Developing secure software is a complex and asymmetrical endeavor since it requires high level of technical expertise in order to mitigate known risks and vulnerabilities of today and to withstand attacks from the unknown threats of tomorrow. The traditional way of securing software is based on thorough threat analysis, extensive capture of the security requirements and detailed planning of the mitigations. This highly formulated approach is contradictory in many aspects to the principles of Lean and Agile software development.
In this talk we are presenting a context sensitive framework of secure software deployment that is based on the principles of Lean development like eliminating waste, amplified learning, late decisions and fast deliveries without making any compromises regarding security. Our approach is focusing on providing product owners with detailed information about the impact of threats to products and the cost of mitigations, allowing them to assess and prioritize security items using the same criteria as any other item in their product backlog.
Thoralf J. Klatt, Mario Lischka, Panayotis Kikiras
Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation
1. Applying Lean Principles to
Overcome Challenges of Software
Security in Agile Mode of Operation
Thoralf J. Klatt
Mario Lischka
Panayotis Kikiras
Software-Qualität und Smart Cities - Herausforderungen und Chancen
Berlin 15-16 October 2012 1
2. Agenda
• Lean Principles and Agile Development
• Usable Security
• Secure software development in Agile
environment
• Prioritizing Security
• Conclusions
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 2
3. Lean Thinking in Agile Development
• Eliminate Waste does it add end user value?
• Amplify Learning validated learning
• Decide as Late as Possible real options
• Deliver as Fast as Possible fast learning
• Empower the Team mastery, autonomy, purpose
• Build Integrity In perceived and conceptual integrity
• See the Whole simplify structure, optimize behaviour
Nordic Reading: http://www.fokkusu.fi/agile-security/
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 3
4. Definition of Secure
Secure product is one that protects the
confidentiality, integrity, and availability of the
customers’ information, and the integrity and
availability of processing resources under control
of the system’s owner or administrator.
-- Source: Writing Secure Code
(Michael Howard, David LeBlanc)
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 4
5. Security is mainly a software problem
• Depending on the source, an estimated 70% to
92% of security breaches result from
vulnerabilities in software.
• Network Security Layer is adequately
addressed (firewalls, IDS, IPS, Antivirus).
• A new star is rising though …
The end user
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 5
6. Incentives to Improve
Source: Fundamentals of Secure Architecture – online available at
https://knowledge.elementk.com
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 6
7. Where is Scrum now?
• Early and continuous delivery of valuable software
• Welcome changing requirements,
even late in development
• Build projects around motivated individuals and
trust them to get the job done.
• Working software as the primary measure of
progress
• Continuous attention to technical excellence and
good design
• Simplicity—maximizing the amount of work not
done
• The best architectures, requirements, and designs
emerge from self-organizing teams
• At regular intervals, the team reflects on, tunes,
and adjusts its behavior
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 7
8. Where are you now?
• You trust that your teams are doing their best for
security.
• Do they?
• No specific care being taken in designing for
security unless the customer requires that
• Does it happen now?
• How a PO prioritizes security if not required by the
customer?
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 8
9. Usable Security to Eliminate Waste
• Customers in general never ask for
security directly
• The product is expected to be secure
• As a service to protect the business case
• Sometimes customers and security
specialists are overexaggerating
• Teams should provide built-in solutions
based on thorough Risk Analysis and
Threat Assessment
• UX: simplify structure, enrich functionality
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 9
10. Securing Scrum
Security
User Stories
Data
Threats &
Flow &
Risks
Retrospective
Threat
Analysis
Sprint
Imple
Prod tation
men
uct
Continuous
Security Tests
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 10
11. Prioritizing Security: Risk – Adjusted Backlog
• Project Risks – security threats are like anti-value
• If a risk occurs, takes time and resources away from
activities that deliver value.
• Therefore not only plan to deliver high value early but
plan to execute risk avoidance and mitigation activities
early too!
• Risk management great fit in Agile development
• Through iterations we can tackle high-risk areas
sooner than later
• Deal with threats when still exists time and budget to
work with them
• Reduces the amount of effort invested in work that may
end up scraped.
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 11
12. A security risk can be prioritized
like any other feature
Prioritized Feature list with ROI
Values Prioritized Risk list –Ordered by Severity
Risk i
Risk 1
Must 5000€ (Risk Impact (in€,points)XRisk
(9000€X50%=4500€)
Propability (in %))
Risk 2
Must 4000€
(8000€X50%=4000€)
Risk 3
Should 3000€
(3000€X25%=1500€)
Risk 4
Should 2000€
(2500€X25%=625€)
Risk 5
Could 1000€
(500€X20%=100€)
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 12
14. Analyze the Dataflow
• Realization of User Stories whose acceptance criteria
requires detailed look on potential threats
• Dataflow and STRIDE Analysis support identification of
threats
Spoofing of Identity
T M Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege
S M
E M
STRIDE
R M
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 14
15. Conclusions
• Also part of the Security Scrum process
• Continuous Integration Testing
• Explicit regression for acceptance criteria
• Code Analysis (SAN 25)
• Fuzzy Testing
• Secure Coding Guidelines
• Adding Security to Scrum process is necessary and
possible
• Backlog Prioritization based on identified Risks
• Modeling threats in user stories (business and technical)
• Integrated security testing
• Incorporating experiences from Scrum teams at AGT
R&D (incl. explicit vs. implicit stories)
Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 15
16. Contacts:
Thoralf J. Klatt tjklatt@agtinternational.com
Dr. Mario Lischka mlischka@agtinternational.com
Dr. Panayotis Kikiras pkikiras@agtinternational.com
16