SECURITY BY DESIGN - DevOn Summit


1 SECURITY BY DESIGN in an Agile environment

Security by Design

Easy talking ???

DevOn summit March 30 2017

Arjan van Breemen

March 23, 2017

Anticipate the difficult By managing the easy

(Lao Tzu)

2 SECURITY BY DESIGN in an Agile environment

Before starting

A short introduction

• Arjan van Breemen

• Current role: Security Officer

• Ambition: Embedding a security, privacy and compliance attitude in an Agile / DevOps work environment including a safety net in case of “mistakes”

• Environment: and

• Started April 2014 with a lot of freedom, with (currently) 250 colleagues, 35 scrum teams. Per April 2017: 90 and > 600 colleagues.

3 SECURITY BY DESIGN in an Agile environment

Security challenges outside …..

• As a security guard you must defend against all attacks
• As an attacker you need only one successful attack for a breakthrough

ISF Threat Horizon 2019

4 SECURITY BY DESIGN in an Agile environment

as well as inside

Power to the process

5 SECURITY BY DESIGN in an Agile environment

The situation

• Security a necessity through the centuries
• Cyber threats: It's not about IF, but about WHEN
• The race between attacker and target is a never ending story

• Innovation activities distributed over teams
• Different awareness / knowledge of security
• Frequent releases with minimum valuable products
• Different level of risks

SO:
• You cannot protect the organization from cyber threats
• There are a lot of things in the organization you cannot influence

• FACE THOSE FACTS, start the journey, learn and adapt

6 SECURITY BY DESIGN in an Agile environment

Need for a change

From this

To this

7 SECURITY BY DESIGN in an Agile environment

While preventing this

or this

8 SECURITY BY DESIGN in an Agile environment

And aware of this

Agile KANO model

Area we are working in

Security by Design, not only a process but an interplay between:
• Awareness, knowledge, architecture, process and requirements
• CISO, Security experts, teams and business

Based on support and transparency

9 SECURITY BY DESIGN in an Agile environment

So, how to start???

The basic essentials:

Organize

Risk based

Process & tools

Active Support

Open your eyes

Prevent

And react fast

Architecture

10 SECURITY BY DESIGN in an Agile environment

How to organize

Basic knowledge of security covered within teams. Product Owner accountable for complying with policy.

If security threats have medium impact, then a “Trusted person” (Security specialist) is involved.

CISO Policy Advisors (knowledge ++)

Interpretation of the Policy

Implementation of the policy

Medium

High

Low

Scrum Team Basic Knowledge

“Trusted person” (Knowledge +)

“Trusted person” (Knowledge +)

“Trusted person” (Knowledge +)

Scrum Team Basic Knowledge

Scrum Team Basic Knowledge

KSP

Product

Portal Authority (part of CISO Red Team): Penetration test (prod)

If security threats have High impact, then a Policy advisor is additionally involved and thereby becomes an important stakeholder for the Product owner.

11 SECURITY BY DESIGN in an Agile environment

Organisation

From control to support

12 SECURITY BY DESIGN in an Agile environment

Risk Based approach

Scrum team

Low: No extra security measures or internal checks by scrum teams

Medium: Trusted person involved. VA_CR during sprint

High: Trusted person & PA involved. VA_CR during sprint

• Awareness
• Process
• Change scope

• Location of application in architecture
• Sensitivity of information processed/stored

Risk profiling

Risk profiling

SCRUM TEAM

Architecture

Important questions to ask:
• How mature is this team concerning security during their innovation lifecycle
• What is the “security sensitivity” of the applications they are working on
• What is the “security health” of the applications they are working on

13 SECURITY BY DESIGN in an Agile environment

Risk based approach

Build / Test

“Pen Test” / CR_VA results

check by Red Team

Final Security approval

Scrum team 1 Backlog

Scrum team 2

Scrum team …

Backlog

Backlog

Prod

KSP requirement tool

Classification tool

Maturity Tool

(Quarterly)

Abuse cases

Threat analysis

ARSA ARSA ARSA ARSA

Code Review / Vulnerability Assessment by 3rd party (iLionx) or internal (Burp Suite)

ARSA: Agile Risk Self Assessment

Risk & Requirements, “Test / Review” and Approval per risk level:

High Security Risk: New Systems and / or Major functional changes on existing systems
• Risk & Requirements: 1. KSP Req tool 2. Threat Analysis 3. Abuse cases
• “Test / Review”: 1. Trusted person involved 2. CR / VA by 3rd party
• Approval: 3. Final Check PA

Medium Security Risk: Medium functional changes on existing systems
• Risk & Requirements: 1. KSP Req tool 2. Threat Analysis 3. Abuse cases
• “Test / Review”: 1. Trusted person involved 2. CR / VA by 3rd party
• Approval: 3. Final Check Sec. Officer Digital

Low Security Risk: changes on existing systems within existing functionality
• Risk & Requirements: 1. KSP Req tool 2. Threat analysis
• “Test / Review”: 1. No extra steps necessary or internal scan (VA)
• Approval: 2. Final Check Scrum Team

“Pen Test” by Red Team

Periodically (Quarterly)

14 SECURITY BY DESIGN in an Agile environment

Process

Based on KPN Security Policy (KSP)

Exception handling

Scope relevant KSP items Classify Risk Analyse Determine extra requirements

Organisation, process, functional

KSP scanned on areas applicable and on req.

Organisation level

Online: High (Sec / BCM);
C&C: High (Privacy / BCM)
BI: High (Privacy / BCM)

Team level

Sprint level (during backlog refinement)

Result: depends on user story / sprint content

If result High

Sprint / user story (during backlog refinement)

Extra process steps (CR/VA) or specs

Input: KSP

Proj. Class. tool

ASRA

ASRA

Classification tool (KSP FA06 template)
Requirements selection tool (KSP FA06 template)
ASRA: Agile Self Risk Assessment

CR: Code Review
VA: Vulnerability Assessment

Trusted Person + support Product Owner + Team Support from Trusted person

Sprint

Update BCM plan

Quality Assurance

If requirements cannot be met

Split your policies

KSP: Github.com KPN-CISO/kpn-security-policy

15 SECURITY BY DESIGN in an Agile environment

Process: 2 important items…..

16 SECURITY BY DESIGN in an Agile environment

What to do?

If requirements are not met

17 SECURITY BY DESIGN in an Agile environment

Agile Self Risk Assessment (ASRA)

What does this look like

Action code: Required action
• Nothing: No action required
• CR: Code review with focus on security issues
• VA: Vulnerability Assessment; scan on common security risk by security testers
• PT: Full-scale penetration test by CISO RedTeam

Application: Application Risk
• Open pages without forms: 0
• Open pages with forms: 1
• Mobile apps without user login: 2
• Closed environment with single customer information (e.g. mijnKPN): 3
• Closed environment with multiple customer information (customer support portals): 4

Change Type: Change Risk
• Layout / content only: 0
• New data only (e.g. new field on form): 1
• Changes in web server configuration, SSL, etc; New connections (webservices, API, etc) to intranet: 2
• New functionality, new authorisation roles, etc: 3
• New connections (webservices, API, etc) to internet: 4

Poker Session Risk Assessment

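Required action per Application Risk (rows) and Change Risk (columns):

Change Risk:        0 | 1 | 2 | 3 | 4
Application Risk 4: CR | CR + VA | CR + VA | CR + VA + PT | CR + VA + PT
Application Risk 3: CR | CR + VA | CR + VA | CR + VA + PT | CR + VA + PT
Application Risk 2: Nothing | CR | CR + VA | CR + VA + PT | CR + VA + PT
Application Risk 1: Nothing | CR | CR + VA | CR + VA | CR + VA + PT
Application Risk 0: Nothing | CR | CR + VA | CR + VA | CR + VA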

18 SECURITY BY DESIGN in an Agile environment

Active Support

You are there to support the teams

Help teams & stakeholders.

• Balance the “need to protect the organization” against “the need to run the business”
• Every team member is responsible for security. So coach
• Security skills are embedded in the teams, so teach
• And above all: Always react fast and direct, so be alert

And besides this, start with:
• Putting together an overall security view
• Actively inform stakeholders (management / CISO)
• Connect frequently with teams, architects, testers and business
• Give feedback to teams concerning operational issues
• Let awareness grow by posting items from security forums

19 SECURITY BY DESIGN in an Agile environment

Support from management

Important: Yes but this should be enough

Security

Do or

Die

20 SECURITY BY DESIGN in an Agile environment

Lessons Learned

• A strong team (trusted person) able to balance business benefit versus Security risk is a must;
• Make sure Privacy by Design activity / tools fit in the primary workflow of the teams;
• Support teams on their request;
• Make sure there are requirements;
• Be transparent in communication, also if requirements are not met or you are not able to decide about a certain risk

21 SECURITY BY DESIGN

Thank you

For your attention