Cyber Security testing in an agile environment
Transcript of Cyber Security testing in an agile environment
![Page 1: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/1.jpg)
![Page 2: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/2.jpg)
Arthur DonkersSecurity Officer
Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect Trainer for PECB (ISO27001, 27005, 31000) Convinced that Infosec is a means to an end, not a purpose in itself.
Contact Information
+ 31-6-53315102
www.1secure.nl
nl.linkedin.com/in/arthurdonkers
![Page 3: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/3.jpg)
Cyber Security Testing
How to align security testing to your agile cyber strategy
![Page 4: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/4.jpg)
Agenda
What is this all about?
Who am I?
Out with the old!
In with the new!
![Page 5: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/5.jpg)
Securitytesting in Cyber space
Does classical penetration testing still fit in the rapidly moving cyberspace?Or do we need a new approach?
![Page 6: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/6.jpg)
Who am I?
Arthur DonkersIndependent security consultantSecurity tester for mobile, IoT and hardwareTrainer for PECB (ISO27001, 27005, 31000)
![Page 7: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/7.jpg)
These are my opinions
This presentation is based on MY personal experiences with MY clients and MY projects.
Your mileage may vary, I just want to make you think about your current security testing strategy.
![Page 8: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/8.jpg)
… one more thing ...
I’m not a big fan of the term cyber, I think it is an empty term…
![Page 9: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/9.jpg)
Classic testing strategies
Classic security testing follows the waterfall project delivery model:
SECURITY TEST
![Page 10: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/10.jpg)
Classic testing strategies
this means:- Test after delivery of product (but hopefully
before actual deployment);- Within a set scope (only the product);- Within a limited timeframe (before release
date);- With limited resources (people and money)
![Page 11: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/11.jpg)
Classic testing strategies
which leads to:- time crunch (prioritizing individual tests, features
left untested);- limited security assessment (product is not
assessed in its final environment);- Too little time to test (time crunch);- No testers available due to time shift (limited
resource);- No time to fix things (no feedback).
![Page 12: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/12.jpg)
Classic testing strategies
Trying to swim upstream…
![Page 13: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/13.jpg)
Classic testing strategies
Same issues apply to regular testing as well, this is often part of a (mandatory) compliance program:- Limit scope (don’t test the scary stuff);- Limit time (need to be recertified yesterday);- Don’t care about the actual execution (having
ANY test executed often considered sufficient).
![Page 14: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/14.jpg)
Classic testing strategies
Tick in the box exercise!
![Page 15: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/15.jpg)
So now what?
Modern development of products needs to adapt quickly and follow a risk based approach.
This is often referred to as Agile Development
![Page 16: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/16.jpg)
Agile testing strategy
Security testing needs to be integrated into the incremental and continuous delivery cycle
![Page 17: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/17.jpg)
Agile testing strategy
Security testing is not a separate step anymore:- follow at least the risks identified in the agile
cycle (and any additional risks identified);- embed security testers in project (secure
development);- focus and prioritize (there is no 100%)- automate and tool up
![Page 18: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/18.jpg)
Agile testing strategy
Supporting environment (just an example):
![Page 19: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/19.jpg)
Agile security management
For your regular testing you should:- employ a red team (for continuous testing);- don’t limit the scope (let them think and work
like a hacker);- actively and continuously manage the
vulnerabilities and associated risks.
![Page 20: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/20.jpg)
Agile security management
What is ‘red team’ exactly?
“Penetration testers assess organization security, often unbeknownst to client staff. This type of Red Team provides a more realistic picture of the security readiness than exercises, role playing, or announced assessments. The Red Team may trigger active controls and countermeasures within a given operational environment.” (Wikipedia)
![Page 21: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/21.jpg)
Agile security management
So it is a simulated attack, without the limitations of a regular penetration test to yield better and more complete results:
A simulated hacker attack
![Page 22: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/22.jpg)
Agile security management
Continuous security testing uses the same approach, but in a continuous flow instead of an exercise.
![Page 23: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/23.jpg)
Agile security management
• Continuous security testing becomes part of your operational security process (vulnerability management) and gives you a realtime and continuous view on your current security posture.
• This helps you to prioritize risk mitigation and resource allocation (put $$$ where it has the most effect).
• And it fits very well into the continuous improvent which is part of ISO27001
![Page 24: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/24.jpg)
But wait! There’s more!
![Page 25: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/25.jpg)
What then?
All organizations have limited resources (people, time, money).Leverage the hacker community via a bugbounty program.
![Page 26: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/26.jpg)
Bug bounty program
Reward hackers for reporting bugs to you’They’ have the time and dedication to look for bugs.You must set the right terms and conditions.And make sure you can handle the bug reports that will be pouring in (both in volume and quality!).If done properly, this could be an addition to your continuous testing team!
![Page 27: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/27.jpg)
Bug bounty program
Make sure you have at least:
- set up a (responsible) disclosure policy;- set up a reward system (separate the wheat
from the chaff);- set up an incident handling process (things
may/will go wrong and/or trigger alarms).
![Page 28: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/28.jpg)
Responsible disclosure
Allow for people to report bugs and vulnerabilities to you:- without ‘punishing’ the reporter;- in a safe (and sometime anonymous) way;- using clear communication protocols.
So you can resolve these bugs and vulnerabilities before they bite you!
![Page 29: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/29.jpg)
Bug bounty program
You can run your own bug bounty program,Or have a specialized company do it for you, like
![Page 30: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/30.jpg)
Incident handling process
In a continuous security testing strategy, the incident handling is necessary to catch all things that slip through the cracks.This is not an omission, but a result of the fact that you cannot test and secure everything.But you should prepare yourself!
![Page 31: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/31.jpg)
Incident handling process
![Page 32: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/32.jpg)
Wrapping up
Old skool testing does not fit the bill anymore!
Perform continuous testing;Think like a hacker using red team approach;Leverage the hacker community through bug bounty program;Prepare for incidents.
![Page 33: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/33.jpg)
More info at:
www.agilesecurity.nl
![Page 34: Cyber Security testing in an agile environment](https://reader036.fdocuments.in/reader036/viewer/2022081520/58f9b36f760da3da068bd61c/html5/thumbnails/34.jpg)