• No results found

How We Implemented Security in Agile for 20 SCRUMs- and Lived to Tell

N/A
N/A
Protected

Academic year: 2021

Share "How We Implemented Security in Agile for 20 SCRUMs- and Lived to Tell"

Copied!
35
0
0

Loading.... (view fulltext now)

Full text

(1)

SESSION ID:

How We Implemented Security in Agile for 20

SCRUMs- and Lived to Tell

ASEC-R03

Yair Rovek

Security Specialist LivePerson @lione_heart

(2)
(3)

#RSAC

In the Next 45 Min

 LivePerson and Application Security  Where did it all Began

 LivePerson And Agile

 Security Checkpoints in the Process

 Bringing it All Together in the Continuous Integration  Summarize the Challenges

(4)

LivePerson ID

SaaS platform for creation of meaningful connections through real-time engagement What we do?

How it works?

Monitor web visitor’s behavior (Over 1.5 B visits each month)

Conduct behavioral ranking

Provide the engagement platform

(Over 10 M chats each month)

(5)
(6)

From Pen-Testing to SDLC

50

3rd Party Pen-Testing

Hand-On Training (R&D vs. QA) Secure Coding Baseline

# New Bugs/Year

100 150

Enforcement Dynamic Testing <–> LP Tools

Static Code Analysis Open Source Coverage Platform Tests

(7)

Who are the Key Players?

Sales & Product

R&D Scrum Teams

System Architects Software Architects Artifact CI environment Production

(8)
(9)

#RSAC RETROSPECTIVE

(10)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

(11)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design

Security Control

(12)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design

Security Control

Guide-in the teams On-Demand

(13)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design ESAPI & SCA checks for each build

Security Control

Guide-in the teams On-Demand

(14)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design Guide-in the teams On-Demand ESAPI & SCA checks for each build Automated Security Tests

Security Control

(15)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design ESAPI & SCA checks for each build Automated Security Tests Automated Security Tests

Security Control

Guide-in the teams On-Demand

(16)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design Q&A On-Demand ESAPI & SCA checks for each build Automated Security Tests Automated Security Tests External Pen-Test

Security Control

(17)

Scrum Actions

Release Planning Sprint Planning Coding

Code Freeze

Q&A – Regression Tests Release

Security High-Level Design ESAPI & SCA checks for each build Automated Security Tests Automated Security Tests External Pen-Test

Security Control

Guide-in the teams On-Demand

(18)

Screening Code in 3D

Delivered

Dependencies and Open Source Developer Code

(19)

Custom Enterprise Web Application Enterprise Security API

A u th en ti ca to r U se r A cc essCo n tr ol le r A cc es sR ef er en ce M ap Val id at or Enc ode r H TT P U ti lit ie s Enc ry pt or Enc ry pt edP ro pe rt ie s R ando m iz er Ex ce pt io n H andl ing Lo gge r Int rus io nD et ec to r Se curi ty C onf igu ra ti on

(20)

Controller User Interface Business Functions Web Service Database Mainframe File System

User Layer Data

Etc…

Any Encoding

Any Interpreter

(21)

Controller User Interface Business Functions Web Service Database Mainframe File System

User Layer Data

Etc… Encode For HTML Any Encoding Any Interpreter Specific Validate Validate

(22)

Define Relevant Filters

(23)

Integrating Automated Testing: Example

Preventing RegEx DoS and Performance Issues

Black/ White Listing

Filter

(24)

For Each Product

Live Person Security API (LPSAPI) - In-House Security Package based on ESAPI project Imports LPSAPI

Enforces correct usage via Source Code Analysis (SCA)

Enforce Open Source Policy Test your infra BB

(25)

Develop Commit Code Source Control (SVN) TeamCity (Build Trigger)

Maven Build Process (Unit tests)

Deploy to Production Deploy to Test Env Report & Notify Publish to release repository CI Environment

(26)

Develop Commit Code Source Control (SVN) TeamCity (Build Trigger)

Maven Build Process (Unit tests)

Deploy to Production Deploy to Test Env Report & Notify Publish to Release Repositor y SCA , Dynamic, OS Security in CI Environment

(27)

Results are Integrated within TeamCity

(28)

Results are integrated within CI environment

Developer has all required info.

No need to involve the Security Team

(29)

#RSAC

Challenges

 Management  Developers  Technology  HR

 Formal Training VS Coaching and Continues Education  Scale

(30)

Key Success Factor

(31)

Identify the process within R&D and set a plan to become part of it

Set Security Package API to be consumed with each code (ESAPI AntiSamy CSRF Guard)

Screen and enforce your policy on your code Open Source and platform

Use automation to collaborate with the security dynamic test

Allow customer to run a pen test and work as a community to succeed

(32)

Engage tech leaders as security champions by showing them the value

Train developers on a regular basis

Create a knowledge base and discussions around security

Break the build for any “High” or “Medium” findings

Start small but think big

(33)

Contact Me!

[email protected]

@lione_heart

(34)
(35)

#RSAC

Links to Resources

 OWASP – https://www.owasp.org/index.php/Main_Page

 AGILE & SDLC - http://www.ambysoft.com/essays/agileLifecycle.html  MS SDLC - http://www.microsoft.com/security/sdl/default.aspx

References

Related documents

• During each production run use data loggers or your plant equipment to monitor and record: production run duration, press motor voltage (measured between two phases), pellet

In the simplest pointwise approach, the instances are first assigned a relevance score using classical regression or classification techniques, and then ranked by posterior

The relationships between consensus and mixing time relate to the second eigenvalue of the updating matrix, and through our representative agent theorem, to the second eigenvalue of

In comparison of the four (4) selected markets in the study area, the result shows that the maximum average selling price and as well as the average profit were obtained in

This phenomenological qualitative research study examined the perceptions of African American women who successfully obtained the position of superintendents of schools in New

This discussion considers each of the elements as either an affirmative or adverse influence on an individual’s Overall Academic Confidence (OAC), suggesting a

Black Exceptionality in Academia: A Cultural- Historical Re-Conceptualization of Black Male Students Identified With Learning Disabilities in Higher Education Larry Love University

El objetivo del presente artículo es determinar en qué medida las campañas publicitarias que pueden ser tipificadas como transmedia incorporan el uso de redes sociales, qué tipos