
Agile + SDL Concepts and Misconceptions

Agile + SDL Concepts and Misconceptions. Avi Douglen Aware Security avid@AwareID.com (972)-52-7891133 Nir Bregman Senior Project Manager, HP nir.bregman@hp.com (972)-54-5597038. 15/09/2011. Agenda. Introduction Misconceptions Problems Concepts Solution. Introduction.


Presentation Transcript


  1. Agile + SDL Concepts and Misconceptions Avi Douglen Aware Security avid@AwareID.com (972)-52-7891133 Nir Bregman Senior Project Manager, HP nir.bregman@hp.com (972)-54-5597038 15/09/2011

  2. Agenda • Introduction • Misconceptions • Problems • Concepts • Solution

  3. Introduction

  4. “Agile” – A Definition “… a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams.” – Wikipedia

  5. Agile Methodology – Key Features • Early feedback • Prioritized “backlog” • Inherent improvement process • Adaptive to changes • Short, incremental iterations or sprints • ‘Release like’ version every iteration • Team selects “user stories”

  6. “SDL” – A Definition “A Security Development Lifecycle is a software development process to reduce software maintenance costs and increase reliability of software concerning software security.” - Wikipedia

  7. SDL – Microsoft Model

  8. SDL – OWASP Model (CLASP)

  9. SDL – Key Features • Activities for each development phase • Relatively formal process • Carefully controlled development

  10. SDL – Main Activities • General: Designing SDLC model; Policies & guidelines; Training & education; Tools & products • Requirements Analysis: Classification; Security planning; Security requirements • Architecture: Initial Threat Modeling; Secure Architecture • Design: Detailed Threat Modeling; Mitigation of threats; Secure Design; Formulating security guidelines; Security Design Review • Coding: Secure Coding; Unit security tests; Initial security code review; Security push • Testing: Regression testing; Final security code review; Deployment inspection; Black box penetration tests; Final Security Review • Maintenance: Security response; Secure change management; Security bug tracking; Metrics; Process improvement

  11. Misconceptions

  12. Agile is… … really just “Waterfall”, repeated over and over again

  13. SDL is… Only good for “Waterfall” process

  14. Agile is… Like the “Wild West” of programming

  15. SDL is… Control freaks

  16. Agile is… Inconsistent

  17. SDL is… Not flexible

  18. Agile is… Out of control

  19. SDL is… Very heavy process

  20. Agile means… No documentation

  21. SDL means… lots of boring documents

  22. Agile is… An excuse to take shortcuts

  23. SDL is… Full of duplicate activities

  24. Agile means… No planning

  25. SDL is… Unnecessary, for good programmers

  26. Agile is… Never ending

  27. SDL is… Slowing down real development

  28. Agile is… a set of ceremonies and disconnected techniques

  29. SDL is… a set of ceremonies and disconnected tasks

  30. Problem

  31. Agile + SDL = FAIL! SDL: Heavy; Agile: Light

  32. Agile + SDL = FAIL! SDL: Strict process; Agile: Adaptive process

  33. Agile + SDL = FAIL! SDL: Structured phases; Agile: Short iterations

  34. Agile + SDL = FAIL! SDL: Lots of activities; Agile: “Just enough”

  35. Agile + SDL = FAIL! SDL: Predefined checkpoints; Agile: Predefined priorities

  36. Agile + SDL = FAIL! SDL: Centralized control; Agile: Independent teams

  37. Agile + SDL = FAIL! SDL: Lots o’ docs; Agile: Not so much

  38. Agile + SDL = FAIL! SDL: Assurance; Agile: Responsibility

  39. Agile + SDL = …? Putting SDL on top of Agile kind of feels like…

  40. We’ve been doing it wrong!

  41. Concepts

  42. Agile Philosophy For SDL • “Early Feedback” already built in • Add Security to cross-functional team • Always do “just enough” work • Focus on the current sprint backlog • Prioritize, don’t micro-manage

  43. Training Independent developers: Just teach them how to do things right

  44. Mapping SDL to Agile: Discovery ↔ Security planning

  45. Mapping SDL to Agile: Acceptance Tests ↔ Security requirements

  46. Mapping SDL to Agile: Non-functional stories ↔ Security features

  47. Mapping SDL to Agile: Integration QA ↔ Security testing

  48. Mapping SDL to Agile: • User Story “Done definition” • Sprint entry criteria • Release completion criteria ↔ Security tasks

  49. Mapping SDL to Agile: “Abuser” stories ↔ Countermeasures
