Table of Contents for
Agile Application Security
Close
Version ebook
/
Retour
Agile Application Security
by Laura Bell
Published by O'Reilly Media, Inc., 2017
nav
Cover
Agile Application Security
Agile Application Security
Preface
1. Getting Started with Security
2. Agile Enablers
3. Welcome to the Agile Revolution
4. Working with Your Existing Agile Life Cycle
5. Security and Requirements
6. Agile Vulnerability Management
7. Risk for Agile Teams
8. Threat Assessments and Understanding Attacks
9. Building Secure and Usable Systems
10. Code Review for Security
11. Agile Security Testing
12. External Reviews, Testing, and Advice
13. Operations and OpSec
14. Compliance
15. Security Culture
16. What Does Agile Security Mean?
Index
About the Authors
Colophon
Preface
Who Should Read This Book
The Agile Practitioner
The Security Practitioner
The Agile Security Practitioner
Navigating This Book
Part 1: Fundamentals
Part 2: Agile and Security
Part 3: Pulling It All Together
Conventions Used in This Book
O’Reilly Safari
How to Contact Us
Acknowledgments
1. Getting Started with Security
This Isn’t Just a Technology Problem
Not Just for Geeks
Security Is About Risk
Vulnerability: Likelihood and Impact
We Are All Vulnerable
Not Impossible, Just Improbable
Measuring the Cost
Risk Can Be Minimized, Not Avoided
An Imperfect World Means Hard Decisions
Threat Actors and Knowing Your Enemy
There Is an Attacker for Everyone
Motivation, Resources, Access
Security Values: Protecting Our Data, Systems, and People
Know What You Are Trying to Protect
Confidentiality, Integrity, and Availability
Nonrepudiation
Compliance, Regulation, and Security Standards
Common Security Misconceptions or Mistakes
Security Is Absolute
Security Is a Point That Can Be Reached
Security Is Static
Security Requires Special [Insert Item/Device/Budget]
Let’s Get Started
2. Agile Enablers
Build Pipeline
Automated Testing
Continuous Integration
Infrastructure as Code
Release Management
Visible Tracking
Centralized Feedback
The Only Good Code Is Deployed Code
Operating Safely and at Speed
3. Welcome to the Agile Revolution
Agile: A Potted Landscape
Scrum, the Most Popular of Agile Methodologies
Sprints and Backlogs
Stand-ups
Scrum Feedback Loops
Extreme Programming
The Planning Game
The On-Site Customer
Pair Programming
Test-Driven Development
Shared Design Metaphor
Kanban
Kanban Board: Make Work Visible
Constant Feedback
Continuous Improvement
Lean
Agile Methods in General
What About DevOps?
Agile and Security
4. Working with Your Existing Agile Life Cycle
Traditional Application Security Models
Per-Iteration Rituals
Tools Embedded in the Life Cycle
Pre-Iteration Involvement
Tooling for Planning and Discovery
Post-Iteration Involvement
Tools to Enable the Team
Compliance and Audit Tools
Setting Secure Baselines
What About When You Scale?
Building Security Teams That Enable
Building Tools That People Will Use
Documenting Security Techniques
Key Takeaways
5. Security and Requirements
Dealing with Security in Requirements
Agile Requirements: Telling Stories
What Do Stories Look Like?
Conditions of Satisfaction
Tracking and Managing Stories: The Backlog
Dealing with Bugs
Getting Security into Requirements
Security Stories
Privacy, Fraud, Compliance, and Encryption
SAFECode Security Stories
Security Personas and Anti-Personas
Attacker Stories: Put Your Black Hat On
Writing Attacker Stories
Attack Trees
Building an Attack Tree
Maintaining and Using Attack Trees
Infrastructure and Operations Requirements
Key Takeaways
6. Agile Vulnerability Management
Vulnerability Scanning and Patching
First, Understand What You Need to Scan
Then Decide How to Scan and How Often
Tracking Vulnerabilities
Managing Vulnerabilities
Dealing with Critical Vulnerabilities
Securing Your Software Supply Chain
Vulnerabilities in Containers
Fewer, Better Suppliers
How to Fix Vulnerabilities in an Agile Way
Test-Driven Security
Zero Bug Tolerance
Collective Code Ownership
Security Sprints, Hardening Sprints, and Hack Days
Taking On and Paying Down Security Debt
Key Takeaways
7. Risk for Agile Teams
Security Says, No
Understanding Risks and Risk Management
Risks and Threats
Dealing with Risk
Making Risks Visible
Accepting and Transferring Risks
Changing Contexts for Risks
Risk Management in Agile and DevOps
Speed of Delivery
Incremental Design and Refactoring
Self-Organized, Autonomous Teams
Automation
Agile Risk Mitigation
Handling Security Risks in Agile and DevOps
Key Takeaways
8. Threat Assessments and Understanding Attacks
Understanding Threats: Paranoia and Reality
Understanding Threat Actors
Threat Actor Archetypes
Threats and Attack Targets
Threat Intelligence
Threat Assessment
Your System’s Attack Surface
Mapping Your Application Attack Surface
Managing Your Application Attack Surface
Agile Threat Modeling
Understanding Trust and Trust Boundaries
Building Your Threat Model
“Good Enough” Is Good Enough
Thinking Like an Attacker
STRIDE: A Structured Model to Understand Attackers
Incremental Threat Modeling and Risk Assessments
Assess Risks Up Front
Review Threats as the Design Changes
Getting Value Out of Threat Modeling
Common Attack Vectors
Key Takeaways
9. Building Secure and Usable Systems
Design to Resist Compromise
Security Versus Usability
Technical Controls
Deterrent Controls
Resistive Controls
Protective Controls
Detective Controls
Compensating Controls
Security Architecture
Perimeterless Security
Assume Compromised
Complexity and Security
Key Takeaways
10. Code Review for Security
Why Do We Need to Review Code?
Types of Code Reviews
Formal Inspections
Rubber Ducking or Desk Checking
Pair Programming (and Mob Programming)
Peer Code Reviews
Code Audits
Automated Code Reviews
What Kind of Review Approach Works Best for Your Team?
When Should You Review Code?
Before Code Changes Are Committed
Gated Checks Before Release
Postmortem and Investigation
How to Review Code
Take Advantage of Coding Guidelines
Using Code Review Checklists
Don’t Make These Mistakes
Review Code a Little Bit at a Time
What Code Needs to Be Reviewed?
Who Needs to Review Code?
How Many Reviewers?
What Experience Do Reviewers Need?
Automated Code Reviews
Different Tools Find Different Problems
What Tools Are Good For, and What They’re Not Good For
Getting Developers to Use Automated Code Reviews
Self-Service Scanning
Reviewing Infrastructure Code
Code Review Challenges and Limitations
Reviews Take Time
Understanding Somebody Else’s Code Is Hard
Finding Security Vulnerabilities Is Even Harder
Adopting Secure Code Reviews
Build on What the Team Is Doing, or Should Be Doing
Refactoring: Keeping Code Simple and Secure
Fundamentals Will Take You a Long Way to Secure, Safe Code
Reviewing Security Features and Controls
Reviewing Code for Insider Threats
Key Takeaways
11. Agile Security Testing
How Is Testing Done in Agile?
If You Got Bugs, You’ll Get Pwned
The Agile Test Pyramid
Unit Testing and TDD
What Unit Testing Means to System Security
Get Off the Happy Path
Service-Level Testing and BDD Tools
Gauntlt (“Be Mean to Your Code”)
BDD-Security
Let’s Look Under the Covers
Acceptance Testing
Functional Security Testing and Scanning
ZAP Tutorial
ZAP in Continuous Integration
BDD-Security and ZAP Together
Challenges with Application Scanning
Testing Your Infrastructure
Linting
Unit Testing
Acceptance Testing
Creating an Automated Build and Test Pipeline
Nightly Build
Continuous Integration
Continuous Delivery and Continuous Deployment
Out-of-Band Testing and Reviews
Promoting to Production
Guidelines for Creating a Successful Automated Pipeline
Where Security Testing Fits Into Your Pipeline
A Place for Manual Testing in Agile
How Do You Make Security Testing Work in Agile and DevOps?
Key Takeaways
12. External Reviews, Testing, and Advice
Why Do We Need External Reviews?
Vulnerability Assessment
Penetration Testing
Red Teaming
Bug Bounties
How Bug Bounties Work
Setting Up a Bug Bounty Program
Are You Sure You Want to Run a Bug Bounty?
Configuration Review
Secure Code Audit
Crypto Audit
Choosing an External Firm
Experience with Products and Organizations Like Yours
Actively Researching or Updating Skills
Meet the Technical People
Getting Your Money’s Worth
Don’t Waste Their Time
Challenge the Findings
Insist on Results That Work for You
Put Results into Context
Include the Engineering Team
Measure Improvement Over Time
Hold Review/Retrospective/Sharing Events and Share the Results
Spread Remediation Across Teams to Maximize Knowledge Transfer
Rotate Firms or Swap Testers over Time
Key Takeaways
13. Operations and OpSec
System Hardening: Setting Up Secure Systems
Regulatory Requirements for Hardening
Hardening Standards and Guidelines
Challenges with Hardening
Automated Compliance Scanning
Approaches for Building Hardened Systems
Automated Hardening Templates
Network as Code
Monitoring and Intrusion Detection
Monitoring to Drive Feedback Loops
Using Application Monitoring for Security
Auditing and Logging
Proactive Versus Reactive Detection
Catching Mistakes at Runtime
Runtime Defense
Cloud Security Protection
RASP
Incident Response: Preparing for Breaches
Get Your Exercise: Game Days and Red Teaming
Blameless Postmortems: Learning from Security Failures
Securing Your Build Pipeline
Harden Your Build infrastructure
Understand What’s in the Cloud
Harden Your CI/CD Tools
Lock Down Configuration Managers
Protect Keys and Secrets
Lock Down Repos
Secure Chat
Review the Logs
Use Phoenix Servers for Build and Test
Monitor Your Build and Test Systems
Shh…Keeping Secrets Secret
Key Takeaways
14. Compliance
Compliance and Security
Different Regulatory Approaches
PCI DSS: Rules-Based
Reg SCI: Outcome-Based
Which Approach Is Better?
Risk Management and Compliance
Traceability of Changes
Data Privacy
How to Meet Compliance and Stay Agile
Compliance Stories and Compliance in Stories
More Code, Less Paperwork
Traceability and Assurance in Continuous Delivery
Managing Changes in Continuous Delivery
Dealing with Separation of Duties
Building Compliance into Your Culture
Keeping Auditors Happy
Dealing with Auditors When They Aren’t Happy
Certification and Attestation
Continuous Compliance and Breaches
Certification Doesn’t Mean That You Are Secure
Key Takeaways
15. Security Culture
The Importance of Security Culture
Defining “Culture”
Push, Don’t Pull
Building a Security Culture
Principles of Effective Security
Enable, Don’t Block
Transparently Secure
Don’t Play the Blame Game
Scale Security, Empower the Edges
The Who Is Just as Important as the How
Security Outreach
Securgonomics
Dashboards
Key Takeaways
16. What Does Agile Security Mean?
Laura’s Story
Not an Engineer but a Hacker
Your Baby Is Ugly and You Should Feel Bad
Speak Little, Listen Much
Let’s Go Faster
Creating Fans and Friends
We Are Small, but We Are Many
Jim’s Story
You Can Build Your Own Security Experts
Choose People over Tools
Security Has to Start with Quality
You Can Make Compliance an Everyday Thing
Michael’s Story
Security Skills Are Unevenly Distributed
Security Practitioners Need to Get a Tech Refresh
Accreditation and Assurance Are Dying
Security Is an Enabler
Rich’s Story
The First Time Is Free
This Can Be More Than a Hobby?
A Little Light Bulb
Computers Are Hard, People Are Harder
And Now, We’re Here
Index
Agile Application Security
Published by
O'Reilly Media, Inc., 2017