SECURITY AND RISK MANAGEMENT IN AGILE SOFTWARE DEVELOPMENT - PowerPoint PPT Presentation



SLIDE 1

SECURITY AND RISK MANAGEMENT IN AGILE SOFTWARE DEVELOPMENT

SATURN 2012 Conference (#SATURN2012)
Srini Penchikala (@srinip)
05.10.12

SLIDE 2

#WHOAMI

• Security Architect @ Financial Services Organization
• Location: Austin, TX
• Certified Scrum Master
• TOGAF 9 Certified Architect
• Co-Author: “Spring Roo in Action” Book
• Editor (InfoQ.com)

SLIDE 3

AGENDA

• Security Architecture Program
• Architecture Strategy and Framework
• Development Process Changes
• Security and Risk Assessments
• Architecture Centers of Excellence
• Training and Awareness
• Lessons Learned
• Conclusions


SLIDE 5

PROGRAM

• Goals:
  • Security & Risk Management at Enterprise level
  • Build Security In
  • Sustainable Compliance
• Risk based Security Architecture Strategy
• Architecture Framework
• Process

SLIDE 6

ORGANIZATIONAL AGILITY

• Vertical:
  • Strategy
  • Portfolio
  • Project
  • Release
  • Iteration/Sprint
  • Daily Sprints
• Horizontal:
  • Process
  • People
  • Tools/Technologies

Source: VersionOne

SLIDE 7

SECURITY ARCHITECTURE PROGRAM

• Strategy
  • Communication Plan / Metrics
  • Stakeholder Matrix
  • CoE Team
• Framework
  • Disciplines
  • Components
  • Activities
• Process
  • Initiatives / Engagements
  • Projects
  • R&D


SLIDE 9

FRAMEWORK

• Defines “Structure” and “Lifecycle” of the Architecture Strategy
• Structure: Framework Components
  • Disciplines
  • Components
  • Activities
• Lifecycle: Process Activities
  • Components’ mapping with Process Activities

SLIDE 10

REFERENCE FRAMEWORKS

• NIST 800-53
• FISMA
• TOGAF 9
• Microsoft Secure Development Lifecycle (SDL)
• BSIMM
• SAFECode
• OWASP Standards

SLIDE 11

DISCIPLINES

• Security Assessment & Authorization
• Security Architecture & Design
• Identity and Access Management (IAM)
• System & Information Integrity
• Systems & Communications Protection
• SIEM
• Technologies and Tools
• Governance

SLIDE 12

COMPONENTS

• Risk Assessment
• Threat Modeling
• Identification and Authentication
• Data Security
• Application Security
• Technologies and Tools
• Standards and Best Practices
• R&D

SLIDE 13

DISCIPLINES V. COMPONENTS

Security Assessment & Authorization
  • Risk Assessment
  • Regulatory Compliance

Architecture and Design
  • Threat Modeling
  • Reference Architecture and RI
  • Model Driven Security

Identity and Access Management
  • Identification and Authentication
  • Access Control
  • ESSO

System and Information Integrity
  • Data Security
  • Encryption
  • Application Security

Governance
  • Standards and Best Practices
  • Reviews (Architecture, Design and Code)
  • R&D

SLIDE 14

STANDARDS

• Standards at all levels of product development
  • Architecture
  • Design & Coding (based on OWASP Standards)
  • Technologies & Tools
• Standards Enforcement
  • Automatic scans
  • Manual Reviews
• Lifecycle:
  • Identify exceptions/waivers at beginning of project
  • Continuous feedback to refine standards (via Agile retrospectives)


SLIDE 16

ARCHITECTURE LIFECYCLE PROCESS

• Integrate security risk assessment and management into all phases of product development
• Security touch-points with PMLC & SDLC processes
• Reviews to ensure architecture compliance
• Reviews v. Sign-offs

SLIDE 17

PRODUCT LIFECYCLE (PMLC)

Product Vision -> Inception -> Architecture -> Design & Development -> Testing -> Implementation -> Support & Maintenance

SLIDE 18

PMLC W/ SECURITY TOUCHPOINTS

Product Vision
-> Risk Assessment
-> Inception
-> Security Architecture Assessment
-> Architecture
-> Design & Development
-> Security Architecture Review
-> Implementation
-> Security Sign-off
-> Support & Maintenance


SLIDE 20

ASSESSMENTS AND REVIEWS

Lifecycle phase -> assessment / review

• Product Vision -> Risk Assessment (Initial Check)
• Product Initiation -> Privacy / Info Security Assessment (Initial Check)
• Architecture -> Security Architecture Review
• Design & Development -> Security Code Review
• Functional Testing -> Security Architecture Implementation Review
• Performance Testing -> Final Security Review and Sign-off
• Implementation


SLIDE 22

CENTERS OF EXCELLENCE

• Cross-team Security Architecture and Risk Management group
• Champion the management and governance of all aspects of security architecture program
• Core and Extended Teams
  • Application, Security and Data
  • Business and Technology

SLIDE 23

COE CHARTER

• Risk Assessments
• Security Architecture and Design Consulting
• Communicate architecture decisions & guidelines to project teams
• Review & present security architecture related proposals to ARB
• Escalate critical security issues
• Awareness & Education (via Newsletters, Wiki, Brown Bag sessions)
• Security Training
• Security Reviews (Architecture, Design, and Development)
• Threat Modeling (Future)
• Guidance on Code Scans, Pre-deployment Scans & Penetration Testing
• Assist in product development and product acquisition

SLIDE 24

ENGAGEMENTS

• Collaboration between team members
• Communication at the right places in the process
• Security requirements & test cases during Sprint Planning
• Security architecture walk-throughs
• Architecture retrospectives (end of sprint)
• Projects, Initiatives, Ad-Hoc Consulting
• Governance Model
• Research Labs (for R&D)


SLIDE 26

TRAINING AND AWARENESS

• Education focused - Learning v. Teaching
• Stakeholder specific
  • Business Analyst, Product / Project Manager
  • QA Testing Engineer
  • Technical Lead, Developer
  • DBA, Network Admin
• Topic/Module Specific
  • Requirements Management
  • Testing and Validation
  • Development: User Interface, Services, Data, SQL Injection, XSS
• Internal & External; Online & Classroom based


SLIDE 28

LESSONS LEARNED

• Manual architecture, design and code reviews
  • Solution: Automated Static & Dynamic Code Analysis Tool
• Skill set challenges
  • Solution: Enhancements to training program
• Assessments overhead
  • Solution: Refinements based on project experience

SLIDE 29

ROADMAP

• Current State: 2+ yrs since the start (3 yrs effort at the previous organization)
• Threat Modeling (Agile Version)
• Security & risk management aspects in:
  • Social Computing*
  • Mobile Development*
  • Cloud Computing
  • NoSQL Databases

* In progress


SLIDE 31

CONCLUSIONS

• Get commitment from Senior Mgmt. team
• Get involved in the strategic planning process
• Process and Standards are critical
• Automate the process as much as possible
• Agile governance model
• Community of best practices (CoE)
• “Agile or Security” v. “Agile and Security”
• “One Size Fits All” fits nothing

SLIDE 32

RESOURCES

• Agile Threat Modeling (http://www.infoq.com/articles/threat-modeling-express)
• TOGAF
• SABSA
• The Building Security In Maturity Model (BSIMM) (http://bsimm.com)
• Software Security: Building Security In by Gary McGraw
• Secure Programming with Static Analysis by Brian Chess and Jacob West
• Security Metrics (http://www.securitymetrics.org/content/Wiki.jsp)

SLIDE 33

THANK YOU

• Contact Information
  • http://www.infoq.com/author/Srini-Penchikala
  • srinipenchikala@gmail.com
  • @srinip
  • http://srinip2007.blogspot.com
  • Spring Roo in Action Book
• Questions?