sdl in an agile world
DESCRIPTION
SDL in an Agile World. MSSD-3 — третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного обеспечения при его разработке . . What does “Agile” mean, anyway?. What does “Agile” mean, anyway?. The Agile manifesto. - PowerPoint PPT PresentationTRANSCRIPT
SDL in an Agile World
MSSD-3 — третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного обеспечения при его разработке.
What does “Agile” mean, anyway?
What does “Agile” mean, anyway?
The Agile manifesto
• Individuals and interactions
• Processes and tools
• Working software • Comprehensive documentation
• Customer collaboration
• Contract negotiation
• Responding to change
• Following a plan
Security Development Lifecycle
Ongoing Process Improvements
ProcessEducation
Accountability
Microsoft’s industry leading software security assurance process designed to protect customers by reducing the number and severity of software vulnerabilities before
release.
Challenges
• Iterative nature of Agile• Projects may never end• Just-in-time planning/YAGNI mentality• Emphasis on project/iteration backlogs• General avoidance of automated tools
Challenges of adapting SDL to Agile
• Fits spiral or waterfall…• …but Agile doesn’t have phases
SDL “Classic” phased approach
• Very secure!• But not Agile.
Idea: Do the full SDL every iteration
• From the Principles Behind the Agile Manifesto:
Short timescale
“Deliver working software frequently, from a couple of weeks to a couple of months, with a
preference to the shorter timescale.”
• Very Agile!• But not secure.
Idea: Move SDL tasks to product backlog
• But every requirement is, well, required
• We need to keep all requirements• We need to reorganize into Agile-friendly form
Idea: Drop some requirements
SDL-Agile process
SDL-Agile process
Three classes of requirements
Every Sprint
Training
Threat modeling
etc...
One-Time Only
Set up tracking
Create response
plan
etc...
Bucket
Fuzz parsers
Refresh response
plan
etc…
• One-time requirements get added to the Product Backlog (with deadlines)
• So do bucket requirements
• Every-sprint requirements go to the Sprint Backlog directly
Requirements as backlog items
Product Backlog• Set up tracking system• Upgrade to VS2012• Fuzz image parser• Fuzz network parser• …
Sprint Backlog• Threat model new stored
procedures• Run static analysis• …
Agile “sashimi”
• All every-sprint requirements complete
• No bucket items more than six months old
• No expired one-time requirements
• No open security bugs
• Iterative nature of Agile• Projects may never end• Just-in-time planning/YAGNI mentality• Emphasis on project/iteration backlogs• General avoidance of automated tools
Challenges of adapting SDL to Agile
• 2:00 AM Christmas morning is a poor time to hold a Scrum meeting…
Security incident response
• Iterative nature of Agile• Projects may never end• Just-in-time planning/YAGNI mentality• Emphasis on project/iteration backlogs• General avoidance of automated tools
Challenges of adapting SDL to Agile
Writing secure code
• 90% Writing secure features• Overflow defense• Input validation• Output encoding
• 10% Writing security features• Cryptography• Firewalls• Access Control
Lists
Secure code cannot be a "feature"
Not a “User Story”
Doesn’t go in the Product
Backlog
Can’t get prioritized in or
out
Can’t decide to not do security
this sprint
• Some SDL requirements are straightforward...– Enable compiler switches– Run static analysis tools
• …some are more difficult (not actionable)– Avoid banned APIs– Access databases safely
Breaking the SDL into tasks
Two options
• Verify manually • Verify with tools
• Iterative nature of Agile• Projects may never end• Just-in-time planning/YAGNI mentality• Emphasis on project/iteration backlogs• General avoidance of automated tools
Challenges of adapting SDL to Agile
• FxCop• CAT.NET• PREFast (/analyze)• And/or your alternative tool(s) of choice
• These are “every-sprint” requirements• Better still: Continuous Integration
Static analysis requirements
• Fuzzers (homegrown)• AppVerifier• Passive HTTP traffic analysis• And/or your alternative tool(s) of choice
• These are “bucket” requirements• Or Continuous Integration
Dynamic analysis requirements
• Web Protection Library (a.k.a AntiXss)• StrSafe• SafeInt
• Use always, check every sprint
Secure coding libraries
Strengths
• Bucket activities easily move in & out of sprints
• Teams self-select best security activities• Each iteration is a gate
Strengths of Agile in SDL
• Bucket activities easily move in & out of sprints
• Teams self-select best security activities• Each iteration is a gate
Strengths of Agile in SDL
“Welcome changing requirements, even late in development. Agile processes harness change for the customer’s
competitive advantage.”
• Bucket activities easily move in & out of sprints
• Teams self-select best security activities• Each iteration is a gate
Strengths of Agile in SDL
“At regular intervals, the team reflects on how to become more effective, then
tunes and adjusts its behavior accordingly.”
• Bucket activities easily move in & out of sprints
• Teams self-select best security activities• Each iteration is a gate
Strengths of Agile in SDL
“Security and privacy are most effective when ‘built-in’ throughout the entire
development lifecycle”
The Agile manifesto
• Individuals and interactions
• Processes and tools
• Working software • Comprehensive documentation
• Customer collaboration
• Contract negotiation
• Responding to change
• Following a plan
The SDL-Agile manifesto
• Continuous, incremental effort
• Heroic pushes
• Automated tools • Manual processes
• Planned response • Ad-hoc response
• http://www.microsoft.com/sdl• http://blogs.msdn.com/b/sdl
More resources
Thank you
Спасибо за внимание