this is to present the core concepts of SDLC, Agile and secure SDLC and the difference between them.

1. SDLC – Agile & Secure SDLC
/Paul 20160511

2. Agenda
1. SDLC
2. Agile
3. Secure SDLC

3. SDLC

4. I want to build a swing

5. I believe folks will help me to build that

6. But it turns out or even worse

7. That’s what I want Though I explained it at first

8. What’s SDLC
A process to cook system/application

9. Why uses SDLC
Manage the constraints of the “Golden Triangle”

10. Why uses SDLC (cont)
I want to make it quicker!

11. Why uses SDLC (cont)
I want to make it cheaper!

12. Why uses SDLC (cont)
I want to make it bigger!

13. 68% of SDLC Projects fail
McKinsey – 17% of large IT Projects fail miserably
Geneca - Large IT Projects run 45% over budget, 7%
over time, delivering 56% less value 75% Project
participants lack confidence in their project

14. No “Silver Bullet” method that would solve project
problems for everyone, everywhere
Selecting SDLC

15. Selecting SDLC (cont)
Core Activities
AnalysisPlanning Implementation Test DeploymentRequirement Maintain
Appoach/Type
Sequential Design Iterative Design
Models
AgileWaterfall SpiralV-model More..
Frameworks/Methodologies
SCRUM XPTDD BDD
Compiler Debugger Profiler GUI designer IDE Build automation
DDD RUP
Tools
CMMI, IEEE, ISO 9001..more
Standards
More..

16. Waterfall Model
Assumptions:
• big requirements up front (BRUF),
• small enough change at reqs (no revisit),
• SI goes well,
• sw innovation and the research can work on predictable schedule…more

17. Issues With Waterfall Method
it is difficult to react to changes
Iterations are expensive

18. Iterative ways to tackle

19. AGILEIterative
AdaptableRapid
Cooperative
Quality-driven
Not a process, it's a philosophy or set of values

20. Agile Manifesto

21. Agile Umbrella
Agile
Crystal
XPScrum
DSDM
FDD
Kanban RUP
RUP (120+)
XP (13)
Scrum (9)
Kanban (3)
Do Whatever!! (0)
More Prescriptive
More Adaptive
and few more…
* Check wikipedia for list of all Agile methods
RUP has over 30 roles, over 20
activities, and over 70 artifacts
more rules to follow
fewer rules to follow

22. Scrum
A light-weight agile process tool
Split your work
Split your organization
Scrum Team
Scrum Master
Product/ Project
Owner
Split time (usually 2 – 4 weeks)
Jan May
Optimize the release plan and priority
Optimize the process

23. Scrum in a nutshell
So instead of a large group spending a long time building a
big thing, we have a small team spending a short time
building a small thing.

24. “Better-Than-Not-Doing-It” Results
• 88% of respondents to the VersionOne State of Agile
Development Survey 2013 said that their organizations were
practicing agile development. 92% of the respondents
reported year-over-year improvements in all areas measured
by the survey, with the leading categories being the ability
to manage changing priorities (92%), increased
productivity (87%), improved project visibility
(86%), improved team morale (86%), and enhanced
software quality (82%).

25. “Better-Than-Not-Doing-It” Results (cont)
A Fractured Perspective, people only see what they want to see

26. How Scrum really works
collective commitment and self-organization

27. Secure SDLC

28. Security is a MUST-DO for your SW

30. Security Assurance
Discover and Avoid Vulnerability
Attack detection and elimination
Exposure limitation and recovery

31. Code Vulnerability - SQLI
SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of
2007 and 2010
If the web code doesn’t treat input well before
sending SQL query to database

32. SQL Injection Based on 1=1 or ""=""
Attacker can smuggle to change app behaviour
For example, bypass login authentication
Code Vulnerability – SQLI (cont)

33. Percentage of Total Infections

34. why vulnerability is so matter but code
is still unsecured
I know when I’m writing code I’m not
thinking about evil, I’m just trying to think
about functionality» (с) Scott Hanselman
Developer
May Know bout OWASP Top 10
but only care about 1 threat (DEADLINE fail)

35. Risks are for managers, not developers

36. Common way in security audit
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of
security
defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
Security should be designed into a system, difficult
to make secured afterward

37. Large time you need to fix security
issue in app?

38. How it should look – secure SDLC
Automated
security
Tests
CI
integrated
Manual
security
Tests
OWASP methodology
Secure
Coding
trainings
Regular
Vulnerability
Scans
security defects should decrease from phase to phase

39. Microsoft SDL
Lifecycle Model / frameworks/ Standards
NIST SP 800-64 Rev. 2
NIST SP 800-53 Rev 4,
NIST Cybersecurity Framework

40. Additional tools
Software Engineering Institute Carnegie Mellon - CERT
Open Software Assurance Maturity Model (OpenSAMM)
Software Assurance Metrics and Tool Evaluation (SAMATE)
Open Source Security Testing Methodology Manual (OSSTMM 3)
More…

41. Reference
http://online.husson.edu/software-development-cycle/
https://uk.pinterest.com/pin/266064290462173346/
http://www.infoq.com/resource/articles/scaling-software-agility/en/resources/ch02.pdf
http://www.slideshare.net/hareshkarkar/overview-of-agile-
methodology?from_action=save
http://resources.infosecinstitute.com/
http://www.slideshare.net/TjylenVeselyj/intro-to-security-in-sdlc
http://www.slideshare.net/NazarTymoshyk/agile-and-secure-sdlc
https://ics-cert.us-cert.gov/Standards-and-References
http://www.albany.edu/acc/courses/ia/acc661/NIST-SP800-64.pdf
https://www.bsimm.com
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

42. Q&A

43. Backup

44. Iterative ways to tackle

45. Planning
• 3 days
• 1 day readout for points (5/9?)
• 1 day prepare slide (5/10?)
• 1 day practice (當天?)
• May 11 – 4 day = May 7 ~ 8
No – prepare no latter than 5/8
• ME – 2 pages
• What’s SDLC? - 1
• Why Agile SDLC? -2
• HowTo -2
• What -1
• Why security? - 2
• How -2
• What - 1
• 2 thing together – 2
• Extends – standard -3
Conclusion – 1
19 pages

46. Outline
• SDLC
• What’s – core activities/people
• Why’s that
• How – sequence/interative, incremental / doc driven (Waterfall, RUP, Sprial,
Agileze…more )
• for comparision, must mention waterfall
• Explain what/how
• However, the problems it create
• Problem -> Impacts
• Agile way
• Benefits  problems but there’s also problem there
• Expalin how it fix
• Problem 有座跟沒做好一點?
• Why: 重形不重義
• What SCRUM really is – sefl org /
• Why each
• 只是 why Agile coach doesn’t tell – time and also is caused by betacuy issue
• Conclusion Agile coach actually changes DNA of company - self-org / collective commitment

47. Outline
• SECURITY in SDLC
• What/WHY’s that
• Secure code/DDD /XXX /XXXX/ XXXX/… more
• Why: IMPACT
• WHY: ppl don’t know
• Awareness by geo and biz --- analogy (like sick will you locked the door in city / culture)
• Why put it into the process?
• Beforehand ppl Bolt it and treat it especial -> cause problem (recode, retest redo…)
• HOW
• The strategy to do ABC
• The product(flow/standard) to do, MS, SDD, DWQDQW
• The infrastructure to do
• Conclusion: depend company budget
• Synergy between Agile and security
• Embedded security’s DNA into Agile component,
• Q&A

48. Synergy between Agile and Security

50. What’s SDLC
Process to create SW/SYS stuffs

51. Scrum vs. Waterfall
REQUIREMENTS
DESIGN
DEVELOPMENT
TESTING
MAINTENANCE

52. Iterative Scrum

53. What’s – core activities/people
systems development life cycle (SDLC)
Core actoivities
Requirements Design
Construction Testing Debugging
Deployment Maintenance
Engineering Process
- Core Activities
- Paradigms (set of methods and methodologies)
- Philosophy & Values
- Methodologies (frameworks)
- Principles
- Roles
- WorkFlows
- Artifacts
- Tools
- Standards

54. What’s – core activities/people
• control points
• Sos
• Sprint review
• Daily Scrum
• activities
• Approach
• Cycle
• Planning: formal
• Scope
• Artifacts
• Type of Project/Product: Recommed

55. Additional tools
Open Software Assurance Maturity Model (OpenSAMM)
Open Source Security Testing Methodology Manual (OSSTMM 3)
The Open Web Application Security Project (OWASP)
Secure-SDLC
Software Assurance Metrics and Tool Evaluation (SAMATE)
Software Engineering Institute Carnegie Mellon - CERT
Systems Security Engineering Capability Maturity Model (SSE-CMM)

56. AUTOMATED CODE ANALYSIS

57. LINEAR INTEGRATION APPROACH

58. Microsoft SDL

59. PRE SDL TRAINING:
• Introduction to Microsoft SDL
• Essential Software Security Training for the
Microsoft SDL
• Basics of Secure Design, Development and Test
• Introduction to Microsoft SDL Threat Modeling
• SDL Quick Security References
• SDL Developer Starter Kit
Training

60. • SDL Practice #2: Establish Security and Privacy
Requirements (one time practice)
• SDL Practice #3: Create Quality Gates/Bug Bars
• SDL Practice #4: Perform Security and Privacy
Risk Assessments (one time practice)
Requirements Phase

61. • Establish Design Requirements (one time
practice)
• Attack Surface Analysis/Reduction (one time
practice)
• Use Threat Modeling
• Mitigation of threats
• Secure Design
• Formulating security guidelines
• Security Design Review
Design

62. • SDL Practice #8: Use Approved Tools
• SDL Practice #9: Deprecate Unsafe Functions
• SDL Practice #10: Perform Static Analysis
Implementation

63. Bucket practices:
• SDL Practice #11: Perform Dynamic Analysis
• SDL Practice #12: Fuzz Testing
• SDL Practice #13: Attack Surface Review
Verification Phase

64. • SDL Practice #14: Create an Incident Response
Plan (one time practice)
• SDL Practice #15: Conduct Final Security Review
• SDL Practice #16: Certify Release and Archive
Release Phase

65. • SDL Practice #17: Execute Incident Response Plan
• Analysis vulnerability information
• Risk calculation
• Patch release
• Clients notification
• Information publishing
Response Phase

66. What’s SDLC