SlideShare ist ein Scribd-Unternehmen logo

BSides Vienna 2015

D
Daniel Liber
1 von 32
Downloaden Sie, um offline zu lesen
Pole Vaulting over Agile Security Pits Daniel Liber
~whoami • Current: Security Leader @ CyberArk – Product security – Strategy and process driven – A pain in the insecurity’s a$$ • Past @ multiple places – Consulting, Research, PT
~whereami • CyberArk – Privileged account security – Look us up (we’re hiring ) www.cyberark.com/
~quote “Sometimes you just have to jump off the cliff without knowing where you will land”
~agenda • Agile, a reminder • SDLC and Agile • Collaboration with R&D for security • Crunching numbers – Why is this issue so important?
So… Agile? Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan
So… Agile? Sprint Backlog SprintProduct Backlog Deliverables Scrum:
So… Agile? Kanban:
Security Frameworks & Dev Reflecting on Agile: “Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.”
Security Frameworks & Dev • Vendor SDLC programs – Microsoft – SAP – Cisco – Etc.. • Maturity Models – OWASP SAMM – BSIMM • NIST <Compatibility issues>
Security Frameworks & Dev Bryan Sullivan (Microsoft) @ BlackHat 2010
Security Frameworks & Dev (Microsoft SDL for Agile)
Security Frameworks & Dev
Security Frameworks & Dev Reflecting on Agile: “Welcome changing requirements, even late in development.”  Threat modeling not only for new features, but also for CHANGED features
Security Frameworks & Dev Threat Modeling • Approach: – Attack / software / asset centric • Mapping – Assets / Actors / Entry points • Flow – Data / Process / Logic Not as lightweight as expected from a sprint task
Security Frameworks & Dev Coordinating with Product Owner Emperor of the backlog •Product’s roadmap •‘Sensitive’ features attention •Setting security sprints (bucket security tasks) •Cut-off for most important threats
Security Collaborations Reflecting on Agile: “The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.”
Security Collaboration
Security Collaborations Pop Quiz • Sprint of 2 weeks • Overlooking 4 teams • Participating in every daily (15 minutes long) 10 days X 4 teams X 15 min. = 10 hours ~ 1 day = 10% of your time
Security Frameworks & Dev Security Champions Team’s “security bouncer” • Why? – Probably knows the product better – Reports back on security aspects • Who? – Curious, security friendly • Growth potential – join the dark side
Security Collaborations Reflecting on Agile: “The best architectures, requirements, and designs emerge from self- organizing teams.”  Teams contain different positions, responsibilities, practices and quite versatile
Security Collaborations The Team Team Leader Developer / Architect QA System Analyst  The Security Guy
Security Collaborations Customized Training • Stop using ‘one session fits all’ • Create tracks per position • Use examples from your products • Track, certify, re-certify Flexibility in carrying out security tasks
Security Collaborations Training Name Developer Architects Functional Analyst Security Team QA Team Leaders PM Basic Security Training Yes Yes Yes Yes Yes Yes (no test) Optional Security Analysis Optional Optional Yes Yes Opt. Opt. Optional Secure Design Optional Yes Optional Yes Opt. Opt. Optional Secure Development Yes Yes Optional Yes Opt. Yes (no test) Optional Security Testing Optional Optional Optional Yes Yes Opt. Optional Adv. Security Testing Optional Optional Optional Yes Opt. Opt. Optional Risk Management Optional Optional Optional Yes Opt. Yes (no test) Yes (no test)
Crunching Numbers • Requirements • Design • Coding • Testing Development • Distributing • Deploying • Feedback / IR Release • Researching • Exploiting • Pivoting Abuse Track of insecure software:
Crunching Numbers “We will fix it post release!” Jeremiah Grossman WhiteHat Security AppSec Israel 2015
Crunching Numbers “Ok. BUT – if our software causes a breach, the customer will surely detect it.” Global Advanced Threat Landscape Survey CyberArk 2015
Crunching Numbers “I’m sure that there are other factors for a breach than bad practices of development and deployment” Global Advanced Threat Landscape Survey CyberArk 2015
Crunching Numbers “It doesn’t matter as a lot of companies secure their networks anyways against breaches” Analyzing Real-World Exposure to Windows Credential Theft Attacks CyberArk Labs 2015
Crunching Numbers (Size does not matter, in this case.) Analyzing Real-World Exposure to Windows Credential Theft Attacks CyberArk Labs 2015
Conclusions • Agile is a modern methodology for software development which is commonly used – In theory – security could be integrated – In practice – there are some glitches • Don’t be afraid to adjust (use the in this ppt) • There is a long chain of product security – SDLC is first in line – You really don’t want to experience security incident down the chain
Questions? Thank you! Daniel Liber Daniel.Liber@CyberArk.com https://il.linkedin.com/in/liberdaniel CyberArk http://www.cyberark.com/

Empfohlen

From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaDevSecCon
 
Devops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevSecCon
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon
 
OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About
OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About
OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About Daniel Liber
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorDevSecCon
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 

Empfohlen

From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaDevSecCon
 
Devops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevSecCon
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon London 2017: How far left do you want to go with security? by Javie...DevSecCon
 
OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About
OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About
OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About Daniel Liber
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorDevSecCon
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017 Dinis Cruz
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
The Rise of DevSecOps - Fabian Lim - DevSecOpsSgThe Rise of DevSecOps - Fabian Lim - DevSecOpsSg
The Rise of DevSecOps - Fabian Lim - DevSecOpsSgDevSecOpsSg
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOpsIrina Kostina
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...Freek Kauffmann
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...Simone Onofri
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2Dinis Cruz
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Security Innovation
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs toolsGeoffrey Vaughan
 
Building Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFBuilding Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFMichael Kehoe
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementDevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementShriniKulkarni
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Secure360 May 2018 Lessons Learned from OWASP T10 Datacall
Secure360 May 2018 Lessons Learned from OWASP T10 DatacallSecure360 May 2018 Lessons Learned from OWASP T10 Datacall
Secure360 May 2018 Lessons Learned from OWASP T10 DatacallBrian Glas
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 

Weitere ähnliche Inhalte

Was ist angesagt?

Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017 Dinis Cruz
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
The Rise of DevSecOps - Fabian Lim - DevSecOpsSgThe Rise of DevSecOps - Fabian Lim - DevSecOpsSg
The Rise of DevSecOps - Fabian Lim - DevSecOpsSgDevSecOpsSg
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...Freek Kauffmann
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...Simone Onofri
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2Dinis Cruz
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Security Innovation
 
Building Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFBuilding Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFMichael Kehoe
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementDevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementShriniKulkarni
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Secure360 May 2018 Lessons Learned from OWASP T10 Datacall
Secure360 May 2018 Lessons Learned from OWASP T10 DatacallSecure360 May 2018 Lessons Learned from OWASP T10 Datacall
Secure360 May 2018 Lessons Learned from OWASP T10 DatacallBrian Glas
 

Was ist angesagt? (20)

Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
The Rise of DevSecOps - Fabian Lim - DevSecOpsSgThe Rise of DevSecOps - Fabian Lim - DevSecOpsSg
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
 
Building Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSFBuilding Production-Ready Microservices: DevopsExchangeSF
Building Production-Ready Microservices: DevopsExchangeSF
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementDevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident Management
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Secure360 May 2018 Lessons Learned from OWASP T10 Datacall
Secure360 May 2018 Lessons Learned from OWASP T10 DatacallSecure360 May 2018 Lessons Learned from OWASP T10 Datacall
Secure360 May 2018 Lessons Learned from OWASP T10 Datacall
 

Ähnlich wie BSides Vienna 2015

Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019Stefan Streichsbier
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019Stefan Streichsbier
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Moving Security to the Left
Moving Security to the LeftMoving Security to the Left
Moving Security to the LeftJavier Godinez
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_programShannon Lietz
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile worldStefan Streichsbier
 

Ähnlich wie BSides Vienna 2015 (20)

Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
Product Security
Product SecurityProduct Security
Product Security
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Moving Security to the Left
Moving Security to the LeftMoving Security to the Left
Moving Security to the Left
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_program
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 

BSides Vienna 2015

  • 1. Pole Vaulting over Agile Security Pits Daniel Liber
  • 2. ~whoami • Current: Security Leader @ CyberArk – Product security – Strategy and process driven – A pain in the insecurity’s a$$ • Past @ multiple places – Consulting, Research, PT
  • 3. ~whereami • CyberArk – Privileged account security – Look us up (we’re hiring ) www.cyberark.com/
  • 4. ~quote “Sometimes you just have to jump off the cliff without knowing where you will land”
  • 5. ~agenda • Agile, a reminder • SDLC and Agile • Collaboration with R&D for security • Crunching numbers – Why is this issue so important?
  • 6. So… Agile? Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan
  • 9. Security Frameworks & Dev Reflecting on Agile: “Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.”
  • 10. Security Frameworks & Dev • Vendor SDLC programs – Microsoft – SAP – Cisco – Etc.. • Maturity Models – OWASP SAMM – BSIMM • NIST <Compatibility issues>
  • 11. Security Frameworks & Dev Bryan Sullivan (Microsoft) @ BlackHat 2010
  • 12. Security Frameworks & Dev (Microsoft SDL for Agile)
  • 14. Security Frameworks & Dev Reflecting on Agile: “Welcome changing requirements, even late in development.”  Threat modeling not only for new features, but also for CHANGED features
  • 15. Security Frameworks & Dev Threat Modeling • Approach: – Attack / software / asset centric • Mapping – Assets / Actors / Entry points • Flow – Data / Process / Logic Not as lightweight as expected from a sprint task
  • 16. Security Frameworks & Dev Coordinating with Product Owner Emperor of the backlog •Product’s roadmap •‘Sensitive’ features attention •Setting security sprints (bucket security tasks) •Cut-off for most important threats
  • 17. Security Collaborations Reflecting on Agile: “The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.”
  • 19. Security Collaborations Pop Quiz • Sprint of 2 weeks • Overlooking 4 teams • Participating in every daily (15 minutes long) 10 days X 4 teams X 15 min. = 10 hours ~ 1 day = 10% of your time
  • 20. Security Frameworks & Dev Security Champions Team’s “security bouncer” • Why? – Probably knows the product better – Reports back on security aspects • Who? – Curious, security friendly • Growth potential – join the dark side
  • 21. Security Collaborations Reflecting on Agile: “The best architectures, requirements, and designs emerge from self- organizing teams.”  Teams contain different positions, responsibilities, practices and quite versatile
  • 22. Security Collaborations The Team Team Leader Developer / Architect QA System Analyst  The Security Guy
  • 23. Security Collaborations Customized Training • Stop using ‘one session fits all’ • Create tracks per position • Use examples from your products • Track, certify, re-certify Flexibility in carrying out security tasks
  • 24. Security Collaborations Training Name Developer Architects Functional Analyst Security Team QA Team Leaders PM Basic Security Training Yes Yes Yes Yes Yes Yes (no test) Optional Security Analysis Optional Optional Yes Yes Opt. Opt. Optional Secure Design Optional Yes Optional Yes Opt. Opt. Optional Secure Development Yes Yes Optional Yes Opt. Yes (no test) Optional Security Testing Optional Optional Optional Yes Yes Opt. Optional Adv. Security Testing Optional Optional Optional Yes Opt. Opt. Optional Risk Management Optional Optional Optional Yes Opt. Yes (no test) Yes (no test)
  • 25. Crunching Numbers • Requirements • Design • Coding • Testing Development • Distributing • Deploying • Feedback / IR Release • Researching • Exploiting • Pivoting Abuse Track of insecure software:
  • 26. Crunching Numbers “We will fix it post release!” Jeremiah Grossman WhiteHat Security AppSec Israel 2015
  • 27. Crunching Numbers “Ok. BUT – if our software causes a breach, the customer will surely detect it.” Global Advanced Threat Landscape Survey CyberArk 2015
  • 28. Crunching Numbers “I’m sure that there are other factors for a breach than bad practices of development and deployment” Global Advanced Threat Landscape Survey CyberArk 2015
  • 29. Crunching Numbers “It doesn’t matter as a lot of companies secure their networks anyways against breaches” Analyzing Real-World Exposure to Windows Credential Theft Attacks CyberArk Labs 2015
  • 30. Crunching Numbers (Size does not matter, in this case.) Analyzing Real-World Exposure to Windows Credential Theft Attacks CyberArk Labs 2015
  • 31. Conclusions • Agile is a modern methodology for software development which is commonly used – In theory – security could be integrated – In practice – there are some glitches • Don’t be afraid to adjust (use the in this ppt) • There is a long chain of product security – SDLC is first in line – You really don’t want to experience security incident down the chain