1 / 31

10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security. Author : Yair Rovek . Challenged by Agile. “It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks ”

hachi
Télécharger la présentation

10 Steps To Agile Development Without Compromising Enterprise Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 10 Steps To Agile Development Without Compromising Enterprise Security Author : Yair Rovek

  2. Challenged by Agile “It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks” -- Extract from a blog of a very popular software provider “The good news is that our retroactive security is very good…” -- Extract from the same blog as above

  3. About Me Yair Rovek • 20+ years in the industry • 4 years Security Specialist @ • Leading the SDLC Program • Design security and new technologies within our products Contact Me! yairr@liveperson.com @lione_heart Hosted by OWASP & the NYC Chapter

  4. LivePerson ID What we do? • 16 years in business • SaaS from day 1. • NASDAQ & TASE (LPSN) • ~8500 Customers • ~800 employees SaaS platform for creation of meaningful connections through real-time engagement How it works? Monitor web visitor’s behavior(Over 1.5 B visits each month) Conductbehavioralranking Providetheengagementplatform(Over 10 M chats each month) Security is NOT optional… SaaS & Cloud only Hosted by OWASP & the NYC Chapter

  5. Who are the key players? Sales & Product System Architects Software Architects R&D Scrum teams CI environment Artifact Production Hosted by OWASP & the NYC Chapter

  6. Agile Framework

  7. Agile Framework RETROSPECTIVE

  8. Add Security to the Agile Process • Release Planning Scrum Actions • Sprint Planning • Coding • Code Freeze • Q&A – Regression Tests • Release

  9. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Sprint Planning • Security High-Level Design • Coding • Code Freeze • Q&A – Regression Tests • Release

  10. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Security High-Level Design • Sprint Planning • Guide-in the teams On-Demand • Coding • Code Freeze • Q&A – Regression Tests • Release

  11. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Security High-Level Design • Sprint Planning • Coding • Guide-in the teams On-Demand • ESAPI & SCA checks for each build • Code Freeze • Q&A – Regression Tests • Release

  12. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Security High-Level Design • Sprint Planning • Guide-in the teams On-Demand • Coding • ESAPI & SCA checks for each build • Code Freeze • Automated Security Tests • Q&A – Regression Tests • Release

  13. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Security High-Level Design • Sprint Planning • Coding • Guide-in the teams On-Demand • ESAPI & SCA checks for each build • Code Freeze • Automated Security Tests • Q&A – Regression Tests • Automated Security Tests • Release

  14. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Security High-Level Design • Sprint Planning • Q&A On-Demand • Coding • ESAPI & SCA checks for each build • Code Freeze • Automated Security Tests • Q&A – Regression Tests • Automated Security Tests • Release • External Pen-Test

  15. Add Security to the Agile Process • Release Planning Scrum Actions Security Control • Security High-Level Design • Sprint Planning • Coding • Guide-in the teams On-Demand • ESAPI & SCA checks for each build • Code Freeze • Automated Security Tests • Q&A – Regression Tests • Automated Security Tests • Release • External Pen-Test

  16. Screening Code in 3D Delivered Dependencies and Open Source POM File Developer Code • ESAPI/AntiSamy/CSRF Guard… • Utilities • SCA Open Source Policy

  17. ESAPI Building Blocks

  18. Where Do I put my validation Controller UserInterface Business Functions Data Layer Any Interpreter Web Service Any Encoding Database Mainframe User Etc… File System

  19. Where Do I put my validation Controller UserInterface Business Functions Data Layer Any Interpreter Specific Validate Web Service Any Encoding Database Mainframe User Etc… File System Validate Encode For HTML

  20. API example Define Relevant Filters

  21. Automated Test Example Integrating Automated Testing: ExamplePreventing RegExDoS and Performance Issues Filter Black/ White Listing

  22. LivePerson ESAPI implementation For Each Product Live Person Security API (LPSAPI) - In-House Security Package based on ESAPI project

  23. CI environment • Deploy to Test Env • Report • & • Notify • Code Commit • Source Control • (SVN) • TeamCity • (Build Trigger) • Maven Build Process (Unit tests) • Deploy • to • Production • Develop Publish to release repository

  24. Security in CI environment • Deploy to Test Env • SCA , Dynamic, OS • Report • & • Notify • Code Commit • Source Control • (SVN) • TeamCity • (Build Trigger) • Maven Build Process (Unit tests) • Deploy • to • Production • Develop Publish to release repository

  25. One Dashboard Results are integrated within TeamCity

  26. Dive into the results Results are integrated within TeamCity Developer has all required info. No need to involve the Security Team

  27. 10 Best Practices Secure Agile Development

  28. Key Success Factors

  29. Key Success Factors

  30. Never ending story …

  31. Q&A Contact Me! yairr@liveperson.com @lione_heart

More Related