10 Steps To Agile Development Without Compromising Enterprise Security
Transcript of 10 Steps To Agile Development Without Compromising Enterprise Security
Author: Yair Rovek
Challenged by Agile
“It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks” -- Extract from a blog of a very popular software provider
“The good news is that our retroactive security is very good…” -- Extract from the same blog as above
About Me
Yair Rovek
• 20+ years in the industry
• 4 years Security Specialist @ LivePerson
• Leading the SDLC Program
• Design security and new technologies within our products
Contact Me! [email protected] @lione_heart
Hosted by OWASP & the NYC Chapter
LivePerson ID
SaaS platform for creation of meaningful connections through real-time engagement
What we do?
• 16 years in business
• SaaS from day 1
• NASDAQ & TASE (LPSN)
• ~8500 customers
• ~800 employees
How it works?
• Monitor web visitors’ behavior (over 1.5 B visits each month)
• Conduct behavioral ranking
• Provide the engagement platform (over 10 M chats each month)
SaaS & Cloud only: Security is NOT optional…
Who are the key players?
• Sales & Product
• R&D Scrum teams
• System Architects
• Software Architects
• Artifact, CI environment, Production
Agile Framework
RETROSPECTIVE
Add Security to the Agile Process
Scrum Actions and the Security Control attached to each:
• Release Planning: Security High-Level Design
• Sprint Planning: Guide-in the teams (On-Demand)
• Coding: ESAPI & SCA checks for each build
• Code Freeze: Automated Security Tests
• QA – Regression Tests: Automated Security Tests
• Release: External Pen-Test
Screening Code in 3D
• Developer Code (delivered)
• Dependencies and Open Source (POM File)
• Open Source Policy: ESAPI / AntiSamy / CSRF Guard…, Utilities, SCA
ESAPI Building Blocks
Custom Enterprise Web Application
Enterprise Security API:
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration
Where Do I Put My Validation?
Layers: Controller, User Interface, Business Functions, User Data Layer (Web Service, Database, Mainframe, File System, Etc…)
• Controller: Validate every input as it enters
• Business Functions: Specific Validate for each field
• User Interface: Encode For HTML
• User Data Layer: Any Encoding for Any Interpreter (Web Service, Database, Mainframe, File System)
Define Relevant Filters
API example
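The placement rule above (validate where untrusted data enters, encode for the specific interpreter where it leaves), as an added example in Python rather than the Java ESAPI/LPSAPI the slides describe; this is not LivePerson's code. The username whitelist, the in-memory SQLite table and the injection string are constructed for the demo, and the deliberately unsafe query is kept only to contrast with the bound one.

```python
"""Boundary validation plus per-interpreter output encoding.

Added example, not ESAPI or LPSAPI. Whitelist, table contents and payload are constructed.
"""
import html
import re
import sqlite3

# Specific whitelist for one field (assumed policy: 1-32 chars, letters/digits/._-).
USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


class ValidationError(ValueError):
    """Raised at the controller edge; the request never reaches business logic."""


def validate_username(raw):
    """Controller-edge check: cheap length bound first, then the strict whitelist."""
    if not isinstance(raw, str) or len(raw) > 32:
        raise ValidationError("username missing or too long")
    if USERNAME.fullmatch(raw) is None:
        raise ValidationError("username contains characters outside the whitelist")
    return raw


def encode_for_html(value):
    """Sink-side encoding for the HTML interpreter; applied to everything rendered,
    including data that came from the database rather than from this request."""
    return html.escape(value, quote=True)


def setup_db():
    """Constructed sample table; note the stored display name contains markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, display TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob <admin>")])
    return conn


def find_user_unsafe(conn, name):
    # What the slide warns against: the SQL interpreter parses user data as code.
    return conn.execute(f"SELECT display FROM users WHERE name = '{name}'").fetchall()


def find_user(conn, name):
    # Parameter binding is the "encoding" for the SQL interpreter.
    return conn.execute("SELECT display FROM users WHERE name = ?", (name,)).fetchall()


def render_profile(conn, raw_name):
    """Validate where data enters, bind where it reaches SQL, encode where it reaches HTML."""
    name = validate_username(raw_name)
    rows = find_user(conn, name)
    display = rows[0][0] if rows else "unknown"
    return f"<p>{encode_for_html(display)}</p>"


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"  # constructed injection string
    print("unsafe query returned", len(find_user_unsafe(db, payload)), "rows")
    print("bound query returned", len(find_user(db, payload)), "rows")
    print(render_profile(db, "bob"))
```

The validator rejects the payload before any query runs, but the bound query is still there because validation at the edge does not cover data that arrives by other paths; likewise the stored display name is encoded at the HTML sink even though it never passed through this request's validation.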
Integrating Automated Testing Example: Preventing RegEx DoS and Performance Issues
• Black/White Listing Filter
• Automated Test Example
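An automated test of the kind this slide calls for, written in Python as an added example (it is not LivePerson's test code): a whitelist filter whose regex is probed with adversarial input, so that a pattern with catastrophic backtracking fails the check instead of reaching production. The two patterns, the length limit and the probe lengths are assumptions for the demo.

```python
"""Whitelist filter plus an automated ReDoS probe.

Added example, not LivePerson's code. Patterns, limits and probe lengths are assumptions.
"""
import re
import time

# Whitelist for "words separated by single spaces".
# VULNERABLE: (\w+\s?)* lets the engine split one run of word characters into
# exponentially many groups before it concludes that a trailing '!' cannot match.
VULNERABLE_WORDS = re.compile(r"^(\w+\s?)*$")
# SAFE: every character is consumed by exactly one path, so a failed match
# backtracks linearly in the input length.
SAFE_WORDS = re.compile(r"^\w+(?:\s\w+)*$")

MAX_LENGTH = 64  # assumed field limit; enforced before any regex runs


def validate_words(value, pattern=SAFE_WORDS, max_length=MAX_LENGTH):
    """Length bound first (cheap, caps regex work), then the whitelist match."""
    if not isinstance(value, str) or len(value) > max_length:
        return False
    return pattern.fullmatch(value) is not None


def reject_time(pattern, n, repeats=5):
    """Best-of-N seconds to reject n word characters followed by a non-whitelisted char."""
    evil = "a" * n + "!"  # constructed adversarial input
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.fullmatch(evil)
        best = min(best, time.perf_counter() - start)
    return best


def regex_is_safe(pattern, small=10, large=18, growth_limit=8.0):
    """Build gate: growing the probe from `small` to `large` characters must not
    multiply the rejection time by more than growth_limit (plus 100 us of noise
    allowance). A linear pattern scores about 1-2x; the vulnerable pattern above
    scores in the hundreds because each extra character doubles its work."""
    t_small = reject_time(pattern, small)
    t_large = reject_time(pattern, large)
    return t_large <= growth_limit * t_small + 1e-4


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE_WORDS), ("safe", SAFE_WORDS)):
        print(f"{name}: passes gate={regex_is_safe(pat)}  "
              f"reject time at n=18: {reject_time(pat, 18):.6f}s")
```

The gate measures growth rather than absolute time, so it gives the same verdict on a fast and a slow build agent; the length cap in the filter is the second line of defence, because even a linear pattern is a performance problem on unbounded input.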
LivePerson ESAPI Implementation
• LivePerson Security API (LPSAPI): in-house security package based on the ESAPI project
• For each product: imports LPSAPI
• Enforces correct usage via Source Code Analysis (SCA)
• Enforces the Open Source Policy
• Test your infrastructure building blocks
Security in CI environment
Develop → Code Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests) → Security checks: SCA, Dynamic, OS (open source) → Publish to release repository → Deploy to Test Env → Deploy to Production
Report & Notify
One Dashboard
• Results are integrated within TeamCity
• Developer has all required info; no need to involve the Security Team
• Dive into the results
10 Best Practices: Secure Agile Development
Key Success Factors
1. Identify the process within R&D and set a plan to become part of it
2. Set a Security Package API to be consumed with each code base (ESAPI, AntiSamy, CSRF Guard)
3. Screen and enforce your policy on your code, open source and platform
4. Use automation to collaborate with the security dynamic test
5. Allow customers to run a pen test and work as a community to succeed
6. Engage tech leaders as security champions by showing them the value
7. Train developers on a regular basis
8. Create a knowledge base and discussions around security
9. Break the build for any “High” or “Medium” findings
10. Start small but think big
Never ending story …