13. 68% of SDLC Projects fail
McKinsey – 17% of large IT Projects fail miserably
Geneca - Large IT Projects run 45% over budget, 7%
over time, delivering 56% less value 75% Project
participants lack confidence in their project
14. No “Silver Bullet” method that would solve project
problems for everyone, everywhere
Selecting SDLC
16. Waterfall Model
Assumptions:
• big requirements up front (BRUF),
• small enough change at reqs (no revisit),
• SI goes well,
• sw innovation and the research can work on predictable schedule…more
17. Issues With Waterfall Method
it is difficult to react to changes
Iterations are expensive
21. Agile Umbrella
Agile
Crystal
XPScrum
DSDM
FDD
Kanban RUP
RUP (120+)
XP (13)
Scrum (9)
Kanban (3)
Do Whatever!! (0)
More Prescriptive
More Adaptive
and few more…
* Check wikipedia for list of all Agile methods
RUP has over 30 roles, over 20
activities, and over 70 artifacts
more rules to follow
fewer rules to follow
22. Scrum
A light-weight agile process tool
Split your work
Split your organization
Scrum Team
Scrum Master
Product/ Project
Owner
Split time (usually 2 – 4 weeks)
Jan May
Optimize the release plan and priority
Optimize the process
23. Scrum in a nutshell
So instead of a large group spending a long time building a
big thing, we have a small team spending a short time
building a small thing.
24. “Better-Than-Not-Doing-It” Results
• 88% of respondents to the VersionOne State of Agile
Development Survey 2013 said that their organizations were
practicing agile development. 92% of the respondents
reported year-over-year improvements in all areas measured
by the survey, with the leading categories being the ability
to manage changing priorities (92%), increased
productivity (87%), improved project visibility
(86%), improved team morale (86%), and enhanced
software quality (82%).
31. Code Vulnerability - SQLI
SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of
2007 and 2010
If the web code doesn’t treat input well before
sending SQL query to database
32. SQL Injection Based on 1=1 or ""=""
Attacker can smuggle to change app behaviour
For example, bypass login authentication
Code Vulnerability – SQLI (cont)
34. why vulnerability is so matter but code
is still unsecured
I know when I’m writing code I’m not
thinking about evil, I’m just trying to think
about functionality» (с) Scott Hanselman
Developer
May Know bout OWASP Top 10
but only care about 1 threat (DEADLINE fail)
36. Common way in security audit
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of
security
defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
Security should be designed into a system, difficult
to make secured afterward
38. How it should look – secure SDLC
Automated
security
Tests
CI
integrated
Manual
security
Tests
OWASP methodology
Secure
Coding
trainings
Regular
Vulnerability
Scans
security defects should decrease from phase to phase
45. Planning
• 3 days
• 1 day readout for points (5/9?)
• 1 day prepare slide (5/10?)
• 1 day practice (當天?)
• May 11 – 4 day = May 7 ~ 8
No – prepare no latter than 5/8
• ME – 2 pages
• What’s SDLC? - 1
• Why Agile SDLC? -2
• HowTo -2
• What -1
• Why security? - 2
• How -2
• What - 1
• 2 thing together – 2
• Extends – standard -3
Conclusion – 1
19 pages
46. Outline
• SDLC
• What’s – core activities/people
• Why’s that
• How – sequence/interative, incremental / doc driven (Waterfall, RUP, Sprial,
Agileze…more )
• for comparision, must mention waterfall
• Explain what/how
• However, the problems it create
• Problem -> Impacts
• Agile way
• Benefits problems but there’s also problem there
• Expalin how it fix
• Problem 有座跟沒做好一點?
• Why: 重形不重義
• What SCRUM really is – sefl org /
• Why each
• 只是 why Agile coach doesn’t tell – time and also is caused by betacuy issue
• Conclusion Agile coach actually changes DNA of company - self-org / collective commitment
47. Outline
• SECURITY in SDLC
• What/WHY’s that
• Secure code/DDD /XXX /XXXX/ XXXX/… more
• Why: IMPACT
• WHY: ppl don’t know
• Awareness by geo and biz --- analogy (like sick will you locked the door in city / culture)
• Why put it into the process?
• Beforehand ppl Bolt it and treat it especial -> cause problem (recode, retest redo…)
• HOW
• The strategy to do ABC
• The product(flow/standard) to do, MS, SDD, DWQDQW
• The infrastructure to do
• Conclusion: depend company budget
• Synergy between Agile and security
• Embedded security’s DNA into Agile component,
• Q&A
53. What’s – core activities/people
systems development life cycle (SDLC)
Core actoivities
Requirements Design
Construction Testing Debugging
Deployment Maintenance
Engineering Process
- Core Activities
- Paradigms (set of methods and methodologies)
- Philosophy & Values
- Methodologies (frameworks)
- Principles
- Roles
- WorkFlows
- Artifacts
- Tools
- Standards
54. What’s – core activities/people
• control points
• Sos
• Sprint review
• Daily Scrum
• activities
• Approach
• Cycle
• Planning: formal
• Scope
• Artifacts
• Type of Project/Product: Recommed
55. Additional tools
Open Software Assurance Maturity Model (OpenSAMM)
Open Source Security Testing Methodology Manual (OSSTMM 3)
The Open Web Application Security Project (OWASP)
Secure-SDLC
Software Assurance Metrics and Tool Evaluation (SAMATE)
Software Engineering Institute Carnegie Mellon - CERT
Systems Security Engineering Capability Maturity Model (SSE-CMM)
59. PRE SDL TRAINING:
• Introduction to Microsoft SDL
• Essential Software Security Training for the
Microsoft SDL
• Basics of Secure Design, Development and Test
• Introduction to Microsoft SDL Threat Modeling
• SDL Quick Security References
• SDL Developer Starter Kit
Training
60. • SDL Practice #2: Establish Security and Privacy
Requirements (one time practice)
• SDL Practice #3: Create Quality Gates/Bug Bars
• SDL Practice #4: Perform Security and Privacy
Risk Assessments (one time practice)
Requirements Phase
61. • Establish Design Requirements (one time
practice)
• Attack Surface Analysis/Reduction (one time
practice)
• Use Threat Modeling
• Mitigation of threats
• Secure Design
• Formulating security guidelines
• Security Design Review
Design
62. • SDL Practice #8: Use Approved Tools
• SDL Practice #9: Deprecate Unsafe Functions
• SDL Practice #10: Perform Static Analysis
Implementation
63. Bucket practices:
• SDL Practice #11: Perform Dynamic Analysis
• SDL Practice #12: Fuzz Testing
• SDL Practice #13: Attack Surface Review
Verification Phase
64. • SDL Practice #14: Create an Incident Response
Plan (one time practice)
• SDL Practice #15: Conduct Final Security Review
• SDL Practice #16: Certify Release and Archive
Release Phase
65. • SDL Practice #17: Execute Incident Response Plan
• Analysis vulnerability information
• Risk calculation
• Patch release
• Clients notification
• Information publishing
Response Phase