement
5. Reporting for all stakeholders
Best Practice 1. Integrate security and compliance testing
• Give Agile teams tools & responsibility for testing
• Self-sufficiency is required for rapid reaction
• Run tests on the development schedule
• Embed security with the Agile team for triage and assistance
Best Practice 1. Integrate at IDE and build server
Do what works best for each team:
• Run separately: testing at the end of each sprint
• Integrate at IDE: testing and remediation on the fly
• Integrate at build server: testing with each sprint test build
Best Practice 2. Enforce standards that relate to the project
• Understand the objectives
• Risk varies with application deployments
• Use flexible rule sets: compliance rules (e.g., PCI), language- and framework-specific rules, custom rules for custom frameworks, high/low security requirements
Best Practice 2. Compliance rule sets
PCI-DSS v3: "The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements."
Specific rule sets: SANS Top 25, OWASP Top 10
• Reporting for regulatory audits
• Provide information needed to act
Best Practice 3. Context for remediation
• Provide actionable results
• Prioritize results to accelerate triage
• Eliminate "noise" from reporting
• Answer two questions: What needs architectural review? What can I fix quickly?
Best Practice 3. Minimize code changes after code check-in
• Trace errors to root causes
• An input validation error manifests itself only at the points where the tainted data is used
• A single error can therefore result in tens or hundreds of reported issues
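The following is an added example, not code from the deck or from any vendor's analysis engine, illustrating the root-cause point above: a single missing input check at the source shows up as one finding per place the tainted data is used, and validating at the source closes all of them with one change where validating at a sink closes only that sink's share. The call graph, the function names, the source and the sink categories are all constructed assumptions.

```python
"""
Taint propagation over a constructed call graph (added example, not the
deck's or any vendor's analysis engine). Shows why one missing input check
surfaces as many findings, and why the fix at the root cause is the smaller
code change. The graph and every function name in it are assumptions.
"""
from collections import Counter

# Constructed call graph: each function passes the data it received on to the
# functions listed. Edges only, no real code behind them.
CALL_GRAPH = {
    "read_request": ["parse_header", "parse_body"],
    "parse_header": ["set_cookie", "log_line", "lookup_user"],
    "parse_body": ["build_query", "write_file"],
    "lookup_user": ["build_query"],
    "set_cookie": [],
    "log_line": [],
    "build_query": [],
    "write_file": [],
}

SOURCES = {"read_request"}  # untrusted input enters the program here

SINKS = {                   # dangerous operations and the bug class they become
    "build_query": "SQL injection",
    "write_file": "path traversal",
    "log_line": "log injection",
    "set_cookie": "header injection",
}


def tainted_paths(graph, sources, sinks, validated=frozenset()):
    """Enumerate every source-to-sink path that crosses no validating function.

    A function in `validated` is assumed to check its input, so nothing
    tainted leaves it and the walk stops there. Each returned entry is one
    finding as an analyzer would report it: (bug class, path from the source).
    """
    findings = []

    def walk(node, path):
        if node in validated:
            return
        if node in sinks:
            findings.append((sinks[node], list(path)))
        for callee in graph.get(node, []):
            if callee not in path:          # ignore recursion
                walk(callee, path + [callee])

    for source in sources:
        walk(source, [source])
    return findings


def root_causes(findings):
    """Group findings by the source that fed them: one entry per root cause."""
    return dict(Counter(path[0] for _, path in findings))


if __name__ == "__main__":
    findings = tainted_paths(CALL_GRAPH, SOURCES, SINKS)
    print(f"{len(findings)} findings reported by the analyzer:")
    for kind, path in findings:
        print(f"  {kind}: {' -> '.join(path)}")
    print("root causes:", root_causes(findings))

    # Validating at one sink closes only that sink's findings ...
    print("findings left after validating in build_query:",
          len(tainted_paths(CALL_GRAPH, SOURCES, SINKS, validated={"build_query"})))
    # ... validating at the source closes every finding with a single change.
    print("findings left after validating in read_request:",
          len(tainted_paths(CALL_GRAPH, SOURCES, SINKS, validated={"read_request"})))
```

Grouping by `path[0]` is what turns five tickets into one: the report that lands on the developer should name the source that needs the check, with the sink paths as supporting trace, rather than five separate sink-level bugs that each tempt a local fix.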
Best Practice 4. Continuous improvement
• Help developers learn on the job
• Move from training "events" to a training "process" (source: https://uwaterloo.ca/counselling-services/curve-forgetting)
• Push remediation advice to the IDE
Best Practice 5. Enterprise reporting
• Reporting for development, security, compliance, and legal
• Testing for OWASP/SANS bugs
• Audits and reporting for OSS
• Traceability for security risks
• Identify security training needs
• Maintain independence of audits
Conclusions
• The application security world is fluid: create concrete, actionable strategies (threat metric, analysis & scanning)
• Delivery cycles are short: update regularly with a well-defined process (Agile, CI)