10 Steps To Agile Development Without Compromising Enterprise Security
Author: Yair Rovek
Hosted by OWASP & the NYC Chapter

Challenged by Agile
“It is a well known and acknowledged fact that Agile processes are extremely difficult to combine with any existing security frameworks”
-- Extract from a blog of a very popular software provider
“The good news is that our retroactive security is very good…”
-- Extract from the same blog as above

About Me: Yair Rovek
• 20+ years in the industry
• 4 years Security Specialist @ LivePerson
• Leading the SDLC Program
• Design security and new technologies within our products
Contact Me! yairr@liveperson.com @lione_heart

LivePerson ID
What we do?
SaaS platform for creation of meaningful connections through real-time engagement
• 16 years in business
• SaaS from day 1
• NASDAQ & TASE (LPSN)
• ~8500 Customers
• ~800 employees
How it works?
• Monitor web visitors’ behavior (over 1.5 B visits each month)
• Conduct behavioral ranking
• Provide the engagement platform (over 10 M chats each month)
• SaaS & Cloud only

Security is NOT optional…

Who are the key players?
• Software Architects
• Sales & Product
• R&D Scrum teams
• System Architects
• CI environment

Agile Framework
(diagram: artifact production cycle, with a Retrospective stage)

Add Security to the Agile Process
Scrum Action              Security Control
Release Planning          Security High-Level Design
Sprint Planning           Guide-in the teams (On-Demand)
Coding                    ESAPI & SCA checks for each build
Code Freeze               Automated Security Tests
Q&A – Regression Tests    Automated Security Tests
Release                   External Pen-Test

Screening Code in 3D
• Delivered
• Dependencies and Open Source
• Developer Code

ESAPI Building Blocks
Custom Enterprise Web Application, built on the Enterprise Security API:
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration

Where Do I put my validation?
Application layers: User Interface → Controller → Business Functions → Data Layer
Interpreters the application talks to: Any Interpreter, Web Service, Any Encoding, Database, Mainframe, User, File System, Etc…
• Validate: general (whitelist) validation where input enters the Controller
• Specific Validate: interpreter-specific validation before data reaches each interpreter
• Encode For HTML: output encoding before data is rendered in the User Interface

API example
Define Relevant Filters
Automated Test Example
Black/White Listing Filter
Integrating Automated Testing: Example
Preventing RegEx DoS and Performance Issues

LivePerson ESAPI implementation
• Live Person Security API (LPSAPI): in-house security package based on the ESAPI project
• Each product imports LPSAPI
• Enforces correct usage via Source Code Analysis (SCA)
• Enforce Open Source Policy
• Test your infra BB

CI environment
Develop Code → Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests) → Deploy to Test Env → Report & Notify → Publish to release repository → Deploy to Production

Security in CI environment
Develop Code → Commit → Source Control (SVN) → TeamCity (Build Trigger) → Maven Build Process (Unit tests) → Deploy to Test Env → SCA, Dynamic, OS → Report & Notify → Publish to release repository → Deploy to Production

One Dashboard
• Results are integrated within TeamCity

Dive into the results
• Results are integrated within TeamCity
• Developer has all required info.
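As an added example for the validation-placement, filter and regex-DoS slides above (not code from the talk, from OWASP ESAPI, or from LivePerson's LPSAPI), the Python below mirrors the shape of ESAPI's Validator.getValidInput(context, input, type, maxLength, allowNull) and Encoder.encodeForHTML: whitelist filters with bounded repetition, a length cap that runs before any regex, output encoding at the HTML interpreter boundary, and a filter policy check that an automated test can run on every build. The filter names, contexts and policy rules are assumptions made for the example.

```python
"""Validate-then-encode helpers in the shape of ESAPI's Validator and Encoder.

Added example: not code from the talk, from OWASP ESAPI or from LPSAPI. The
validation types, contexts and policy rules below are illustrative assumptions.
"""
import html
import re


class ValidationError(ValueError):
    """Raised when an input fails the whitelist for its context."""


# Whitelist filters keyed by validation type. Each pattern is anchored, built
# from bounded character classes and has no nested quantifiers, so the matcher
# cannot backtrack catastrophically (the "Preventing RegEx DoS" point).
WHITELIST = {
    "AccountId": re.compile(r"\A[0-9]{1,12}\Z"),
    "SafeString": re.compile(r"\A[A-Za-z0-9 .,_-]{0,256}\Z"),
    "Email": re.compile(
        r"\A[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}\Z"),
}

# Rough static check for the classic catastrophic-backtracking shape: a group
# that ends in + or * and is itself repeated, e.g. (a+)+ or (\w*)*. Heuristic.
_NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*]\)\s*[+*{]")


def has_nested_quantifier(pattern_source: str) -> bool:
    """True if the pattern source contains a repeated group that ends in + or *."""
    return _NESTED_QUANTIFIER.search(pattern_source) is not None


def check_filters(filters=None) -> list:
    """Filter policy check meant to run as an automated test in CI.
    Every filter must be anchored, must not nest quantifiers and must not use
    unbounded any-character repetition. Returns violation messages; [] is clean."""
    problems = []
    for name, pattern in (filters or WHITELIST).items():
        src = pattern.pattern
        if not (src.startswith(r"\A") and src.endswith(r"\Z")):
            problems.append(f"{name}: pattern is not anchored")
        if has_nested_quantifier(src):
            problems.append(f"{name}: nested quantifier risks catastrophic backtracking")
        if ".*" in src or ".+" in src:
            problems.append(f"{name}: unbounded any-character repetition")
    return problems


def get_valid_input(context, value, type_name, max_length, allow_null=False):
    """Whitelist-validate one input and return it, or raise ValidationError.
    Same parameter shape as ESAPI's Validator.getValidInput; stand-in code."""
    if value is None or value == "":
        if allow_null:
            return None
        raise ValidationError(f"{context}: value is required")
    if not isinstance(value, str):
        raise ValidationError(f"{context}: expected a string")
    # Cap the length before the regex ever runs: an oversized payload then costs
    # one integer comparison instead of a regex scan.
    if len(value) > max_length:
        raise ValidationError(f"{context}: length {len(value)} exceeds {max_length}")
    pattern = WHITELIST.get(type_name)
    if pattern is None:
        raise ValidationError(f"{context}: unknown validation type {type_name!r}")
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{context}: value is not a valid {type_name}")
    return value


def is_valid(context, value, type_name, max_length, allow_null=False) -> bool:
    """Boolean form of get_valid_input (the role of ESAPI's isValidInput)."""
    try:
        get_valid_input(context, value, type_name, max_length, allow_null)
        return True
    except ValidationError:
        return False


def encode_for_html(value: str) -> str:
    """Output encoding for the HTML interpreter (the role of ESAPI's
    Encoder.encodeForHTML): escapes & < > " and '."""
    return html.escape(value, quote=True)


def render_greeting(raw_name: str) -> str:
    """Validate where input enters the controller, encode where it reaches
    the HTML interpreter: both layers, not one or the other."""
    name = get_valid_input("greeting.name", raw_name, "SafeString", 64)
    return "<p>Hello, " + encode_for_html(name) + "</p>"


if __name__ == "__main__":
    print("filter policy violations:", check_filters())
    print(render_greeting("Ada Lovelace"))
    print(is_valid("login", "12a", "AccountId", 12))
```

The check_filters function is the part to wire into the build: run it as a unit test next to the filter definitions so a new filter with a nested quantifier or no upper bound fails the Maven build before it reaches a test environment.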
• No need to involve the Security Team

10 Best Practices: Secure Agile Development

Key Success Factors
1. Identify the process within R&D and set a plan to become part of it
2. Set a Security Package API to be consumed with each code (ESAPI, AntiSamy, CSRF Guard)
3. Screen and enforce your policy on your code, Open Source and platform
4. Use automation to collaborate with the security dynamic test
5. Allow customers to run a pen test and work as a community to succeed
6. Engage tech leaders as security champions by showing them the value
7. Train developers on a regular basis
8. Create a knowledge base and discussions around security
9. Break the build for any “High” or “Medium” findings
10. Start small but think big

Contact Me! yairr@liveperson.com @lione_heart
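One way to implement "break the build for any High or Medium findings" in the CI pipeline described above, as an added example (not code from the talk, from LivePerson, or from any SCA product): a gate script that reads a findings report, honours suppressions only until their expiry date, and reports each blocking finding to TeamCity through a buildProblem service message so the developer sees the reason on the build page. The report schema, file names and rule names are constructed for the example and do not correspond to a real tool's output format.

```python
"""CI security gate: fail the build on findings at or above a severity.

Added example, not code from the talk or from any SCA product. The report
schema (id, severity, rule, file, optional suppressed_until) and the sample
findings are constructed for the demonstration.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Constructed sample report; file and rule names are placeholders.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "High", "rule": "sql-injection",
         "file": "src/chat/Search.java"},
        {"id": "F-2", "severity": "Medium", "rule": "weak-random",
         "file": "src/chat/Token.java",
         "suppressed_until": "2030-01-01", "reason": "risk accepted by product owner"},
        {"id": "F-3", "severity": "Medium", "rule": "xss-reflected",
         "file": "src/web/Greeting.java",
         "suppressed_until": "2013-12-31", "reason": "fix planned"},
        {"id": "F-4", "severity": "Low", "rule": "missing-cache-header",
         "file": "src/web/Static.java"},
    ]
})


def load_findings(report_text: str) -> list:
    """Parse the report text into a list of finding dicts."""
    return json.loads(report_text)["findings"]


def is_suppressed(finding: dict, today: date) -> bool:
    """A suppression is honoured only until its expiry; once expired the
    finding counts as open again, so an accepted risk cannot be forgotten."""
    until = finding.get("suppressed_until")
    if until is None:
        return False
    return date.fromisoformat(until) >= today


def evaluate_gate(findings: list, threshold: str = "Medium", today=None) -> dict:
    """Return which findings block the build. The default threshold of Medium
    is the talk's rule: any High or Medium finding breaks the build.
    `today` may be a date or an ISO string; it defaults to the current date."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    floor = SEVERITY_RANK[threshold]
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= floor and not is_suppressed(f, today)
    ]
    return {"passed": not blocking, "blocking": blocking,
            "blocking_ids": [f["id"] for f in blocking]}


def teamcity_escape(text: str) -> str:
    """Escape a value for a TeamCity service message: | ' [ ] and newlines."""
    return (text.replace("|", "||").replace("'", "|'").replace("\n", "|n")
                .replace("[", "|[").replace("]", "|]"))


def build_problem_messages(result: dict) -> list:
    """One ##teamcity[buildProblem ...] line per blocking finding, so the
    failure reason is shown on the TeamCity build page."""
    return [
        "##teamcity[buildProblem description='{}']".format(
            teamcity_escape(f"{f['id']} {f['severity']} {f['rule']} in {f['file']}"))
        for f in result["blocking"]
    ]


def main(argv=None) -> int:
    """Usage: gate.py [report.json]; exit 1 breaks the build, 0 lets it pass."""
    argv = sys.argv[1:] if argv is None else argv
    text = open(argv[0]).read() if argv else SAMPLE_REPORT
    result = evaluate_gate(load_findings(text))
    for line in build_problem_messages(result):
        print(line)
    status = "PASSED" if result["passed"] else f"FAILED ({len(result['blocking'])} blocking)"
    print("security gate:", status)
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a build step after the SCA/dynamic/open-source scans have written their report; the non-zero exit code is what actually breaks the build, and the buildProblem lines give the developer the information the "Dive into the results" slide calls for without involving the security team.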