Achieving Security by Shifting Left in Agile

2021-09-24

Authors: Bhushan B Gupta

Summary

The main thesis of the conference presentation is to bring security elements into the agile development life cycle so that problems are caught earlier and risks are mitigated. The speaker emphasizes including security stories in the backlog, conducting security risk assessments, and testing throughout the life cycle with both SAST and DAST tools. The anecdote provided highlights the consequences of not addressing vulnerabilities early, such as breaches that can take up to 266 days to contain and cost a significant amount of money. The speaker also quotes technology evangelist Liz Rice and participant Gemanico to emphasize the importance of involving software engineers in security engineering early on.
  • Constant threat of hacking in all areas of life
  • Multiple areas of vulnerabilities being exploited
  • Penetration testing is not effective enough
  • Bring security elements into the agile development life cycle
  • Include security stories in the backlog
  • Conduct security risk assessments
  • Test throughout the life cycle using both SAST and DAST tools
  • Prioritize high-risk stories
  • Chaos engineering can help prepare for release
  • Involving software engineers in security engineering early on

Abstract

We owe it to ourselves to ingrain application security in the software development life cycle (SDLC) to prevent breaches and loss of life. Agile software development is prevalent in our industry. The backbone of the agile practice is a backlog of stories grouped as an epic, which is subsequently implemented as a set of features and stories. A holistic approach to building a secure web application is to include security-related personas (actors) and develop stories (use cases) with respect to these personas. A typical set of security personas includes a hacker, a security engineer representing the functional security requirements, industry compliance such as PCI, local and federal government standards, and any international mandates such as GDPR. Once identified, these stories are prioritized in order of threat using the STRIDE method. They are then developed like any other stories (functional and UX) and validated at different stages using standard practices such as code review, static and dynamic code analysis, and penetration testing. By enabling this approach, we are truly shifting security left in software development and raising the level of confidence.

Using a web application under development, this paper will illustrate how to create application security stories related to the personas, develop acceptance criteria, establish test cases, identify different types of testing at various stages in the SDLC, and create and execute a test plan. It will also discuss the processes and the tools needed to achieve a high-confidence secure application. The audience will learn:

1. How to create a set of stories for security-related personas
2. How to build acceptance criteria, security controls, test cases including negative testing, and a test plan
3. Which tools to use at different stages of the life cycle and how to use their results to make testing even more efficient
4. How to create an overall more secure web application
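The persona-to-story-to-STRIDE flow described in the abstract, as an added example (not the talk's or the author's own code): a small backlog of security stories tagged with their persona and the STRIDE threats they mitigate, ranked by a constructed likelihood-times-threat-weight score, with one story's acceptance criteria expressed as executable negative tests against a hypothetical checkout handler. The STRIDE weights, the 1..5 likelihood scale and the `checkout` function are assumptions made for this example.

```python
"""Security stories in an agile backlog: STRIDE-based prioritisation plus
negative tests as acceptance criteria (added example; scoring is assumed)."""
from dataclasses import dataclass, field

# Assumed threat weights per STRIDE category (not part of the STRIDE method itself)
STRIDE_WEIGHT = {"Spoofing": 5, "Tampering": 5, "Repudiation": 2,
                 "Information disclosure": 4, "Denial of service": 3,
                 "Elevation of privilege": 5}


@dataclass
class SecurityStory:
    persona: str                 # hacker, security engineer, PCI, GDPR, ...
    title: str
    threats: list                # STRIDE categories the story mitigates
    likelihood: int              # assumed 1..5 scale from the risk assessment
    acceptance: list = field(default_factory=list)  # named negative tests

    def risk(self) -> int:
        # Highest-weighted STRIDE category scaled by likelihood
        return self.likelihood * max(STRIDE_WEIGHT[t] for t in self.threats)


def prioritise(backlog):
    """Return the backlog ordered highest risk first (high-risk stories first)."""
    return sorted(backlog, key=lambda s: s.risk(), reverse=True)


# Hypothetical server-side handler targeted by the tampering story
def checkout(cart, client_total, catalogue):
    server_total = sum(catalogue[sku] * qty for sku, qty in cart.items())
    if client_total != server_total:
        raise ValueError("client total does not match server total")
    return server_total


def acceptance_checks():
    """Negative tests derived from the 'tamper with cart total' story."""
    catalogue = {"sku1": 10, "sku2": 25}           # constructed sample data
    cart = {"sku1": 2, "sku2": 1}                  # honest total is 45
    results = {"honest_total_accepted": checkout(cart, 45, catalogue) == 45}
    try:
        checkout(cart, 1, catalogue)               # tampered client total
        results["tampered_total_rejected"] = False
    except ValueError:
        results["tampered_total_rejected"] = True
    return results


BACKLOG = [
    SecurityStory("hacker", "Tamper with cart total", ["Tampering"], 5,
                  ["tampered_total_rejected", "honest_total_accepted"]),
    SecurityStory("GDPR", "Audit trail for personal-data export", ["Repudiation"], 3),
    SecurityStory("PCI", "Mask card numbers in logs", ["Information disclosure"], 5),
    SecurityStory("security engineer", "Rate-limit login",
                  ["Denial of service", "Spoofing"], 3),
]
```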

Materials: