1 / 49

SDL-Agile: Microsoft's Approach to Security for Agile Projects

SDL-Agile: Microsoft's Approach to Security for Agile Projects. Bryan Sullivan Senior Security Program Mgr Microsoft SIA205. What does “Agile” mean, anyway?. www.goldenrice.org. The Agile Manifesto. Individuals and interactions Working software Customer collaboration

prisca
Download Presentation

SDL-Agile: Microsoft's Approach to Security for Agile Projects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SDL-Agile: Microsoft's Approach to Security for Agile Projects Bryan Sullivan Senior Security Program Mgr Microsoft SIA205

  2. What does “Agile” mean, anyway? www.goldenrice.org

  3. The Agile Manifesto • Individuals and interactions • Working software • Customer collaboration • Responding to change • Processes and tools • Comprehensive documentation • Contract negotiation • Following a plan

  4. Security Development Lifecycle The SDL: Microsoft’s industry leading software security assurance process designed to protect customers by reducing the number and severity of software vulnerabilities before release. Process Accountability Education Ongoing Process Improvements

  5. Challenges

  6. Challenges: Adapting SDL to Agile • Iterative nature of Agile • Projects may never end • Just-in-time planning/YAGNI mentality • General avoidance of project artifacts • Emphasis on project/iteration backlogs • General avoidance of automated tools

  7. Challenges: Adapting SDL to Agile • Iterative nature of Agile • Projects may never end • Just-in-time planning/YAGNI mentality • General avoidance of project artifacts • Emphasis on project/iteration backlogs • General avoidance of automated tools

  8. Security Development Lifecycle • SDL “Classic” phased approach • Fits spiral or waterfall… • …but Agile doesn’t have phases

  9. Idea: Move SDL to product backlog • Very Agile • But not secure!

  10. Idea: Do the full SDL every iteration • Very secure • But not Agile!

  11. Iterative nature of Agile • From the Principles Behind the Agile Manifesto: “Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.”

  12. Idea: Drop some requirements • But every requirement is, well, required • Need to keep all requirements • Need to reorganize into Agile-friendly form

  13. SDL-Agile process

  14. Three classes of requirements

  15. Requirements as backlog items • One-time requirements get added to the Product Backlog (with deadlines) • So do bucket requirements • Every-sprint requirements go to the Sprint Backlog directly

  16. Agile sashimi • At the end of every sprint: • All every-sprint requirements complete • No bucket items more than six months old • No expired one-time requirements • No open security bugs over the bugbar dinner.wordpress.com

  17. Bug bar

  18. Challenges: Adapting SDL to Agile • Iterative nature of Agile • Projects may never end • Just-in-time planning/YAGNI mentality • General avoidance of project artifacts • Emphasis on project/iteration backlogs • General avoidance of automated tools

  19. Security Incident Response • Because 2:00 AM Christmas morning is a poor time to hold a Scrum meeting…

  20. Challenges: Adapting SDL to Agile • Iterative nature of Agile • Projects may never end • Just-in-time planning/YAGNI mentality • General avoidance of project artifacts • Emphasis on project/iteration backlogs • General avoidance of automated tools

  21. Security bug tracking • Must track bug cause • Buffer overflow • XSS • Etc • And effect • STRIDE • Important for bugbar criteria

  22. Threat modeling • “The cornerstone of the SDL” • Data Flow Diagrams (DFDs) • STRIDE/element • Mitigations • Assumptions • External dependencies

  23. Sidebar: Exception workflow

  24. Challenges: Adapting SDL to Agile • Iterative nature of Agile • Projects may never end • Just-in-time planning/YAGNI mentality • General avoidance of project artifacts • Emphasis on project/iteration backlogs • General avoidance of automated tools

  25. Writing secure code • 90% Writing Secure Features • Overflow defense • Input validation • Output encoding • 10% Writing Security Features • Cryptography • Firewalls • ACLs

  26. Secure code does not featurize

  27. Taskifying the SDL • Some are straightforward... • Enable compiler switches • Run static analysis tools • …some are tougher (not actionable) • Avoid banned APIs • Access databases safely

  28. Two strategies • Verify these things by hand (alone or in pairs) • Verify these things with tools www.sondheim.com www.dow.com

  29. Challenges: Adapting SDL to Agile • Iterative nature of Agile • Projects may never end • Just-in-time planning/YAGNI mentality • General avoidance of project artifacts • Emphasis on project/iteration backlogs • General avoidance of automated tools

  30. Static analysis requirements • FxCop • CAT.NET • PREFast (/analyze) • And/or your alternative tool(s) of choice • These are “every-sprint” requirements • Better still: Continuous Integration

  31. Dynamic analysis requirements • Fuzzers(homegrown) • File parsers • RPC interfaces • ActiveX controls • COM objects • AppVerifier • Passive HTTP traffic analysis • And/or your alternative tool(s) of choice • These are “bucket” requirements • Or CI…

  32. Secure coding libraries • AntiXss • StrSafe • SafeInt • Use always, check every sprint <opinion> This is the future of the SDL </opinion>

  33. Strengths

  34. Strengths: Adapting SDL to Agile • Bucket activities easily move in & out of sprints • Teams self-select best security activities • SDL versioning is simpler and more current • Each iteration is a gate

  35. Strengths: Adapting SDL to Agile • Bucket activities easily move in & out of sprints • Teams self-select best security activities • SDL versioning is simpler and more current • Each iteration is a gate “Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.”

  36. Strengths: Adapting SDL to Agile • Bucket activities easily move in & out of sprints • Teams self-select best security activities • SDL versioning is simpler and more current • Each iteration is a gate “At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.”

  37. Strengths: Adapting SDL to Agile • Bucket activities easily move in & out of sprints • Teams self-select best security activities • SDL versioning is simpler and more current • Each iteration is a gate

  38. SDL-Agile “versioning” SDL-Classic • Updated yearly • Grandfather clause SDL-Agile • Updated at any time • Automatic updating

  39. Strengths: Adapting SDL to Agile • Bucket activities easily move in & out of sprints • Teams self-select best security activities • SDL versioning is simpler and more current • Each iteration is a gate

  40. Each iteration is a gate “Security and privacy are most effective when ‘built-in’ throughout the entire development lifecycle” “Security is most effective when it is ‘baked-in’ from the start” • This fits Agile perfectly

  41. The Agile Manifesto • Individuals and interactions • Working software • Customer collaboration • Responding to change • Processes and tools • Comprehensive documentation • Contract negotiation • Following a plan

  42. The SDL-Agile Manifesto • Continuous, incremental effort • Automated tasks • Planned incident response • Heroic pushes • Manual processes • Ad-hoc response

  43. announcing Security Development Lifecycle v4.1a- including SDL for Agile Development Guidance

  44. More Resources • http://www.microsoft.com/sdl • http://blogs.msdn.com/sdl • My alias: bryansul

  45. question & answer

  46. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. Resources • www.microsoft.com/teched Sessions On-Demand & Community • www.microsoft.com/learning • Microsoft Certification & Training Resources • http://microsoft.com/technet • Resources for IT Professionals • http://microsoft.com/msdn Resources for Developers

  47. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

  48. Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related