Case Study: 10 Steps to Agile Development without Compromising Enterprise Security

Presented at AppSec USA 2013, Nov. 20, 2013, noon (50 minutes)

Video of session: https://www.youtube.com/watch?v=Y31qgnF-Bzg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=30 In an Agile, fast paced environment with frequent product releases, security code reviews & testing is usually considered a delaying factor that conflicts with success. Is it possible to keep up with the high-end demands of continuous integration and deployment without abandoning security best practices? We started our journey seeking a way to reduce friction, risk and cost driven from identifying vulnerabilities too late, when already in Production. After a long way and many lessons learned, we have successfully added in-depth security coverage to more than 20 SCRUMS and up to 1M lines of code. We are happy to share our insights, tips and experience from that process. LivePerson is a provider of SaaS based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform on a monthly basis. LivePerson's R&D center consists of hundreds of developers who work in an Agile and Scrum based methods, closely tied with our Secure Software Development Lifecycle. In order to achieve best results and reduce friction, we have tailored the SSDLC to the standard SCRUM process and added security coverage (both operational + technical controls) for each phase starting with a mutual Security High Level Design post release planning with Software Architects, defining technical security controls and framework in sprint planning, implementation of ESAPI and Static Code Analysis at the CI, manual code reviews, Automated Security Tests during QA and a penetration test as part of the release. This session will include detailed information about the methodologies and operational cycles as well as measureable key success factors and tips related to implementation of tools and technologies in our use (e.g. ESAPI package, Static Code Analysis as a Maven Step, Vulnerability Scanning plugins) References: OWASP ESAPI https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Writing Secure Code, Second Edition, Michael Howard and David LeBlanc, Microsoft Press The Burp Suite http://portswigger.net/burp/ OWASP Developer Guide http://ignum.dl.sourceforge.net/project/owasp/Guide/2.0.1/OWASPGuide2.0.1.pdf

Presenters:

• Yair Rovek - Security Specialist - LivePerson
  A technical information security specialist with more than 25 years of experience and strong knowledge in Network and Web Applications.

Links:

• https://appsecusa2013.sched.com/event/148T2hv/case-study-10-steps-to-agile-development-without-compromising-enterprise-security
• https://infocon.org/cons/OWASP/AppSecUSA 2013/Case Study - 10 Steps to Agile Development without Compromising Enterprise Security - Yair Rovek.mp4
• https://infocon.org/cons/OWASP/AppSecUSA 2013/Case Study - 10 Steps to Agile Development without Compromising Enterprise Security - Yair Rovek.srt (subtitles)
• https://www.youtube.com/watch?v=Y31qgnF-Bzg

Similar Presentations:

• DeepSec 2015 „DeepSec No. 9“ / Agile Security: The Good, The Bad, and mostly the Ugly
• AppSec USA 2015 / Security as Code: A New Frontier
• AppSec USA 2013 / Application Security: Everything we know is wrong