Are Agile Development Methodologies Eroding your Application's Security?

Tony Rice, Cisco InfoSec

Apr 15, 2017

Transcript
Page 1: Are Agile Development Methodologies Eroding your Application's Security?

Are Agile Development Methodologies

Eroding your Application's Security?

Tony Rice, Cisco InfoSec

Photo: Katie Lips

Page 2: Are Agile Development Methodologies Eroding your Application's Security?

Agile vs. Waterfall

[Diagram: one long Waterfall sequence contrasted with Agile's Sprint 1, Sprint 2 and Sprint 3, each pulling work from a backlog.]

"The Homer" courtesy of Fox

Page 3: Are Agile Development Methodologies Eroding your Application's Security?

Does Agile promote Security?

Source: Security in the Software Lifecycle (1.2), Department of Homeland Security

The principles behind the Agile Manifesto, as the slide paraphrases them:

• Satisfy the customer with early and continuous delivery of software.
• Welcome changing requirements, even late in development.
• Deliver working software frequently, on a shorter timescale.
• Both management and customers trust developers.
• Hire motivated individuals and trust them.
• Face-to-face conversation is the most efficient communication method.
• Working software is the primary measure of progress.
• The team should be able to maintain a constant pace indefinitely.
• Continuous attention to technical excellence and good design enhances agility.
• Simplicity is essential.
• The best architectures, requirements, and designs emerge from self-organizing teams.
• The team must reflect and adjust at regular intervals.

Page 4: Are Agile Development Methodologies Eroding your Application's Security?

© 2016 Cisco. All rights reserved. Cisco Public

Maintaining Security while Staying Agile

Pro

• Coding standards
• Continuous testing
• Design simplicity
• Automation
• Progress measured and reflected on

Con

• The customer is the only driver
• Requirements focus solely on functionality
• Security tests don't fit well into unit tests
• Insulated customer-team focus
• Progress is measured in functionality
• Trust

Page 9: Are Agile Development Methodologies Eroding your Application's Security?


The Solution

xkcd #327 courtesy of Randall Munroe

1. Introduce fewer bugs
2. Discover them earlier
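The strip on this slide is about SQL injection, and the two-point solution maps directly onto code: write the query so the bug cannot be introduced (a bound parameter instead of string concatenation) and keep a security regression test beside the ordinary unit tests so the bug is discovered on the commit that introduces it, not after deployment. The following is an added example written for this transcript, not code from the talk or from Cisco; the table, rows and function names are constructed for the demonstration, and it uses only Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data for this example; not from the slides.
STUDENTS = [("Alice", "A"), ("Bob", "B"), ("Carol", "C")]

# The kind of input the xkcd strip is about: a "name" that carries SQL.
# sqlite3's execute() refuses stacked statements, so the cartoon's DROP TABLE
# payload would raise here; a tautology that widens the WHERE clause shows the
# same defect (untrusted text interpreted as SQL) through a single statement.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    return conn


def find_grade_vulnerable(conn, name):
    """Bug introduced at coding time: the caller's string is pasted into SQL."""
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_grade(conn, name):
    """Hardened form: a bound parameter is sent as data, never parsed as SQL."""
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_regression(lookup):
    """Security unit test, shaped like any other unit test so it runs on every
    commit: a lookup for a name that is really an injection payload must match
    nothing. Returns True when `lookup` passes."""
    conn = make_db()
    rows = lookup(conn, TAUTOLOGY)
    return rows == []


if __name__ == "__main__":
    # The parameterized lookup still works for a legitimate name ...
    print(find_grade(make_db(), "Alice"))                                   # [('Alice', 'A')]
    # ... and the regression test separates the two implementations.
    print("vulnerable passes:", injection_regression(find_grade_vulnerable))  # False
    print("parameterized passes:", injection_regression(find_grade))          # True
```

The test is deliberately boring: no scanner, no special harness, just a payload and an expected empty result, which is what lets it live in the same suite the team already runs on every sprint. Swapping `find_grade_vulnerable` for `find_grade` in production code is the "introduce fewer bugs" half; keeping `injection_regression` in the suite is the "discover them earlier" half.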

Page 10: Are Agile Development Methodologies Eroding your Application's Security?

Cost to Fix

[Chart: relative cost to fix a defect by phase (Requirements, Design, Coding, Test, Deploy), rising from $1 at requirements to $100-1000 once deployed; intermediate values shown: $15, $30. Source: Software Engineering Economics, Barry W. Boehm.]

[Overlay: functional defect introduction by phase; values shown: 30%, 18%.]

Page 11: Are Agile Development Methodologies Eroding your Application's Security?

Security Vulnerability Introduction

[Overlay on the same phase bar: security vulnerability introduction by phase; value shown: 60%. Source: Software Engineering Economics, Barry W. Boehm.]

Page 12: Are Agile Development Methodologies Eroding your Application's Security?

Defect/Vulnerability Discovery

[Overlay on the cost-to-fix chart: defect/vulnerability discovery by phase; value shown: 86%. Source: Software Engineering Economics, Barry W. Boehm.]

Page 13: Are Agile Development Methodologies Eroding your Application's Security?

Cost to Fix

[The same cost-to-fix chart ($1, $15, $30, $100-1000 across Requirements, Design, Coding, Test, Deploy). Sources: Software Engineering Economics, Barry W. Boehm; Haskins, Bill, et al., "Error Cost Escalation Through the Project Life Cycle", NASA JSC, 2004.]

Page 14: Are Agile Development Methodologies Eroding your Application's Security?


Keeping up with DevOps

Page 15: Are Agile Development Methodologies Eroding your Application's Security?

Manual Everything

Phases: Requirements & Design, Coding, Integration, Test, Deploy

✗ Code merged by hand (by a senior developer)
✗ Ad hoc manual builds, manual tests
✗ Little or no security requirements

Measurement: customer complaints

Page 16: Are Agile Development Methodologies Eroding your Application's Security?

Continuous Integration

Phases: Requirements & Design, Coding, Integration, Test, Deploy

✔ Automated builds
✔ Automated integration testing
✔ Automated vulnerability scanning

Measurement: build quality, vulnerability remediation

Page 17: Are Agile Development Methodologies Eroding your Application's Security?

Continuous Security – in Stage

[Diagram: a code change enters the CI platform, which runs static/dynamic vulnerability analysis; findings are posted through a REST API into a database that feeds developer feedback, InfoSec analytics and training.]
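The piece of this pipeline that decides whether a commit proceeds is the gate between the scanner and the developer, and it is where the "vulnerability remediation" measurement from the Continuous Integration slide comes from. The following is an added example for this transcript, not Cisco's pipeline code: it assumes the scanner's output has already been mapped to a small record format (rule, severity, file, line, snippet), the rule names and findings are constructed, and the policy chosen is to block only on newly introduced high or critical findings while reporting what was fixed and what is still carried.

```python
import hashlib
import json
import sys

# Constructed scanner output in an assumed format (rule, severity, file, line,
# snippet). Real tools emit their own schema; map it to these fields first.
BASELINE_FINDINGS = [
    {"rule": "sql-concat", "severity": "medium", "file": "app/db.py", "line": 40,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)'},
    {"rule": "hardcoded-secret", "severity": "low", "file": "app/settings.py", "line": 3,
     "snippet": 'DB_PASSWORD = "changeme"'},
]
CURRENT_FINDINGS = [
    # Same defect as before, shifted twelve lines by an unrelated edit above it.
    {"rule": "sql-concat", "severity": "medium", "file": "app/db.py", "line": 52,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)'},
    # Introduced by this change.
    {"rule": "shell-true", "severity": "high", "file": "app/run.py", "line": 12,
     "snippet": "subprocess.call(cmd, shell=True)"},
]


def fingerprint(finding):
    """Stable identity: rule, file and whitespace-normalized code, but not the
    line number, so moving code does not make an old finding look new."""
    code = " ".join(finding["snippet"].split())
    key = f"{finding['rule']}|{finding['file']}|{code}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def gate(current, baseline, fail_on=("critical", "high")):
    """Compare this build's findings with the previous build's and decide."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    new = [f for k, f in cur.items() if k not in base]
    carried = [f for k, f in cur.items() if k in base]
    fixed = [f for k, f in base.items() if k not in cur]
    blocking = [f for f in new if f["severity"] in fail_on]
    feedback = [f"{f['file']}:{f['line']} {f['rule']} ({f['severity']}) NEW"
                for f in new]
    return {"new": new, "carried": carried, "fixed": fixed,
            "pass": not blocking, "feedback": feedback}


def run_gate():
    return gate(CURRENT_FINDINGS, BASELINE_FINDINGS)


if __name__ == "__main__":
    result = run_gate()
    # Developer feedback: exactly what to fix, file and line, on this commit.
    for line in result["feedback"]:
        print(line)
    # Remediation metric for the analytics store: fixed vs. carried vs. new.
    print(json.dumps({"fixed": len(result["fixed"]), "carried": len(result["carried"]),
                      "new": len(result["new"])}))
    sys.exit(0 if result["pass"] else 1)
```

Fingerprinting without the line number is the detail that keeps this usable at sprint pace: a refactor that moves code must not page the developer about findings they already know. The carried list is the remediation backlog the slide measures; a team that wants to ratchet can widen `fail_on` to include medium once the carried count is down.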

Page 18: Are Agile Development Methodologies Eroding your Application's Security?

Secure by Design

Phases: Requirements & Design, Coding, Integration, Test, Deploy

✔ Security included in requirements
✔ Threat modeling
✔ Common security libraries

Measurement: adoption

Page 19: Are Agile Development Methodologies Eroding your Application's Security?

End to End Continuous Security

Phases: Requirements & Design, Coding, Integration, Test, Deploy

✔ Zero manual intervention from check-in to deployment
✔ Only inputs: code, configs and tests
✔ Test driven development
✔ Fuzz testing

Measurement: code coverage
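Fuzz testing earns its place on this slide because it is a test that runs with zero manual intervention and finds the class of bug that hand-written unit tests rarely cover: input the author never thought to construct. The following is an added example written for this transcript, not code from the talk; the wire format (a type byte, a two-byte big-endian length, then the value) is constructed for the demonstration, and the parser is written twice, once trusting the length field and once checking it, so the harness has something to find.

```python
import random
import struct

# Constructed wire format for this example: records of 1-byte type, 2-byte
# big-endian length, then `length` value bytes, back to back until the buffer ends.
SEED_CORPUS = [b"\x01\x00\x03abc", b"\x02\x00\x00\x03\x00\x01z"]


def parse_tlv(buf, strict=True):
    """strict=True checks every length against the bytes that remain and rejects
    bad input with ValueError. strict=False trusts the length field, the defect
    the fuzzer is meant to find."""
    records, i = [], 0
    while i < len(buf):
        if strict and i + 3 > len(buf):
            raise ValueError("truncated header")
        kind = buf[i]
        length = struct.unpack_from(">H", buf, i + 1)[0]
        value = buf[i + 3:i + 3 + length]
        if strict and len(value) != length:
            raise ValueError("truncated value")
        records.append((kind, value))
        i += 3 + length
    return records


def encode_tlv(records):
    return b"".join(bytes([k]) + struct.pack(">H", len(v)) + v for k, v in records)


def mutate(rng, data):
    """One random mutation: bit flip, truncation, length corruption or append."""
    data = bytearray(data)
    op = rng.choice(["flip", "truncate", "length", "append"])
    if op == "flip" and data:
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    elif op == "length" and len(data) >= 3:
        struct.pack_into(">H", data, 1, rng.randrange(0x10000))
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, iterations=2000, seed=1):
    """Mutation fuzzer with a round-trip oracle. Returns counts of the two bug
    classes: unexpected exceptions, and inputs accepted although re-encoding
    the parse does not reproduce them (data silently lost or misread)."""
    rng = random.Random(seed)
    crashes = silent = 0
    for _ in range(iterations):
        data = mutate(rng, rng.choice(SEED_CORPUS))
        try:
            records = parser(data)
        except ValueError:
            continue                    # explicit rejection is the right answer
        except Exception:               # struct.error, IndexError, ...: a crash
            crashes += 1
            continue
        if encode_tlv(records) != data:
            silent += 1
    return {"crashes": crashes, "silent": silent}


def fuzz_strict():
    return fuzz(lambda b: parse_tlv(b, strict=True))


def fuzz_trusting():
    return fuzz(lambda b: parse_tlv(b, strict=False))


if __name__ == "__main__":
    print("strict:  ", fuzz_strict())    # {'crashes': 0, 'silent': 0}
    print("trusting:", fuzz_trusting())  # both counts non-zero
```

The oracle matters as much as the mutator: an exception is easy to notice, but the trusting parser's more dangerous failure is accepting a truncated value without complaint, and only the re-encode comparison catches that. A fixed seed keeps the run reproducible in CI; raising `iterations` or adding seeds to the corpus is how coverage, the measurement on this slide, is pushed up.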

Page 20: Are Agile Development Methodologies Eroding your Application's Security?


Continuous Security – in Dev

Page 21: Are Agile Development Methodologies Eroding your Application's Security?

Takeaways

Don't allow Agile's pace to divert security focus.

• Make security stories a priority
• Assess security early and often
• Shorten feedback loops to developers
• Security vulnerabilities are serious defects; treat them as such
• Automate everything
• Don't just build working software, build secure working software

Page 23: Are Agile Development Methodologies Eroding your Application's Security?


Additional Reading

• How Cisco IT Developed a Self-Service Model for Build and Deploy. Cisco IT.
• Haskins, Bill, et al. "8.4.2 Error Cost Escalation Through the Project Life Cycle." INCOSE International Symposium 14.1 (2004): 1723-1737. NASA Technical Reports Server, NASA Johnson Space Center.
• Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981. ISBN 0138221227.
• Puppet Labs. State of DevOps Report (2016).
• Martin, James. An Information Systems Manifesto. Englewood Cliffs, NJ: Prentice-Hall, 1984. ISBN 0134647696.
• Security in the Software Lifecycle. Department of Homeland Security, August 2006.
• Clark, Sandy, et al. "Moving Targets: Security and Rapid-Release in Firefox."
• Risk, Loss and Security Spending in the Financial Sector. SANS Institute.