book

Agile Application Security

by Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird

September 2017

Intermediate to advanced

386 pages

11h

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who Should Read This BookThe Agile PractitionerThe Security PractitionerThe Agile Security PractitionerNavigating This BookPart 1: FundamentalsPart 2: Agile and SecurityPart 3: Pulling It All TogetherConventions Used in This BookO’Reilly SafariHow to Contact UsAcknowledgments
This Isn’t Just a Technology ProblemNot Just for GeeksSecurity Is About RiskVulnerability: Likelihood and ImpactWe Are All VulnerableNot Impossible, Just ImprobableMeasuring the CostRisk Can Be Minimized, Not AvoidedAn Imperfect World Means Hard DecisionsThreat Actors and Knowing Your EnemyThere Is an Attacker for EveryoneMotivation, Resources, AccessSecurity Values: Protecting Our Data, Systems, and PeopleKnow What You Are Trying to ProtectConfidentiality, Integrity, and AvailabilityNonrepudiationCompliance, Regulation, and Security StandardsCommon Security Misconceptions or MistakesSecurity Is AbsoluteSecurity Is a Point That Can Be ReachedSecurity Is StaticSecurity Requires Special [Insert Item/Device/Budget]Let’s Get Started
Build PipelineAutomated TestingContinuous IntegrationInfrastructure as CodeRelease ManagementVisible TrackingCentralized FeedbackThe Only Good Code Is Deployed CodeOperating Safely and at Speed
Agile: A Potted LandscapeScrum, the Most Popular of Agile MethodologiesSprints and BacklogsStand-upsScrum Feedback LoopsExtreme ProgrammingThe Planning GameThe On-Site CustomerPair ProgrammingTest-Driven DevelopmentShared Design MetaphorKanbanKanban Board: Make Work VisibleConstant FeedbackContinuous ImprovementLeanAgile Methods in GeneralWhat About DevOps?Agile and Security
Traditional Application Security ModelsPer-Iteration RitualsTools Embedded in the Life CyclePre-Iteration InvolvementTooling for Planning and DiscoveryPost-Iteration InvolvementTools to Enable the TeamCompliance and Audit ToolsSetting Secure BaselinesWhat About When You Scale?Building Security Teams That EnableBuilding Tools That People Will UseDocumenting Security TechniquesKey Takeaways
Dealing with Security in RequirementsAgile Requirements: Telling StoriesWhat Do Stories Look Like?Conditions of SatisfactionTracking and Managing Stories: The BacklogDealing with BugsGetting Security into RequirementsSecurity StoriesPrivacy, Fraud, Compliance, and EncryptionSAFECode Security StoriesSecurity Personas and Anti-PersonasAttacker Stories: Put Your Black Hat OnWriting Attacker StoriesAttack TreesBuilding an Attack TreeMaintaining and Using Attack TreesInfrastructure and Operations RequirementsKey Takeaways
Vulnerability Scanning and PatchingFirst, Understand What You Need to ScanThen Decide How to Scan and How OftenTracking VulnerabilitiesManaging VulnerabilitiesDealing with Critical VulnerabilitiesSecuring Your Software Supply ChainVulnerabilities in ContainersFewer, Better SuppliersHow to Fix Vulnerabilities in an Agile WayTest-Driven SecurityZero Bug ToleranceCollective Code OwnershipSecurity Sprints, Hardening Sprints, and Hack DaysTaking On and Paying Down Security DebtKey Takeaways
Security Says, NoUnderstanding Risks and Risk ManagementRisks and ThreatsDealing with RiskMaking Risks VisibleAccepting and Transferring RisksChanging Contexts for RisksRisk Management in Agile and DevOpsSpeed of DeliveryIncremental Design and RefactoringSelf-Organized, Autonomous TeamsAutomationAgile Risk MitigationHandling Security Risks in Agile and DevOpsKey Takeaways
Understanding Threats: Paranoia and RealityUnderstanding Threat ActorsThreat Actor ArchetypesThreats and Attack TargetsThreat IntelligenceThreat AssessmentYour System’s Attack SurfaceMapping Your Application Attack SurfaceManaging Your Application Attack SurfaceAgile Threat ModelingUnderstanding Trust and Trust BoundariesBuilding Your Threat Model“Good Enough” Is Good EnoughThinking Like an AttackerSTRIDE: A Structured Model to Understand AttackersIncremental Threat Modeling and Risk AssessmentsAssess Risks Up FrontReview Threats as the Design ChangesGetting Value Out of Threat ModelingCommon Attack VectorsKey Takeaways
Design to Resist CompromiseSecurity Versus UsabilityTechnical ControlsDeterrent ControlsResistive ControlsProtective ControlsDetective ControlsCompensating ControlsSecurity ArchitecturePerimeterless SecurityAssume CompromisedComplexity and SecurityKey Takeaways

Why Do We Need to Review Code?Types of Code ReviewsFormal InspectionsRubber Ducking or Desk CheckingPair Programming (and Mob Programming)Peer Code ReviewsCode AuditsAutomated Code ReviewsWhat Kind of Review Approach Works Best for Your Team?When Should You Review Code?Before Code Changes Are CommittedGated Checks Before ReleasePostmortem and InvestigationHow to Review CodeTake Advantage of Coding GuidelinesUsing Code Review ChecklistsDon’t Make These MistakesReview Code a Little Bit at a TimeWhat Code Needs to Be Reviewed?Who Needs to Review Code?How Many Reviewers?What Experience Do Reviewers Need?Automated Code ReviewsDifferent Tools Find Different ProblemsWhat Tools Are Good For, and What They’re Not Good ForGetting Developers to Use Automated Code ReviewsSelf-Service ScanningReviewing Infrastructure CodeCode Review Challenges and LimitationsReviews Take TimeUnderstanding Somebody Else’s Code Is HardFinding Security Vulnerabilities Is Even HarderAdopting Secure Code ReviewsBuild on What the Team Is Doing, or Should Be DoingRefactoring: Keeping Code Simple and SecureFundamentals Will Take You a Long Way to Secure, Safe CodeReviewing Security Features and ControlsReviewing Code for Insider ThreatsKey Takeaways
How Is Testing Done in Agile?If You Got Bugs, You’ll Get PwnedThe Agile Test PyramidUnit Testing and TDDWhat Unit Testing Means to System SecurityGet Off the Happy PathService-Level Testing and BDD ToolsGauntlt (“Be Mean to Your Code”)BDD-SecurityLet’s Look Under the CoversAcceptance TestingFunctional Security Testing and ScanningZAP TutorialZAP in Continuous IntegrationBDD-Security and ZAP TogetherChallenges with Application ScanningTesting Your InfrastructureLintingUnit TestingAcceptance TestingCreating an Automated Build and Test PipelineNightly BuildContinuous IntegrationContinuous Delivery and Continuous DeploymentOut-of-Band Testing and ReviewsPromoting to ProductionGuidelines for Creating a Successful Automated PipelineWhere Security Testing Fits Into Your PipelineA Place for Manual Testing in AgileHow Do You Make Security Testing Work in Agile and DevOps?Key Takeaways
Why Do We Need External Reviews?Vulnerability AssessmentPenetration TestingRed TeamingBug BountiesHow Bug Bounties WorkSetting Up a Bug Bounty ProgramAre You Sure You Want to Run a Bug Bounty?Configuration ReviewSecure Code AuditCrypto AuditChoosing an External FirmExperience with Products and Organizations Like YoursActively Researching or Updating SkillsMeet the Technical PeopleGetting Your Money’s WorthDon’t Waste Their TimeChallenge the FindingsInsist on Results That Work for YouPut Results into ContextInclude the Engineering TeamMeasure Improvement Over TimeHold Review/Retrospective/Sharing Events and Share the ResultsSpread Remediation Across Teams to Maximize Knowledge TransferRotate Firms or Swap Testers over TimeKey Takeaways
System Hardening: Setting Up Secure SystemsRegulatory Requirements for HardeningHardening Standards and GuidelinesChallenges with HardeningAutomated Compliance ScanningApproaches for Building Hardened SystemsAutomated Hardening TemplatesNetwork as CodeMonitoring and Intrusion DetectionMonitoring to Drive Feedback LoopsUsing Application Monitoring for SecurityAuditing and LoggingProactive Versus Reactive DetectionCatching Mistakes at RuntimeRuntime DefenseCloud Security ProtectionRASPIncident Response: Preparing for BreachesGet Your Exercise: Game Days and Red TeamingBlameless Postmortems: Learning from Security FailuresSecuring Your Build PipelineHarden Your Build infrastructureUnderstand What’s in the CloudHarden Your CI/CD ToolsLock Down Configuration ManagersProtect Keys and SecretsLock Down ReposSecure ChatReview the LogsUse Phoenix Servers for Build and TestMonitor Your Build and Test SystemsShh…Keeping Secrets SecretKey Takeaways
Compliance and SecurityDifferent Regulatory ApproachesPCI DSS: Rules-BasedReg SCI: Outcome-BasedWhich Approach Is Better?Risk Management and ComplianceTraceability of ChangesData PrivacyHow to Meet Compliance and Stay AgileCompliance Stories and Compliance in StoriesMore Code, Less PaperworkTraceability and Assurance in Continuous DeliveryManaging Changes in Continuous DeliveryDealing with Separation of DutiesBuilding Compliance into Your CultureKeeping Auditors HappyDealing with Auditors When They Aren’t HappyCertification and AttestationContinuous Compliance and BreachesCertification Doesn’t Mean That You Are SecureKey Takeaways
The Importance of Security CultureDefining “Culture”Push, Don’t PullBuilding a Security CulturePrinciples of Effective SecurityEnable, Don’t BlockTransparently SecureDon’t Play the Blame GameScale Security, Empower the EdgesThe Who Is Just as Important as the HowSecurity OutreachSecurgonomicsDashboardsKey Takeaways
Laura’s StoryNot an Engineer but a HackerYour Baby Is Ugly and You Should Feel BadSpeak Little, Listen MuchLet’s Go FasterCreating Fans and FriendsWe Are Small, but We Are ManyJim’s StoryYou Can Build Your Own Security ExpertsChoose People over ToolsSecurity Has to Start with QualityYou Can Make Compliance an Everyday ThingMichael’s StorySecurity Skills Are Unevenly DistributedSecurity Practitioners Need to Get a Tech RefreshAccreditation and Assurance Are DyingSecurity Is an EnablerRich’s StoryThe First Time Is FreeThis Can Be More Than a Hobby?A Little Light BulbComputers Are Hard, People Are HarderAnd Now, We’re Here

Overview

Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques. And most security professionals aren’t up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development.

Written by security experts and agile veterans, this book begins by introducing security principles to agile practitioners, and agile principles to security practitioners. The authors also reveal problems they encountered in their own experiences with agile security, and how they worked to solve them.

You’ll learn how to:

Add security practices to each stage of your existing development lifecycle
Integrate security with planning, requirements, design, and at the code level
Include security testing as part of your team’s effort to deliver working software in each release
Implement regulatory compliance in an agile or DevOps environment
Build an effective security program through a culture of empathy, openness, transparency, and collaboration