SlideShare une entreprise Scribd logo

Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation

Thoralf J. Klatt
Thoralf J. Klatt

Developing secure software is a complex and asymmetrical endeavor since it requires high level of technical expertise in order to mitigate known risks and vulnerabilities of today and to withstand attacks from the unknown threats of tomorrow. The traditional way of securing software is based on thorough threat analysis, extensive capture of the security requirements and detailed planning of the mitigations. This highly formulated approach is contradictory in many aspects to the principles of Lean and Agile software development. In this talk we are presenting a context sensitive framework of secure software deployment that is based on the principles of Lean development like eliminating waste, amplified learning, late decisions and fast deliveries without making any compromises regarding security. Our approach is focusing on providing product owners with detailed information about the impact of threats to products and the cost of mitigations, allowing them to assess and prioritize security items using the same criteria as any other item in their product backlog. Thoralf J. Klatt, Mario Lischka, Panayotis Kikiras

1  sur  16
Télécharger pour lire hors ligne
Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation Thoralf J. Klatt Mario Lischka Panayotis Kikiras Software-Qualität und Smart Cities - Herausforderungen und Chancen Berlin 15-16 October 2012 1
Agenda • Lean Principles and Agile Development • Usable Security • Secure software development in Agile environment • Prioritizing Security • Conclusions Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 2
Lean Thinking in Agile Development • Eliminate Waste does it add end user value? • Amplify Learning validated learning • Decide as Late as Possible real options • Deliver as Fast as Possible fast learning • Empower the Team mastery, autonomy, purpose • Build Integrity In perceived and conceptual integrity • See the Whole simplify structure, optimize behaviour Nordic Reading: http://www.fokkusu.fi/agile-security/ Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 3
Definition of Secure Secure product is one that protects the confidentiality, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the system’s owner or administrator. -- Source: Writing Secure Code (Michael Howard, David LeBlanc) Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 4
Security is mainly a software problem • Depending on the source, an estimated 70% to 92% of security breaches result from vulnerabilities in software. • Network Security Layer is adequately addressed (firewalls, IDS, IPS, Antivirus). • A new star is rising though … The end user Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 5
Incentives to Improve Source: Fundamentals of Secure Architecture – online available at https://knowledge.elementk.com Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 6
Where is Scrum now? • Early and continuous delivery of valuable software • Welcome changing requirements, even late in development • Build projects around motivated individuals and trust them to get the job done. • Working software as the primary measure of progress • Continuous attention to technical excellence and good design • Simplicity—maximizing the amount of work not done • The best architectures, requirements, and designs emerge from self-organizing teams • At regular intervals, the team reflects on, tunes, and adjusts its behavior Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 7
Where are you now? • You trust that your teams are doing their best for security. • Do they? • No specific care being taken in designing for security unless the customer requires that • Does it happen now? • How a PO prioritizes security if not required by the customer? Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 8
Usable Security to Eliminate Waste • Customers in general never ask for security directly • The product is expected to be secure • As a service to protect the business case • Sometimes customers and security specialists are overexaggerating • Teams should provide built-in solutions based on thorough Risk Analysis and Threat Assessment • UX: simplify structure, enrich functionality Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 9
Securing Scrum Security User Stories Data Threats & Flow & Risks Retrospective Threat Analysis Sprint Imple Prod tation men uct Continuous Security Tests Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 10
Prioritizing Security: Risk – Adjusted Backlog • Project Risks – security threats are like anti-value • If a risk occurs, takes time and resources away from activities that deliver value. • Therefore not only plan to deliver high value early but plan to execute risk avoidance and mitigation activities early too! • Risk management great fit in Agile development • Through iterations we can tackle high-risk areas sooner than later • Deal with threats when still exists time and budget to work with them • Reduces the amount of effort invested in work that may end up scraped. Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 11
A security risk can be prioritized like any other feature Prioritized Feature list with ROI Values Prioritized Risk list –Ordered by Severity Risk i Risk 1 Must 5000€ (Risk Impact (in€,points)XRisk (9000€X50%=4500€) Propability (in %)) Risk 2 Must 4000€ (8000€X50%=4000€) Risk 3 Should 3000€ (3000€X25%=1500€) Risk 4 Should 2000€ (2500€X25%=625€) Risk 5 Could 1000€ (500€X20%=100€) Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 12
Risk-adjusted Backlog Prioritized risk list Prioritized requirements Risk Adjusted list Backlog Risk 1 Requirement 1 Requirement 1 (9000€X50%=4500€) 5000 5000 Risk 2 Requirement 2 Risk 1 (8000€X50%=4000€) 4000 (9000€X50%=4500 €) Risk 3 Requirement 3 Requirement 2 (3000€X25%=1500€) 3000 4000 Risk 4 Requirement 4 Risk 2 (2500€X25%=625€) 2000 (8000€X50%=4000 €) Risk 5 Requirement 5 Requirement 3 (500€X20%=100€) 1000 3000 Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 13
Analyze the Dataflow • Realization of User Stories whose acceptance criteria requires detailed look on potential threats • Dataflow and STRIDE Analysis support identification of threats Spoofing of Identity T M Tampering Repudiation Information Disclosure Denial of Service Elevation of privilege S M E M STRIDE R M Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 14
Conclusions • Also part of the Security Scrum process • Continuous Integration Testing • Explicit regression for acceptance criteria • Code Analysis (SAN 25) • Fuzzy Testing • Secure Coding Guidelines • Adding Security to Scrum process is necessary and possible • Backlog Prioritization based on identified Risks • Modeling threats in user stories (business and technical) • Integrated security testing • Incorporating experiences from Scrum teams at AGT R&D (incl. explicit vs. implicit stories) Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 15
Contacts: Thoralf J. Klatt tjklatt@agtinternational.com Dr. Mario Lischka mlischka@agtinternational.com Dr. Panayotis Kikiras pkikiras@agtinternational.com 16

Recommandé

How do you survive the radical shift towards inversion of responsibility and ...
How do you survive the radical shift towards inversion of responsibility and ...How do you survive the radical shift towards inversion of responsibility and ...
How do you survive the radical shift towards inversion of responsibility and ...Thoralf J. Klatt
 
Invoice automation webinar 2: Quality of invoice data
Invoice automation webinar 2: Quality of invoice dataInvoice automation webinar 2: Quality of invoice data
Invoice automation webinar 2: Quality of invoice dataOpusCapita
 
Webinar: Why Peppol matters for your e-invoicing
Webinar: Why Peppol matters for your e-invoicingWebinar: Why Peppol matters for your e-invoicing
Webinar: Why Peppol matters for your e-invoicingOpusCapita
 
Win Friends and Influence People... with DSLs
Win Friends and Influence People... with DSLsWin Friends and Influence People... with DSLs
Win Friends and Influence People... with DSLsVladimir Bacvanski, PhD
 
Noor
NoorNoor
NoorNASAPMC
 
Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...
Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...
Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...Flink Forward
 
Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...
Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...
Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...University of Applied Sciences St. Gallen
 
Information Security in the Gaming World
Information Security in the Gaming WorldInformation Security in the Gaming World
Information Security in the Gaming WorldDimitrios Stergiou
 

Recommandé

How do you survive the radical shift towards inversion of responsibility and ...
How do you survive the radical shift towards inversion of responsibility and ...How do you survive the radical shift towards inversion of responsibility and ...
How do you survive the radical shift towards inversion of responsibility and ...Thoralf J. Klatt
 
Invoice automation webinar 2: Quality of invoice data
Invoice automation webinar 2: Quality of invoice dataInvoice automation webinar 2: Quality of invoice data
Invoice automation webinar 2: Quality of invoice dataOpusCapita
 
Webinar: Why Peppol matters for your e-invoicing
Webinar: Why Peppol matters for your e-invoicingWebinar: Why Peppol matters for your e-invoicing
Webinar: Why Peppol matters for your e-invoicingOpusCapita
 
Win Friends and Influence People... with DSLs
Win Friends and Influence People... with DSLsWin Friends and Influence People... with DSLs
Win Friends and Influence People... with DSLsVladimir Bacvanski, PhD
 
Noor
NoorNoor
NoorNASAPMC
 
Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...
Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...
Flink Forward SF 2017: Erik de Nooij - StreamING models, how ING adds models ...Flink Forward
 
Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...
Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...
Improving Supply Chain-Management based on Semantically Enriched Risk Descrip...University of Applied Sciences St. Gallen
 
Information Security in the Gaming World
Information Security in the Gaming WorldInformation Security in the Gaming World
Information Security in the Gaming WorldDimitrios Stergiou
 
Risk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportRisk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportGlobal Risk Forum GRFDavos
 
Introduction - The Smart Protection Network
Introduction - The Smart Protection NetworkIntroduction - The Smart Protection Network
Introduction - The Smart Protection NetworkAndrew Wong
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009Vladimir Jirasek
 
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...rahmatmoelyana
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 
Building Applications For The Cloud
Building Applications For The CloudBuilding Applications For The Cloud
Building Applications For The CloudToddy Mladenov
 
Cloud and the Enterprise Risk Profile
Cloud and the Enterprise Risk ProfileCloud and the Enterprise Risk Profile
Cloud and the Enterprise Risk ProfileAmazon Web Services
 
Continuous Monitoring 2.0
Continuous Monitoring 2.0Continuous Monitoring 2.0
Continuous Monitoring 2.0nCircle - a Tripwire Company
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...Cyber Security Alliance
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...cVidya Networks
 
Understanding and Managing Risk in Complex Supply Chain Projects
Understanding and Managing Risk in Complex Supply Chain ProjectsUnderstanding and Managing Risk in Complex Supply Chain Projects
Understanding and Managing Risk in Complex Supply Chain ProjectsDerek Hill
 
recycle조 사업아이디어
recycle조 사업아이디어recycle조 사업아이디어
recycle조 사업아이디어crableg
 
Risk Management_TRAINING
Risk Management_TRAININGRisk Management_TRAINING
Risk Management_TRAININGKanaidi ken
 
Where worlds collide: Agile, Project Management, Risk and Cloud?
Where worlds collide: Agile, Project Management, Risk and Cloud?Where worlds collide: Agile, Project Management, Risk and Cloud?
Where worlds collide: Agile, Project Management, Risk and Cloud?Livingstone Advisory
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Skybox Security
 
Uncertainty, Risk, and Information Value in Software Requirements and Archite...
Uncertainty, Risk, and Information Value in Software Requirements and Archite...Uncertainty, Risk, and Information Value in Software Requirements and Archite...
Uncertainty, Risk, and Information Value in Software Requirements and Archite...Emmanuel Letier
 
패션어플 recycle
패션어플 recycle패션어플 recycle
패션어플 recyclecrableg
 
Managing Risk in IT
Managing Risk in ITManaging Risk in IT
Managing Risk in ITNTEN
 
La gestion de projet dans l'industrie 4.0
La gestion de projet dans l'industrie 4.0La gestion de projet dans l'industrie 4.0
La gestion de projet dans l'industrie 4.0PMI-Montréal
 
Abac17 prosun-slides
Abac17 prosun-slidesAbac17 prosun-slides
Abac17 prosun-slidesUT, San Antonio
 

Contenu connexe

Similaire à Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation

Risk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportRisk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportGlobal Risk Forum GRFDavos
 
Introduction - The Smart Protection Network
Introduction - The Smart Protection NetworkIntroduction - The Smart Protection Network
Introduction - The Smart Protection NetworkAndrew Wong
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009Vladimir Jirasek
 
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...rahmatmoelyana
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 
Building Applications For The Cloud
Building Applications For The CloudBuilding Applications For The Cloud
Building Applications For The CloudToddy Mladenov
 
Cloud and the Enterprise Risk Profile
Cloud and the Enterprise Risk ProfileCloud and the Enterprise Risk Profile
Cloud and the Enterprise Risk ProfileAmazon Web Services
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...Cyber Security Alliance
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...cVidya Networks
 
Understanding and Managing Risk in Complex Supply Chain Projects
Understanding and Managing Risk in Complex Supply Chain ProjectsUnderstanding and Managing Risk in Complex Supply Chain Projects
Understanding and Managing Risk in Complex Supply Chain ProjectsDerek Hill
 
recycle조 사업아이디어
recycle조 사업아이디어recycle조 사업아이디어
recycle조 사업아이디어crableg
 
Risk Management_TRAINING
Risk Management_TRAININGRisk Management_TRAINING
Risk Management_TRAININGKanaidi ken
 
Where worlds collide: Agile, Project Management, Risk and Cloud?
Where worlds collide: Agile, Project Management, Risk and Cloud?Where worlds collide: Agile, Project Management, Risk and Cloud?
Where worlds collide: Agile, Project Management, Risk and Cloud?Livingstone Advisory
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Skybox Security
 
Uncertainty, Risk, and Information Value in Software Requirements and Archite...
Uncertainty, Risk, and Information Value in Software Requirements and Archite...Uncertainty, Risk, and Information Value in Software Requirements and Archite...
Uncertainty, Risk, and Information Value in Software Requirements and Archite...Emmanuel Letier
 
패션어플 recycle
패션어플 recycle패션어플 recycle
패션어플 recyclecrableg
 
Managing Risk in IT
Managing Risk in ITManaging Risk in IT
Managing Risk in ITNTEN
 
La gestion de projet dans l'industrie 4.0
La gestion de projet dans l'industrie 4.0La gestion de projet dans l'industrie 4.0
La gestion de projet dans l'industrie 4.0PMI-Montréal
 

Similaire à Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation (20)

Risk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportRisk engineering decision tools for risk management support
Risk engineering decision tools for risk management support
 
Introduction - The Smart Protection Network
Introduction - The Smart Protection NetworkIntroduction - The Smart Protection Network
Introduction - The Smart Protection Network
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
 
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk...
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
 
Building Applications For The Cloud
Building Applications For The CloudBuilding Applications For The Cloud
Building Applications For The Cloud
 
Cloud and the Enterprise Risk Profile
Cloud and the Enterprise Risk ProfileCloud and the Enterprise Risk Profile
Cloud and the Enterprise Risk Profile
 
Continuous Monitoring 2.0
Continuous Monitoring 2.0Continuous Monitoring 2.0
Continuous Monitoring 2.0
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
 
Understanding and Managing Risk in Complex Supply Chain Projects
Understanding and Managing Risk in Complex Supply Chain ProjectsUnderstanding and Managing Risk in Complex Supply Chain Projects
Understanding and Managing Risk in Complex Supply Chain Projects
 
recycle조 사업아이디어
recycle조 사업아이디어recycle조 사업아이디어
recycle조 사업아이디어
 
Risk Management_TRAINING
Risk Management_TRAININGRisk Management_TRAINING
Risk Management_TRAINING
 
Where worlds collide: Agile, Project Management, Risk and Cloud?
Where worlds collide: Agile, Project Management, Risk and Cloud?Where worlds collide: Agile, Project Management, Risk and Cloud?
Where worlds collide: Agile, Project Management, Risk and Cloud?
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
 
Uncertainty, Risk, and Information Value in Software Requirements and Archite...
Uncertainty, Risk, and Information Value in Software Requirements and Archite...Uncertainty, Risk, and Information Value in Software Requirements and Archite...
Uncertainty, Risk, and Information Value in Software Requirements and Archite...
 
패션어플 recycle
패션어플 recycle패션어플 recycle
패션어플 recycle
 
Managing Risk in IT
Managing Risk in ITManaging Risk in IT
Managing Risk in IT
 
La gestion de projet dans l'industrie 4.0
La gestion de projet dans l'industrie 4.0La gestion de projet dans l'industrie 4.0
La gestion de projet dans l'industrie 4.0
 
Abac17 prosun-slides
Abac17 prosun-slidesAbac17 prosun-slides
Abac17 prosun-slides
 

Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation

  • 1. Applying Lean Principles to Overcome Challenges of Software Security in Agile Mode of Operation Thoralf J. Klatt Mario Lischka Panayotis Kikiras Software-Qualität und Smart Cities - Herausforderungen und Chancen Berlin 15-16 October 2012 1
  • 2. Agenda • Lean Principles and Agile Development • Usable Security • Secure software development in Agile environment • Prioritizing Security • Conclusions Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 2
  • 3. Lean Thinking in Agile Development • Eliminate Waste does it add end user value? • Amplify Learning validated learning • Decide as Late as Possible real options • Deliver as Fast as Possible fast learning • Empower the Team mastery, autonomy, purpose • Build Integrity In perceived and conceptual integrity • See the Whole simplify structure, optimize behaviour Nordic Reading: http://www.fokkusu.fi/agile-security/ Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 3
  • 4. Definition of Secure Secure product is one that protects the confidentiality, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the system’s owner or administrator. -- Source: Writing Secure Code (Michael Howard, David LeBlanc) Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 4
  • 5. Security is mainly a software problem • Depending on the source, an estimated 70% to 92% of security breaches result from vulnerabilities in software. • Network Security Layer is adequately addressed (firewalls, IDS, IPS, Antivirus). • A new star is rising though … The end user Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 5
  • 6. Incentives to Improve Source: Fundamentals of Secure Architecture – online available at https://knowledge.elementk.com Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 6
  • 7. Where is Scrum now? • Early and continuous delivery of valuable software • Welcome changing requirements, even late in development • Build projects around motivated individuals and trust them to get the job done. • Working software as the primary measure of progress • Continuous attention to technical excellence and good design • Simplicity—maximizing the amount of work not done • The best architectures, requirements, and designs emerge from self-organizing teams • At regular intervals, the team reflects on, tunes, and adjusts its behavior Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 7
  • 8. Where are you now? • You trust that your teams are doing their best for security. • Do they? • No specific care being taken in designing for security unless the customer requires that • Does it happen now? • How a PO prioritizes security if not required by the customer? Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 8
  • 9. Usable Security to Eliminate Waste • Customers in general never ask for security directly • The product is expected to be secure • As a service to protect the business case • Sometimes customers and security specialists are overexaggerating • Teams should provide built-in solutions based on thorough Risk Analysis and Threat Assessment • UX: simplify structure, enrich functionality Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 9
  • 10. Securing Scrum Security User Stories Data Threats & Flow & Risks Retrospective Threat Analysis Sprint Imple Prod tation men uct Continuous Security Tests Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 10
  • 11. Prioritizing Security: Risk – Adjusted Backlog • Project Risks – security threats are like anti-value • If a risk occurs, takes time and resources away from activities that deliver value. • Therefore not only plan to deliver high value early but plan to execute risk avoidance and mitigation activities early too! • Risk management great fit in Agile development • Through iterations we can tackle high-risk areas sooner than later • Deal with threats when still exists time and budget to work with them • Reduces the amount of effort invested in work that may end up scraped. Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 11
  • 12. A security risk can be prioritized like any other feature Prioritized Feature list with ROI Values Prioritized Risk list –Ordered by Severity Risk i Risk 1 Must 5000€ (Risk Impact (in€,points)XRisk (9000€X50%=4500€) Propability (in %)) Risk 2 Must 4000€ (8000€X50%=4000€) Risk 3 Should 3000€ (3000€X25%=1500€) Risk 4 Should 2000€ (2500€X25%=625€) Risk 5 Could 1000€ (500€X20%=100€) Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 12
  • 13. Risk-adjusted Backlog Prioritized risk list Prioritized requirements Risk Adjusted list Backlog Risk 1 Requirement 1 Requirement 1 (9000€X50%=4500€) 5000 5000 Risk 2 Requirement 2 Risk 1 (8000€X50%=4000€) 4000 (9000€X50%=4500 €) Risk 3 Requirement 3 Requirement 2 (3000€X25%=1500€) 3000 4000 Risk 4 Requirement 4 Risk 2 (2500€X25%=625€) 2000 (8000€X50%=4000 €) Risk 5 Requirement 5 Requirement 3 (500€X20%=100€) 1000 3000 Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 13
  • 14. Analyze the Dataflow • Realization of User Stories whose acceptance criteria requires detailed look on potential threats • Dataflow and STRIDE Analysis support identification of threats Spoofing of Identity T M Tampering Repudiation Information Disclosure Denial of Service Elevation of privilege S M E M STRIDE R M Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 14
  • 15. Conclusions • Also part of the Security Scrum process • Continuous Integration Testing • Explicit regression for acceptance criteria • Code Analysis (SAN 25) • Fuzzy Testing • Secure Coding Guidelines • Adding Security to Scrum process is necessary and possible • Backlog Prioritization based on identified Risks • Modeling threats in user stories (business and technical) • Integrated security testing • Incorporating experiences from Scrum teams at AGT R&D (incl. explicit vs. implicit stories) Software-Qualität und Smart Cities - Herausforderungen und Chancen (16. Oct 2012) 15
  • 16. Contacts: Thoralf J. Klatt tjklatt@agtinternational.com Dr. Mario Lischka mlischka@agtinternational.com Dr. Panayotis Kikiras pkikiras@agtinternational.com 16