HOW TO EMBED SECURITY INTO AGILE?
VanSecSIG Oct 12, 2018 Momchil Karov Best Buy Canada
PRESENTED BY: (A.K.A. THE “WHO AM I” SLIDE)
Momchil Karov, MSc., CISSP
Principal Security Architect Enterprise Risk and Compliance Best Buy Canada Ltd. (100% owned subsidiary of Best Buy Co., Inc.)
WHY DO WE NEED IT, WHAT DO WE NEED AND HOW TO IMPLEMENT IT SUCCESSFULLY? A SIMPLIFIED APPROACH ALIGNED WITH AGILE’S PHILOSOPHY.
WHY CHANGE? REASON #1 – THE ENEMY
Our enemy is already Agile and has been for a long time!
So why can’t we be like our enemy?
TRADITIONAL SECURITY – THE ENFORCEMENT WAY
Enforcing security policies, standards and requirements, usually from a silo, has been the traditional way of doing security for a long time. This approach creates waste in the business processes and sometimes even bad cross-team relationships.
SECURITY INSIDE WALLS, REASON #2 – TEAMS
(Figure: People, Technology, Processes & procedures)
Security surrounded by walls does not allow the flow of knowledge and awareness through the organization and also breeds shadow IT. People are afraid
OK, GOT IT, WE HAVE TO CHANGE
REASON #3 – THE CUSTOMER … OR DURABLE COMPETITIVE ADVANTAGE
A very important concept by the greatest investor of our time – Warren Buffett. The main question is: for a company whose business is based on a technological competitive advantage, can this advantage be durable without a strong information security program to protect it? Here is where security interconnects deeply with the business and becomes part of the durable competitive advantage!
WHAT IS AGILE?
incremental methodologies.
following a set of values and principles, where requirements and solutions can evolve through team collaboration.
process.
REALLY, WHAT IS AGILE?
(Figure: Values & Principles → Decisions → Develop → Working Software)
WHAT IS AGILE – A PENCIL ANALOGY
Watch the YouTube video “Agile Explained... with a PENCIL!” https://www.youtube.com/watch?v=k_ndH7B-IS4
WATERFALL VS. AGILE
Waterfall: Fixed = Functionality; Variable = Time, Cost, Quality
Agile: Fixed = Time, Cost, Quality; Variable = Functionality
HISTORY OF WATERFALL
Winston Walker Royce (August 15, 1929 – June 7, 1995)
Waterfall methodology – first described back in 1970 by Winston Royce as “something you shouldn’t do” in his article “Managing the development of large software systems”.
FOUR CORE VALUES OF AGILE OR AGILE MANIFESTO
We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
1. Individuals and interactions over processes and tools.
2. Working software over comprehensive documentation.
3. Customer collaboration over contract negotiation.
4. Responding to change over following a plan.
That is, while there is value in the items on the right, we value the items on the left more.
12 PRINCIPLES OF AGILE
KEY FACTS ABOUT AGILE
THE SCRUM METHODOLOGY
(Figure: Sprint planning → Sprint → Sprint review & retrospective)
MAIN ROLES IN A PRODUCT STREAM
Product Owner, Scrum Master, Team Members, Business Users
WHAT IS A USER STORY?
As a < type of user >, I want < some function>, so that < some benefit >
Example: As a web site user, I want to be able to login, so I can access my personalized dashboard.
EFFECTIVE COLLABORATION IS PARAMOUNT
and without constraints.
the success as well as the failure.
AUTOMATION EVERYWHERE
Improve efficiency. Better use of resources. Empower the human talent. Don’t reinvent the wheel.
Popular automation tools:
SOLUTIONS THAT MATTER
How to make sure security becomes integral part of Agile? Key paradigm shift: Security – responsibility of EVERYONE!
SECURITY CHAMPIONS PROGRAM
INDUSTRY TRENDS
“By 2021, 35% of enterprises will implement a security champions program, up from less than 10% in 2017” Gartner
MAIN OBJECTIVES
OWASP DEFINITION
Security Champions are “active members of a team that may help to make decisions about when to engage the Security Team”.
They act as the “voice” of security for the given product or team.
They assist in the triage of security bugs for their team or area.
SECURITY CHAMPION’S ROLE
knowledge back to the teams.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM? Step 1 Communicate – simplify the security concepts for the Agile teams and don’t reinvent the wheel, but utilize the full potential of popular Agile tools, such as Confluence/Jira.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM? Step 2 Collaborate – make it easy for the Agile teams to engage security, again, by utilizing the full potential of the widely used Agile tools.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM? Step 3 Coach – training and coaching are the key to achieving competence across the board and building trust. Coaching on security must be in complete sync with the Agile values and principles.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM? Step 4 Trust – build strong team relationships based on mutual trust. It should come naturally as a result of executing steps 1 to 3 successfully.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM? Step 5 Deputize – delegate responsibilities, based on the strong foundation of trust.
HOW TO RUN THE SECURITY CHAMPIONS PROGRAM? Step 6 Quantify – build statistics from easy-to-implement metrics in order to measure progress and to make adjustments that further improve the overall process.
SOME PRACTICAL TASKS
training (ex. Hacksplaining.com).
constantly updating the ‘Secure Code’ Confluence page, following the industry.
Stories within each sprint – e.g. Microsoft Threat Modeling Tool.
THE CONCEPT OF “EVIL STORIES”
Agile and makes it easier to understand.
including security requirements in each sprint cycle.
for each Agile sprint in the backlog as a security task to “fight evil”.
EXAMPLE OF A SECURITY STORY
Security Story: As a(n) architect/developer, I want to ensure AND as QA, I want to verify that cross-site request forgery attacks are prevented.
Backlog Tasks:
* Use one of the many available libraries and frameworks that take CSRF into account.
* Defend against cross-site scripting (see the XSS story).
* Do not use HTTP GET for any method that effects a change in system state.
SAFECode Fundamental Practices:
* Use Anti-Cross Site Scripting (XSS) Libraries
* Validate Input and Output to Mitigate Common Vulnerabilities
* Use Logging and Tracing
CWE-ID: CWE-352
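The story above has two halves: the developer's "ensure" and QA's "verify". As an added example (not from the slides, and not SAFECode's or Best Buy's code), here is a framework-free sketch of both: the "before" handler that accepts a state change over GET with only the session cookie, the hardened handler that enforces POST plus a per-session synchronizer token compared in constant time, and the acceptance check QA would run against either handler. The Request/Response classes, the in-memory session and balance stores, and the /transfer route are all hypothetical, built here so the example runs offline.

```python
"""CSRF security story: vulnerable 'before', hardened 'after', and QA verification.
Added example; all names, stores and routes below are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)  # sent automatically by the browser
    params: Dict[str, str] = field(default_factory=dict)   # query string or form body


@dataclass
class Response:
    status: int
    body: str = ""


SESSIONS: Dict[str, Dict[str, str]] = {}  # constructed session store: sid -> session data
BALANCES: Dict[str, int] = {}             # constructed application state


def login(user: str) -> str:
    """Create a session (with its own CSRF secret) and return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    BALANCES.setdefault(user, 100)
    return sid


def current_user(req: Request):
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    return sess["user"] if sess else None


def csrf_token_for(sid: str) -> str:
    """Synchronizer token the server embeds in its own form; another origin cannot read it."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(req: Request) -> Response:
    """'Before': authenticates with the ambient cookie only and accepts any method.
    An <img src="https://bank/transfer?to=mallory&amount=50"> on any page the
    victim visits performs the transfer with the victim's cookie."""
    user = current_user(req)
    if user is None:
        return Response(401)
    BALANCES[user] -= int(req.params.get("amount", "0"))
    return Response(200, "ok")


def transfer_hardened(req: Request) -> Response:
    """'After': state change only via POST, and the submitted token must match
    the session's token (constant-time compare to avoid timing leaks)."""
    if req.method != "POST":
        return Response(405)  # backlog task: no HTTP GET for state-changing methods
    user = current_user(req)
    if user is None:
        return Response(401)
    expected = SESSIONS[req.cookies["sid"]]["csrf"]
    if not hmac.compare_digest(req.params.get("csrf_token", ""), expected):
        return Response(403, "csrf token missing or invalid")
    BALANCES[user] -= int(req.params.get("amount", "0"))
    return Response(200, "ok")


def verify_csrf_prevented(handler) -> dict:
    """QA acceptance check for the story: forged cross-site requests must not change
    state, while the legitimate form (which carries the token) must still work."""
    sid = login("alice")
    before = BALANCES["alice"]
    results = {}
    # What a cross-site attacker can produce: the cookie rides along, the token is absent.
    for name, method in (("forged_get", "GET"), ("forged_post", "POST")):
        forged = Request(method, "/transfer", {"sid": sid}, {"to": "mallory", "amount": "50"})
        resp = handler(forged)
        results[name] = {"status": resp.status, "state_changed": BALANCES["alice"] != before}
        before = BALANCES["alice"]
    legit = Request("POST", "/transfer", {"sid": sid},
                    {"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)})
    resp = handler(legit)
    results["legitimate_post"] = {"status": resp.status, "state_changed": BALANCES["alice"] != before}
    results["passed"] = (not results["forged_get"]["state_changed"]
                         and not results["forged_post"]["state_changed"]
                         and results["legitimate_post"]["state_changed"])
    return results


if __name__ == "__main__":
    print("vulnerable:", verify_csrf_prevented(transfer_vulnerable)["passed"])  # False
    print("hardened:  ", verify_csrf_prevented(transfer_hardened)["passed"])    # True
```

The verification function is the part worth keeping in the sprint: it encodes the story's acceptance criteria as an executable check, so "done" means the forged requests are rejected (405 for GET, 403 for a POST without the token) and the real form still succeeds, rather than a reviewer's opinion that a library was used.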
HELPFUL TOOLS
Microsoft Threat Modeling Tool 2016 (free to download)
SAFECode Practical Security Stories and Security Tasks for Agile Development Environments (34 pages PDF document)
Enterprise tools
Education and training: https://www.hacksplaining.com/
FOCUS ON COACHING
The Agile Security process is focused on iterative and self-adjusting coaching and general awareness initiatives towards the goal of making security everyone’s responsibility.
SCRUM WITH EMBEDDED SECURITY
(Figure: Evil stories → To-Do: “Fight Evil” → Security stories → Code Analysis → Secure Increment; Definition of “Done” / Acceptance Criteria)
each sprint and are broken down into “fight evil” security stories and to-do tasks & components which represent the security requirements.
code scans are performed in each sprint cycle.
increments are released to production in an automated fashion.
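One concrete way to make "Definition of Done" mean something for the secure increment is to join the sprint's security stories (each tagged with the CWE it mitigates, as the CSRF story is tagged CWE-352) to the findings of the sprint's code scan, and release only when no "done" story still has findings for its CWE. The gate below is an added example, not from the slides or any tool the deck names; the backlog entries, the scan findings, the severity values and the JSON shape are constructed for illustration (real scanners emit SARIF or a tool-specific format, which would be parsed into the same list of dicts).

```python
"""Definition-of-Done gate for a sprint's secure increment. Added example; the backlog,
scan output and field names are constructed, not taken from any real project or scanner."""
import re
from typing import Dict, List

CWE_RE = re.compile(r"CWE-(\d+)", re.IGNORECASE)

# Constructed sprint backlog: security stories the team committed to, with their CWE tag.
SECURITY_STORIES = [
    {"id": "SEC-12", "title": "CSRF attacks are prevented", "cwe": "CWE-352", "status": "done"},
    {"id": "SEC-13", "title": "Output is encoded to prevent XSS", "cwe": "CWE-79", "status": "done"},
    {"id": "SEC-14", "title": "SQL queries are parameterized", "cwe": "CWE-89", "status": "in progress"},
]

# Constructed SAST output for the increment (shape loosely modelled on a scanner report).
SCAN_FINDINGS = [
    {"rule": "CWE-79", "severity": "high", "file": "views/profile.py", "line": 42},
    {"rule": "cwe-089", "severity": "high", "file": "dao/orders.py", "line": 17},
    {"rule": "CWE-200", "severity": "low", "file": "api/debug.py", "line": 8},
]


def normalize_cwe(text: str) -> str:
    """'cwe-089', 'CWE-089' and 'CWE-89' all identify the same weakness."""
    m = CWE_RE.search(text)
    return f"CWE-{int(m.group(1))}" if m else ""


def evaluate_increment(stories: List[dict], findings: List[dict],
                       block_severities=("critical", "high")) -> Dict:
    """Decide whether the increment may ship and what the backlog must absorb."""
    findings_by_cwe: Dict[str, List[dict]] = {}
    for f in findings:
        findings_by_cwe.setdefault(normalize_cwe(f["rule"]), []).append(f)

    # A story marked done while the scanner still reports its CWE means the
    # acceptance criteria were not actually met: reopen it and block the release.
    # A story still in progress with findings is expected and only tracked.
    reopen = [s["id"] for s in stories
              if s["status"] == "done" and findings_by_cwe.get(normalize_cwe(s["cwe"]))]

    # Findings no story covers must become new security stories; only the severe
    # ones block this increment, the rest go to the backlog for the next sprint.
    covered = {normalize_cwe(s["cwe"]) for s in stories}
    uncovered = [f for f in findings if normalize_cwe(f["rule"]) not in covered]
    blocking_uncovered = [f for f in uncovered if f["severity"] in block_severities]

    return {
        "release_ok": not reopen and not blocking_uncovered,
        "reopen": reopen,
        "new_stories_needed": sorted({normalize_cwe(f["rule"]) for f in uncovered}),
        "blocking_uncovered": blocking_uncovered,
    }


if __name__ == "__main__":
    verdict = evaluate_increment(SECURITY_STORIES, SCAN_FINDINGS)
    print(verdict)  # release_ok False: SEC-13 is 'done' but CWE-79 is still reported
```

Run in the pipeline after the scan step, the gate turns the slide's "code scans are performed in each sprint cycle" into a decision: the constructed data above fails the increment because SEC-13 was closed while the scanner still flags CWE-79, and it queues CWE-200 as a new low-severity story without blocking on it. The case-insensitive CWE normalization matters in practice because scanners and ticket templates rarely agree on the exact id format.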
DO WE HAVE TO CHANGE AGILE? Not really. It’s all about how the phrase “working and valuable software” is interpreted from the customer’s perspective. Working and valuable also means SECURE! But even if you add “secure” to Agile’s values and principles, it still doesn’t change its philosophy!
Closing remarks
Security must be Agile and Agile adopts security naturally! Change is inevitable – embrace it! Everyone benefits from it!
QUESTIONS?
“The important thing is not to stop questioning. Curiosity has its own reason for existing.” Albert Einstein
THANK YOU!