Agile Application Security - The Fast Track to SDLC
With Agile development seeing software released at a fast and furious rate, how can you be sure each release is safe? See how one of Europe's largest online retailers deploys web applications frequently and quickly with security built in. This is a very important talk for any security professional who needs to protect their business in the best possible way from application attacks.
- Learn about an efficient, effective, real and proven way to develop and deploy secure software
- Understand how to really address the issue of application security in an Agile process, automatically
- See how Agile development creates secure software
- Filmed at Information Security Europe (InfoSec) 2013 in the Business Strategy Theatre
With Agile Development seeing software released at a fast rate, how can you be sure each release is safe?
Here we are going to see how one of Europe's largest online retailers deploys web applications frequently and quickly with security built in. This is a very important talk for any security professional who needs to protect their business in the best possible way from application risks. We will talk about an efficient, effective and real way to develop and deploy secure software. I want you to understand how to really address the issue of application security in an Agile process: automatically, accurately, and therefore efficiently and simply. What I'm going to do is set the scene with some stories from the present, give a brief overview of Agile, and then get into the nitty-gritty of Secure Agile.
Application security, what is it doing in the Business Strategy Theatre?
Application security is a technical issue, but it also has a serious impact on business. Look at some application security-specific exploits that have been in the news in recent years:
- Sony, for example, lost somewhere between 1.5 billion and 117 million due to application security attacks.
- Citi Bank was disclosing someone else's credit card details, including the CVV number, just by changing the account number in the URL: a parameter tampering issue. That was 360,000 credit cards; it may or may not have been 2.7 million, that was what was reported. I would suspect it may have been significantly more.
- Mr David Cameron's picture was replaced by Mr. Bean on the Conservative Party site. SQL injection attack.
SQL injection has been around for a long, long time and has been known about for a long, long time, at least 15 years. How did they make this mistake? Well, the thing is, if the quality gates are in place but things have not been checked for every release, then what you find is that these security bugs creep in. It's like a regression in your software.
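The two failures described above, parameter tampering and SQL injection, and the point about quality gates that are not re-checked on every release, can be shown together in one small added example. This is illustrative code written for this write-up, not code from the talk or from the retailer it describes; the accounts table, the seed rows and the `get_card_*` functions are all constructed assumptions. The vulnerable lookup is kept beside the hardened one so the same regression suite can be run against both, which is exactly the kind of check a per-release quality gate should repeat.

```python
import sqlite3

# Constructed sample rows with fake card numbers, not real accounts. (A real
# system must not store the CVV at all; it appears here only to mirror the story.)
SEED_ROWS = [
    (1001, "alice", "4111-XXXX-XXXX-1111", "123"),
    (1002, "bob", "5500-XXXX-XXXX-0004", "456"),
]


def make_db():
    """Build an in-memory SQLite database with the assumed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "account_id INTEGER PRIMARY KEY, owner TEXT, card TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SEED_ROWS)
    return conn


def get_card_vulnerable(conn, current_user, account_id):
    """Deliberately weak: trusts the account id taken from the URL (no ownership
    check, so any user can read any account) and concatenates it into the SQL."""
    query = "SELECT card, cvv FROM accounts WHERE account_id = " + str(account_id)
    return conn.execute(query).fetchone()


def get_card_hardened(conn, current_user, account_id):
    """Fixed version: the id is validated, passed as a bound parameter, and the
    row must belong to the authenticated user, otherwise nothing is returned."""
    try:
        account_id = int(account_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT card, cvv FROM accounts WHERE account_id = ? AND owner = ?",
        (account_id, current_user),
    ).fetchone()


def security_regression_suite(lookup):
    """Run the security checks a quality gate should repeat on every release.
    Returns {check_name: passed}; `lookup` is the function under test."""
    conn = make_db()
    alice_card = ("4111-XXXX-XXXX-1111", "123")
    bob_card = ("5500-XXXX-XXXX-0004", "456")
    return {
        # Parameter tampering: bob changes the account id in the URL to alice's.
        "no_parameter_tampering": lookup(conn, "bob", 1001) is None,
        # Injection: a tampered id must not widen the query to other rows.
        "no_sql_injection": lookup(conn, "bob", "1002 OR 1=1") in (None, bob_card),
        # The legitimate owner can still read their own account.
        "owner_can_read": lookup(conn, "alice", 1001) == alice_card,
    }


def quality_gate(lookup):
    """True only if every security regression check passes; wiring this into
    the per-iteration build makes a reintroduced bug fail the build."""
    return all(security_regression_suite(lookup).values())


if __name__ == "__main__":
    for name, fn in (("vulnerable", get_card_vulnerable), ("hardened", get_card_hardened)):
        print(name, security_regression_suite(fn), "gate:", quality_gate(fn))
```

Run stand-alone it prints one line per implementation; the vulnerable lookup fails both the tampering and the injection check while still passing the functional check, which is why a purely functional test suite never catches the regression.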
Why do applications remain vulnerable?
Everyone acknowledges that IT security is important. According to the National Institute of Standards and Technology, enterprises spend 90% of their security investment in the infrastructure layer. However, 90% of vulnerabilities are in applications, not in networks. With a secure network and secure servers, the perimeter has been secured. But opening ports 80 and 443 to give access to applications punches a hole through the secured network.
Another statistic: according to Gartner, 75% of attacks are at the application layer, and 85% of application vulnerabilities are found at source code level.
This means we have a lot of vulnerable applications despite this one billion annual spend and 40 percent growth in the market. There is a severe problem!
Why is the application there?
Applications are useful to their users. They may be your staff, your patients, your customers, your soldiers, whatever it might be. It's got to be high performance, highly functional and very useful. The thing is, if security isn't considered in the application then malicious users have just as much ability to use the application, and can use it either to do some injection and data extraction or, via some cross-site attack, to attack other users through your application.
Agile & Security
If you're on a fast track to anything you're probably using Agile development or some form of it. There's no set form of an Agile methodology; there are different flavors of it. Agile is a method of developing software that favors face-to-face communication over formal documentation. Waterfall is a much more formal method of creating software, and you can imagine it like a waterfall, step by step going through the stages of development until you get to release.
According to MIT research, Agile firms grow 30 percent faster and generate 30 percent more profit, so organizational agility gives you more profit.
What does Agile mean for security?
For every iteration that we do we're going to see how the application is looking. We go back to this continuous integration and planning with our to-do list and then create the next iteration, which should continue further in the right direction.
- Done the right way, Agile mitigates risks
- Visible progress in the right direction
- Developers are more responsive
- For secure applications we need security by design
As opposed to the waterfall methodology, where it's more likely you'll discover these vulnerabilities on the eve of delivery, which is really no longer an option. If we find issues early we can then test and test and test these application security vulnerabilities to maturity.
Secure Software = secure applications
- Discovery on eve of delivery is no longer an option
- Find issues and test to maturity
Why isn't everybody developing secure applications?
Scanning and static code review tools are not delivering:
- Noise, false positives and false negatives, which means that you need to go through a verification process and correlate results for every report you get from this technology.
- Very skills hungry. There are not a lot of people with the ability to know what the application is doing and the ability to understand the exploit, to work out where the problem is in the code.
- 3rd party issues: complexity, and you don't necessarily have the code in the first place.
- Results are very code-centric, not application-centric. If you're told about a SQL injection vulnerability in this particular function in the code, who's to know where it manifests itself on the interface? Also, that code might be redundant code.
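The list above calls for a verification process that correlates results, and complains that scanner findings are code-centric rather than application-centric. Here is an added example of one such correlation step; it is illustrative code written for this write-up, not a tool the talk describes. The two reports, the route table and the field names are constructed assumptions (in practice the route table would be generated from the application's own router), and the labels it produces are a triage aid, not a verdict.

```python
# Constructed sample reports, not the output of any real scanner.
# SAST findings are code-centric: they name a file and a function.
SAST_FINDINGS = [
    {"type": "sqli", "file": "accounts.py", "function": "get_card"},
    {"type": "xss", "file": "search.py", "function": "render_results"},
    {"type": "sqli", "file": "legacy/export.py", "function": "dump_rows"},
]
# DAST findings are application-centric: they name a URL and a parameter.
DAST_FINDINGS = [
    {"type": "sqli", "url": "/account", "param": "account_id"},
    {"type": "xss", "url": "/search", "param": "q"},
    {"type": "xss", "url": "/help", "param": "topic"},
]
# Assumed route table: which code entry point serves which URL.
ROUTES = {
    ("accounts.py", "get_card"): "/account",
    ("search.py", "render_results"): "/search",
    ("help.py", "show_topic"): "/help",
}


def correlate(sast, dast, routes):
    """Merge both reports onto (type, url) keys.

    Returns (merged, unrouted). Each merged entry records which tools saw it,
    the code location when known, and a triage label:
      'confirmed'   - the same issue is seen in the code and on the interface
      'verify-sast' - only the code scanner reports it (possible false positive)
      'verify-dast' - only the runtime scanner reports it (code location unknown)
    `unrouted` lists SAST findings in code that no route reaches, i.e.
    candidates for redundant code that still need a manual look.
    """
    merged = {}
    for f in dast:
        key = (f["type"], f["url"])
        entry = merged.setdefault(key, {"tools": set(), "code": None, "param": None})
        entry["tools"].add("dast")
        entry["param"] = f["param"]

    unrouted = []
    for f in sast:
        url = routes.get((f["file"], f["function"]))
        if url is None:
            unrouted.append(f)
            continue
        key = (f["type"], url)
        entry = merged.setdefault(key, {"tools": set(), "code": None, "param": None})
        entry["tools"].add("sast")
        entry["code"] = f"{f['file']}:{f['function']}"

    for entry in merged.values():
        if entry["tools"] == {"sast", "dast"}:
            entry["label"] = "confirmed"
        elif entry["tools"] == {"sast"}:
            entry["label"] = "verify-sast"
        else:
            entry["label"] = "verify-dast"
    return merged, unrouted


def triage_report(sast, dast, routes):
    """One line per finding: problem, where it shows on the interface, and
    where it lives in the code. Confirmed issues are listed first."""
    merged, unrouted = correlate(sast, dast, routes)
    order = {"confirmed": 0, "verify-dast": 1, "verify-sast": 2}
    lines = []
    for (vtype, url), e in sorted(merged.items(), key=lambda kv: (order[kv[1]["label"]], kv[0])):
        lines.append(f"{e['label']:<12} {vtype:<5} {url} param={e['param']} code={e['code']}")
    for f in unrouted:
        lines.append(f"unrouted     {f['type']:<5} {f['file']}:{f['function']} (no route reaches this code)")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAST_FINDINGS, DAST_FINDINGS, ROUTES)))
```

With the constructed data the SQL injection in `get_card` and the XSS in `render_results` come out as confirmed with both the URL and the code location attached, the `/help` XSS is flagged for verification because no code finding matches it, and the finding in `legacy/export.py` is reported as unrouted, which is the "redundant code" case the list mentions.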
Penetration testing can be very thorough. Proper security analysis of the application is the way to go; it's the way to find the most vulnerabilities.
How can penetration testing possibly fit with agile?
It's time consuming again. It's expensive. It's not really scalable. You couldn't do that for every iteration of your development.
The response from an application security review has to be incredibly accurate and focused on real vulnerabilities, and only those vulnerabilities. We need to get rid of false positives. It has to be very clear, and present not only the problem but the solution: the root cause analysis. Where is this exploit? How does it manifest itself? Where does it come from in the code?
We need to be able to say: here's the problem, and here's where it is in the application and in the code. It needs to be simple, because there's not enough application security expertise in the world to deal with all software projects. It needs to be a conjoined effort between QA, security and development in order to create a true piece of secure software. Therefore, a simple solution is needed.
Let's take a look at Agile development. I struggled to find a diagram for Agile, so I drew one myself. If we take a look at what's going on here, there's the customer on the left, this king, and they have a project. They have some requirements. That turns into a prioritized to-do list. For each iteration of development we work on the things that give us the most value.
We go through this process, we go through the iteration, which might be a sprint or a release, and then we come back. We give a presentation to all the stakeholders. We analyze that. We do a project review. We then plan the next iteration and get our next prioritized to-do list.
We keep going through here until all the to-do things are done. Done. That's not a mistake; that's the whole point of Agile. You stand up, you say what you're going to do, and you do it. If you look at what is actually going on inside Agile, it's really bite-sized waterfall chunks: small, manageable chunks of software development.