Agile and Secure Can We Be Both? San Antonio AITP. August 15 th, 2007

Similar documents
Introduction to Agile/Extreme Programming

1. Organizational information (company and business unit): 2. How large is the organization (number of employees)? !25 8.7%

Agile Methods. Background

Agile Software Development. Agile Software Development Basics. Principles of the Agile Alliance. Agile Manifesto. Agenda. Agile software development

The Art of Agile Practice

Extreme Programming, an agile software development process

Agile Software Development

Introduction to Agile Life Cycles. CSCI 5828: Foundations of Software Engineering Lecture 07 09/13/2016

Agile Test Plan How to Construct an Agile Test Plan

Agile Methodology. Tech Focus. Agile Methodology: Characteristics. Techspace Home Tech Focus Case Study Trend Watch Thought Post

AGILE BASICS. All slides copyright Philip Japikse

Introduction to Software Life Cycles and Agile. CSCI 5828: Foundations of Software Engineering Lecture 03 09/02/2014

Management by Consensus

AGILE DEVELOPMENT AND ITS IMPACT ON PRODUCTIVITY

Scrum Test Planning. What goes into a scrum test plan?

PMI Agile Certified Practitioner (PMI-ACP) Duration: 48 Hours

BA25-Managing the Agile Product Development Life Cycle

Accenture Architecture Services. DevOps: Delivering at the speed of today s business

D25-4. How Intertech Uses Agile

Harnessing the power of agile development

Agile Quality Management

Agile Delivery Framework (ADF)

[control] [data] [process] [strategy] [partners] [testing] [validation]

Choose an Agile Approach

Session 11E Adopting Agile Ground Software Development. Supannika Mobasser The Aerospace Corporation

Accelerating Your DevOps Journey

Agile Surveillance Points

Software Engineering Lecture 5 Agile Software Development

Non-object-oriented design methods. Software Requirements and Design CITS 4401 Lecture 15

What is Continuous Integration. And how do I get there

AGILE TEST MANAGEMENT WITH VISUAL STUDIO

SOFTWARE DEVELOPMENT. Process, Models, Methods, Diagrams Software Development Life Cyles. Part - V

AGILE SOLUTIONS. Agile Basics

Agile Practices in Regulated Railway Software Development

1. The Case for Agile 2. The Scrum Process 3. Scaling Scrum

Agile Software Development

THE ADVANTAGES OF AGILE METHODOLOGIES APPLIED IN THE ICT DEVELOPMENT PROJECTS

SCRUM - LESSONS FROM THE TRENCHES

INTRO TO AGILE PRESENTED BY. Copyright Davisbase LLC

Improving Agile Execution in the Federal Government

Virtually Agile. Astro Sabre (Matt Ganis) IBM, Senior Technical Staff Member Hawthorne, NY - September 20, 2007

Rapid software development. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 17 Slide 1

Securing 100 Products - How Hard Can It Be?

SOFTWARE TESTING PROCESS IN AGILE DEVELOPMENT

Chapter 01 - The Process The Process Application Process ACP Qualifications Scheduling Your Exam Rescheduling/Cancelling Fees

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

In-House Agile Training Offerings

This course will explore how your projects can easily and successfully make the transition to an effective Agile environment.

Waterfall model is the earliest SDLC approach that was used for software development.

Processes and Life- Cycles. Kristian Sandahl

Introduction to Agile and Scrum

Finally! A Model for Evaluating Agile Performance: The Agile Performance Holarchy. Darian Poinsetta Senior Executive Agile CxO

Agile Transformation:

Software Development Life Cycle:

EXtreme Programming explained: embrace change by Kent Beck, Addison Wesley, September 1999.

Scaling Agile to the Enterprise

Addressing Enterprise Complexity with the

Development Environment Definition

Chapter 3 Agile Software Development

Preparation Guide. EXIN Agile Scrum Foundation

Agile, IT, and the Business Community

Did You Pack the 12 Agile Principles on Your Agile Journey?

Adopting to Agile Software Development

Certified Scrum Developer Program Introduction presented by. Copyright Davisbase LLC

A Guide to Critical Success Factors in Agile Delivery

ENGAGING A PRODUCT OWNER ON A GOVERNMENT CONTRACT

Achieving Balance: The New Pivotal Points of Software Development

Change Agile. Ben Linders, André Heijstek. veranderproject.nl

Scrum - Introduction. Petri Heiramo. Agile Coach, CST

PMBOK versus Agile (Is Agile the New PMBOK?)

Rekayasa Perangkat Lunak 2 (IN043): Pertemuan 10. * Construction, Installation and Operations * Agile Method Software Development

Standard Work and the Lean Enterprise Net Objectives Inc. All Rights Reserved.

Thriving in an Agile Environment. Kathryn Poe Rocky Mountain Chapter Feb 16, 2012

Waterfall to Agile: Flipping the Switch Bhushan Gupta Nike Inc. October 9, 2012

Agile & Lean / Kanban

Lecture 29: Agile Design and Extreme Programming

Can Your Proposal Process Be More Agile?

AGILE methodology- Scrum

18-642: Software Development Processes

Sample Exam ISTQB Agile Foundation Questions. Exam Prepared By

Learning Objectives. Agile Modeling and. Major Topics. Prototyping. Patched Up Prototype. Agile Modeling, but First. Prototyping

IT Revolution. foreword by Gene Kim

The XBOSoft 2012 Scrum Testing Survey

Introduction to Software Project Management. CITS3220 Software Requirements & Project Management

Two Branches of Software Engineering

"Charting the Course... Application Lifecycle Management Using Visual Studio 2010 (Agile) Course Summary

This tutorial also elaborates on other related methodologies like Agile, RAD and Prototyping.

Best Practices for Enterprise Agile Transformation

Agile Introduction for Leaders

Introduction to Agile (Scrum)

Agile Easy Read Snippets - Book 1. Agile Snippets. David Geoffrey Litten Agile Primer

agilesem an agile System Development Method at Siemens in CEE Eva Kišoňová, Ralph Miarka SW Quality Days Vienna January 2012

The Top 13 Organization Challenges of Agile Development and a Solution to Each

Risk Management and the Minimum Viable Product

SAP BUSINESS GROUP AGILE FOR SAP SOLUTIONS

Agile Development Methodologies:

Generalizing Agile Software Development Life Cycle

Enterprise Agile: Are You Ready?

TSP*-Agile Blend: The Gun Smoke Clears

Application of Agile Delivery Methodologies. Bryan Copeland Energy Corridor Brown Bag Event August 31, 2016

Transcription:

Agile and Secure Can We Be Both? San Antonio AITP August 15 th, 2007

Agenda Background Evolution of traditional software development methodologies Benefits of Agile development Requirement for Secure development Agile and Secure Questions 1

Background Programmer by background Both.NET and JEE: MCSD, Java 2 Certified Programmer Developer focused on security, not a security professional looking at development Denim Group Software Development:.NET and JEE Software / Application Security Vulnerability Assessments, Penetration Tests, Training, Mentoring Basis for this presentation: Work with our customers doing SDLC security mentoring Challenges facing our own agile development teams Deliver projects in an economically-responsible manner Uphold security goals 2

Evolution of Traditional Software Development Methodologies Ad Hoc Waterfall 3

Ad Hoc Software Development Early days of computing Focus was on hardware Software was secondary No structure cowboy coding Became unacceptable as software systems became larger and more critical 4

Waterfall Software Development Treat software engineering as any structure engineering process House building metaphor 5

Waterfall Software Development Requirements Architecture Design Coding Integration Testing Deployment 6

Problems with Waterfall Model Creating software is different than creating bridges or buildings Creativity required throughout the process not just at the outset Very documentation heavy Changes are expensive Must go back up the waterfall for impact analysis Business requirements change over time By the time you finish a system, the target has moved 7

Enter Agile Methods Be more responsive to business concerns Increase the frequency of stable releases Decrease the time it takes to deploy new features Do not waste time on superfluous documentation and planning 8

Notable Agile Methods extreme Programming (XP) Feature Driven Development (FDD) SCRUM MSF for Agile Software Development Agile Unified Process (AUP) Crystal 9

Manifesto for Agile Software Development Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Source: http://www.agilemanifesto.org/ 10

Agile s Core Values Communication Simplicity Feedback Courage 11

Principles of Agile Development Rapid Feedback Simple Design The system is appropriate for the intended audience. The code passes all the tests. Incremental Change Embracing Change Quality Work The code communicates everything it needs to. Thecodehasthesmallestnumber has smallest of classes and methods. 12

Agile Practices The Planning Game The Driving Metaphor Customer:scope, priorities and release dates Developer: estimates, consequences and detailed scheduling Shared Vision On-Site Customer Small Releases Development iterations or cycles that last 1-4 weeks. Release iterations as soon as possible (weekly, monthly, quarterly). 13

More Agile Practices Collective Ownership Test Driven Continuous Integration Coding Standards Pair Programming 14

The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease the time it takes to deploy new features Do not waste time on superfluous documentation and planning Secure Forces: Comply with more aggressive regulatory environment Focus on need for security Traditional approaches to security require additional documentation and planning (D Oh!) 15

Definition of Secure A secure product is one that protects the confidentiality, integrity, and availability of the customers information, and the integrity and availability of processing resources under control of the system s stem s owner or administrator. -- Source: Writing Secure Code (Microsoft.com) com) 16

A Secure Development Process Strives To Be A Repeatable Process Requires Team Member Education Tracks Metrics and Maintains Accountability Sources: Writing Secure Code 2 nd Ed., Howard & LeBlanc The Trustworthy Computing Security Development Lifecycle by Lipner & Howard 17

Secure Development Principles SD 3 : Secure by Design, Secure by Default, and in Deployment Learn From Mistakes Minimize Your Attack Surface Assume External Systems Are Insecure Plan On Failure Never Depend on Security Through Obscurity Alone Fix Security Issues Correctly 18

Secure Development Practices Threat Modeling / Architectural Risk Assessment Education, Education, Education Secure Coding Via standards and practitioner knowledge Security Reviews Architecture t Design Code Security Testing (Penetration Testing) 19

Microsoft s s Secure Development Lifecycle (SDL) Requirements Design Implementation Verification Release (Waterfall!) 20

Dr. Dobb s says Agile Methods Are Catching On 41% of organizations have adopted an agile methodology Of the 2,611 respondents doing agile 37% using extreme Programming 19% using Feature Driven Development (FDD) 16% using SCRUM 7% using MSF for Agile Software Development Source: http://www.ddj.com/dept/architect/191800169 21

Agile Teams are Quality Infected 60% reported increased productivity 66% reported improved quality 58% improved stakeholder satisfaction 22

Adoption Rate for Agile Practices Of the respondents using an agile method 36% have active customer participation 61% have adopted common coding guidelines 53% perform code regression testing 37% utilize pair programming 23

An Integrated Process Making Agile Trustworthy 24

Project Roles Product Manager / Customer Program Manager / Coach Architect Developer Tester Security Adviser 25

Organization Setup Education & Training (include Security) Developers Testers Customers User Stories / Use Case Driven Processes Enterprise Architecture Decisions Organizational adoption of Threat Modeling 26

Project / Release Planning User Stories / Use Cases Drive Acceptance Test Scenarios Estimations may affect priorities and thus the composition of the release Inputs for Threat Modeling Security Testing Scenarios Determine the qualitative risk budget Keep the customer involved in making risk tradeoffs Finalize Architecture & Development Guidelines Common Coding Standards (include security) Crucial for collective code ownership Data Classification standards Conduct Initial Threat Modeling (assets & threats) Agree on STRIDE and DREAD classifications Designer s Security Checklist 27

Iteration Planning 1-4 Weeks in Length (2 weeks is very common) Begins with an Iteration ti Planning Meeting User Stories are broken down into Development Tasks Developers estimate their own tasks Document the Attack Surface (Story Level) Model the threats alongside the user story documentation Crucial in documentation-light processes Capture these and keep them Code will tell you what decision was made, threat models will tell you why decisions were made Crucial for refactoring in the face of changing security priorities Never Slip the Date Add or Remove Stories As Necessary 28

Executing an Iteration Daily Stand-ups Continuous Integration Code Scanning Tools Security Testing Tools Adherence to Common Coding Standards and Security Guidelines Crucial for communal code ownership Developer s Checklist 29

Closing an Iteration Automation of Customer Acceptance Tests Include negative testing for identified threats Security Code Review Some may have happened informally during pair programming 30

Stabilizing a Release Schedule Defects & Vulnerabilities Prioritize vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards d Security Push Include traditional penetration testing 31

Compromises We ve Made Security Compromises: Short term, iterative focus removes top down control Focus on individual features can blind process to cross-feature security issues Agile Compromises: More documentation than is required in pure Agile development Security coding standards Data classification standards Project-specific STRIDE and DREAD standards User story threat models Additional tasks increase development time Forces customers to accept security (isn t this a good thing?) 32

Characteristics of an Agile and Secure Process Customer-focused Responsive Iterative Trustworthy 33

Questions Dan Cornell dan@denimgroup.com (210) 572-4400 Website: www.denimgroup.com Blog 1: www.agileandsecure.com Blog 2: denimgroup.typepad.com 34

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback