Agile Application Security

Book description

Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques. And most security professionals aren’t up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development.

Written by security experts and agile veterans, this book begins by introducing security principles to agile practitioners, and agile principles to security practitioners. The authors also reveal problems they encountered in their own experiences with agile security, and how they worked to solve them.

You’ll learn how to:

  • Add security practices to each stage of your existing development lifecycle
  • Integrate security with planning, requirements, design, and at the code level
  • Include security testing as part of your team’s effort to deliver working software in each release
  • Implement regulatory compliance in an agile or DevOps environment
  • Build an effective security program through a culture of empathy, openness, transparency, and collaboration

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. Who Should Read This Book
      1. The Agile Practitioner
      2. The Security Practitioner
      3. The Agile Security Practitioner
    2. Navigating This Book
      1. Part 1: Fundamentals
      2. Part 2: Agile and Security
      3. Part 3: Pulling It All Together
    3. Conventions Used in This Book
    4. O’Reilly Safari
    5. How to Contact Us
    6. Acknowledgments
  2. 1. Getting Started with Security
    1. This Isn’t Just a Technology Problem
    2. Not Just for Geeks
    3. Security Is About Risk
      1. Vulnerability: Likelihood and Impact
      2. We Are All Vulnerable
      3. Not Impossible, Just Improbable
      4. Measuring the Cost
      5. Risk Can Be Minimized, Not Avoided
      6. An Imperfect World Means Hard Decisions
    4. Threat Actors and Knowing Your Enemy
      1. There Is an Attacker for Everyone
      2. Motivation, Resources, Access
    5. Security Values: Protecting Our Data, Systems, and People
      1. Know What You Are Trying to Protect
      2. Confidentiality, Integrity, and Availability
      3. Nonrepudiation
      4. Compliance, Regulation, and Security Standards
    6. Common Security Misconceptions or Mistakes
      1. Security Is Absolute
      2. Security Is a Point That Can Be Reached
      3. Security Is Static
      4. Security Requires Special [Insert Item/Device/Budget]
    7. Let’s Get Started
  3. 2. Agile Enablers
    1. Build Pipeline
    2. Automated Testing
    3. Continuous Integration
    4. Infrastructure as Code
    5. Release Management
    6. Visible Tracking
    7. Centralized Feedback
    8. The Only Good Code Is Deployed Code
    9. Operating Safely and at Speed
  4. 3. Welcome to the Agile Revolution
    1. Agile: A Potted Landscape
    2. Scrum, the Most Popular of Agile Methodologies
      1. Sprints and Backlogs
      2. Stand-ups
      3. Scrum Feedback Loops
    3. Extreme Programming
      1. The Planning Game
      2. The On-Site Customer
      3. Pair Programming
      4. Test-Driven Development
      5. Shared Design Metaphor
    4. Kanban
      1. Kanban Board: Make Work Visible
      2. Constant Feedback
      3. Continuous Improvement
    5. Lean
    6. Agile Methods in General
    7. What About DevOps?
    8. Agile and Security
  5. 4. Working with Your Existing Agile Life Cycle
    1. Traditional Application Security Models
    2. Per-Iteration Rituals
      1. Tools Embedded in the Life Cycle
    3. Pre-Iteration Involvement
      1. Tooling for Planning and Discovery
    4. Post-Iteration Involvement
      1. Tools to Enable the Team
      2. Compliance and Audit Tools
    5. Setting Secure Baselines
    6. What About When You Scale?
    7. Building Security Teams That Enable
      1. Building Tools That People Will Use
      2. Documenting Security Techniques
    8. Key Takeaways
  6. 5. Security and Requirements
    1. Dealing with Security in Requirements
    2. Agile Requirements: Telling Stories
      1. What Do Stories Look Like?
      2. Conditions of Satisfaction
    3. Tracking and Managing Stories: The Backlog
    4. Dealing with Bugs
    5. Getting Security into Requirements
      1. Security Stories
      2. Privacy, Fraud, Compliance, and Encryption
      3. SAFECode Security Stories
    6. Security Personas and Anti-Personas
    7. Attacker Stories: Put Your Black Hat On
      1. Writing Attacker Stories
    8. Attack Trees
      1. Building an Attack Tree
      2. Maintaining and Using Attack Trees
    9. Infrastructure and Operations Requirements
    10. Key Takeaways
  7. 6. Agile Vulnerability Management
    1. Vulnerability Scanning and Patching
      1. First, Understand What You Need to Scan
      2. Then Decide How to Scan and How Often
      3. Tracking Vulnerabilities
      4. Managing Vulnerabilities
    2. Dealing with Critical Vulnerabilities
    3. Securing Your Software Supply Chain
      1. Vulnerabilities in Containers
      2. Fewer, Better Suppliers
    4. How to Fix Vulnerabilities in an Agile Way
      1. Test-Driven Security
      2. Zero Bug Tolerance
      3. Collective Code Ownership
    5. Security Sprints, Hardening Sprints, and Hack Days
    6. Taking On and Paying Down Security Debt
    7. Key Takeaways
  8. 7. Risk for Agile Teams
    1. Security Says, No
    2. Understanding Risks and Risk Management
    3. Risks and Threats
    4. Dealing with Risk
      1. Making Risks Visible
      2. Accepting and Transferring Risks
      3. Changing Contexts for Risks
    5. Risk Management in Agile and DevOps
      1. Speed of Delivery
      2. Incremental Design and Refactoring
      3. Self-Organized, Autonomous Teams
      4. Automation
      5. Agile Risk Mitigation
    6. Handling Security Risks in Agile and DevOps
    7. Key Takeaways
  9. 8. Threat Assessments and Understanding Attacks
    1. Understanding Threats: Paranoia and Reality
      1. Understanding Threat Actors
      2. Threat Actor Archetypes
      3. Threats and Attack Targets
      4. Threat Intelligence
      5. Threat Assessment
    2. Your System’s Attack Surface
      1. Mapping Your Application Attack Surface
      2. Managing Your Application Attack Surface
    3. Agile Threat Modeling
      1. Understanding Trust and Trust Boundaries
      2. Building Your Threat Model
      3. “Good Enough” Is Good Enough
      4. Thinking Like an Attacker
      5. STRIDE: A Structured Model to Understand Attackers
      6. Incremental Threat Modeling and Risk Assessments
      7. Assess Risks Up Front
      8. Review Threats as the Design Changes
      9. Getting Value Out of Threat Modeling
    4. Common Attack Vectors
    5. Key Takeaways
  10. 9. Building Secure and Usable Systems
    1. Design to Resist Compromise
    2. Security Versus Usability
    3. Technical Controls
      1. Deterrent Controls
      2. Resistive Controls
      3. Protective Controls
      4. Detective Controls
      5. Compensating Controls
    4. Security Architecture
      1. Perimeterless Security
      2. Assume Compromised
    5. Complexity and Security
    6. Key Takeaways
  11. 10. Code Review for Security
    1. Why Do We Need to Review Code?
    2. Types of Code Reviews
      1. Formal Inspections
      2. Rubber Ducking or Desk Checking
      3. Pair Programming (and Mob Programming)
    3. Peer Code Reviews
      1. Code Audits
      2. Automated Code Reviews
      3. What Kind of Review Approach Works Best for Your Team?
    4. When Should You Review Code?
      1. Before Code Changes Are Committed
      2. Gated Checks Before Release
      3. Postmortem and Investigation
    5. How to Review Code
      1. Take Advantage of Coding Guidelines
      2. Using Code Review Checklists
      3. Don’t Make These Mistakes
      4. Review Code a Little Bit at a Time
      5. What Code Needs to Be Reviewed?
    6. Who Needs to Review Code?
      1. How Many Reviewers?
      2. What Experience Do Reviewers Need?
    7. Automated Code Reviews
      1. Different Tools Find Different Problems
      2. What Tools Are Good For, and What They’re Not Good For
      3. Getting Developers to Use Automated Code Reviews
      4. Self-Service Scanning
      5. Reviewing Infrastructure Code
    8. Code Review Challenges and Limitations
      1. Reviews Take Time
      2. Understanding Somebody Else’s Code Is Hard
      3. Finding Security Vulnerabilities Is Even Harder
    9. Adopting Secure Code Reviews
      1. Build on What the Team Is Doing, or Should Be Doing
      2. Refactoring: Keeping Code Simple and Secure
      3. Fundamentals Will Take You a Long Way to Secure, Safe Code
    10. Reviewing Security Features and Controls
    11. Reviewing Code for Insider Threats
    12. Key Takeaways
  12. 11. Agile Security Testing
    1. How Is Testing Done in Agile?
    2. If You Got Bugs, You’ll Get Pwned
    3. The Agile Test Pyramid
    4. Unit Testing and TDD
      1. What Unit Testing Means to System Security
      2. Get Off the Happy Path
    5. Service-Level Testing and BDD Tools
      1. Gauntlt (“Be Mean to Your Code”)
      2. BDD-Security
      3. Let’s Look Under the Covers
    6. Acceptance Testing
    7. Functional Security Testing and Scanning
      1. ZAP Tutorial
      2. ZAP in Continuous Integration
      3. BDD-Security and ZAP Together
      4. Challenges with Application Scanning
    8. Testing Your Infrastructure
      1. Linting
      2. Unit Testing
      3. Acceptance Testing
    9. Creating an Automated Build and Test Pipeline
      1. Nightly Build
      2. Continuous Integration
      3. Continuous Delivery and Continuous Deployment
      4. Out-of-Band Testing and Reviews
      5. Promoting to Production
      6. Guidelines for Creating a Successful Automated Pipeline
      7. Where Security Testing Fits Into Your Pipeline
    10. A Place for Manual Testing in Agile
    11. How Do You Make Security Testing Work in Agile and DevOps?
    12. Key Takeaways
  13. 12. External Reviews, Testing, and Advice
    1. Why Do We Need External Reviews?
    2. Vulnerability Assessment
    3. Penetration Testing
    4. Red Teaming
    5. Bug Bounties
      1. How Bug Bounties Work
      2. Setting Up a Bug Bounty Program
      3. Are You Sure You Want to Run a Bug Bounty?
    6. Configuration Review
    7. Secure Code Audit
    8. Crypto Audit
    9. Choosing an External Firm
      1. Experience with Products and Organizations Like Yours
      2. Actively Researching or Updating Skills
      3. Meet the Technical People
    10. Getting Your Money’s Worth
      1. Don’t Waste Their Time
      2. Challenge the Findings
      3. Insist on Results That Work for You
      4. Put Results into Context
      5. Include the Engineering Team
      6. Measure Improvement Over Time
      7. Hold Review/Retrospective/Sharing Events and Share the Results
      8. Spread Remediation Across Teams to Maximize Knowledge Transfer
      9. Rotate Firms or Swap Testers over Time
    11. Key Takeaways
  14. 13. Operations and OpSec
    1. System Hardening: Setting Up Secure Systems
      1. Regulatory Requirements for Hardening
      2. Hardening Standards and Guidelines
      3. Challenges with Hardening
      4. Automated Compliance Scanning
      5. Approaches for Building Hardened Systems
      6. Automated Hardening Templates
    2. Network as Code
    3. Monitoring and Intrusion Detection
      1. Monitoring to Drive Feedback Loops
      2. Using Application Monitoring for Security
      3. Auditing and Logging
      4. Proactive Versus Reactive Detection
    4. Catching Mistakes at Runtime
    5. Runtime Defense
      1. Cloud Security Protection
      2. RASP
    6. Incident Response: Preparing for Breaches
      1. Get Your Exercise: Game Days and Red Teaming
      2. Blameless Postmortems: Learning from Security Failures
    7. Securing Your Build Pipeline
      1. Harden Your Build infrastructure
      2. Understand What’s in the Cloud
      3. Harden Your CI/CD Tools
      4. Lock Down Configuration Managers
      5. Protect Keys and Secrets
      6. Lock Down Repos
      7. Secure Chat
      8. Review the Logs
      9. Use Phoenix Servers for Build and Test
      10. Monitor Your Build and Test Systems
    8. Shh…Keeping Secrets Secret
    9. Key Takeaways
  15. 14. Compliance
    1. Compliance and Security
    2. Different Regulatory Approaches
      1. PCI DSS: Rules-Based
      2. Reg SCI: Outcome-Based
    3. Which Approach Is Better?
    4. Risk Management and Compliance
    5. Traceability of Changes
    6. Data Privacy
    7. How to Meet Compliance and Stay Agile
      1. Compliance Stories and Compliance in Stories
      2. More Code, Less Paperwork
      3. Traceability and Assurance in Continuous Delivery
      4. Managing Changes in Continuous Delivery
      5. Dealing with Separation of Duties
    8. Building Compliance into Your Culture
      1. Keeping Auditors Happy
      2. Dealing with Auditors When They Aren’t Happy
    9. Certification and Attestation
      1. Continuous Compliance and Breaches
      2. Certification Doesn’t Mean That You Are Secure
    10. Key Takeaways
  16. 15. Security Culture
    1. The Importance of Security Culture
      1. Defining “Culture”
      2. Push, Don’t Pull
    2. Building a Security Culture
    3. Principles of Effective Security
      1. Enable, Don’t Block
      2. Transparently Secure
      3. Don’t Play the Blame Game
      4. Scale Security, Empower the Edges
      5. The Who Is Just as Important as the How
    4. Security Outreach
      1. Securgonomics
      2. Dashboards
    5. Key Takeaways
  17. 16. What Does Agile Security Mean?
    1. Laura’s Story
      1. Not an Engineer but a Hacker
      2. Your Baby Is Ugly and You Should Feel Bad
      3. Speak Little, Listen Much
      4. Let’s Go Faster
      5. Creating Fans and Friends
      6. We Are Small, but We Are Many
    2. Jim’s Story
      1. You Can Build Your Own Security Experts
      2. Choose People over Tools
      3. Security Has to Start with Quality
      4. You Can Make Compliance an Everyday Thing
    3. Michael’s Story
      1. Security Skills Are Unevenly Distributed
      2. Security Practitioners Need to Get a Tech Refresh
      3. Accreditation and Assurance Are Dying
      4. Security Is an Enabler
    4. Rich’s Story
      1. The First Time Is Free
      2. This Can Be More Than a Hobby?
      3. A Little Light Bulb
      4. Computers Are Hard, People Are Harder
      5. And Now, We’re Here
  18. Index

Product information

  • Title: Agile Application Security
  • Author(s): Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird
  • Release date: September 2017
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781491938799