Agile Application Security

Enabling Security in a Continuous Delivery Pipeline

Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird

Publisher: O'Reilly, 2017, 363 pages

ISBN: 978-1-491-93884-3

Keywords: IT Security

Last modified: Aug. 2, 2021, 10:45 p.m.

Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques. And most security professionals aren't up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development.

Written by security experts and agile veterans, this book begins by introducing security principles to agile practitioners, and agile principles to security practitioners. The authors reveal problems they encountered in their own experiences with agile security, and how they worked to solve them.

You'll learn how to:

  • Add security practices to each stage of your existing development lifecycle
  • Integrate security with planning, requirements, design, and at the code level
  • Include security testing as part of your team's effort to deliver working software in each release
  • Implement regulatory compliance in an agile or DevOps environment
  • Build an effective security program through a culture of empathy, openness, transparency, and collaboration

Table of contents:

  1. Getting Started with Security
    • This Isn't Just a Technology Problem
    • Not Just for Geeks
    • Security Is About Risk
      • Vulnerability: Likelihood and Impact
      • We Are All Vulnerable
      • Not Impossible, Just Improbable
      • Measuring the Cost
      • Risk Can Be Minimized, Not Avoided
      • An Imperfect World Means Hard Decisions
    • Threat Actors and Knowing Your Enemy
      • There Is an Attacker for Everyone
      • Motivation, Resources, Access
    • Security Values: Protecting Our Data, Systems, and People
      • Know What You Are Trying to Protect
      • Confidentiality, Integrity, and Availability
      • Nonrepudiation
      • Compliance, Regulation, and Security Standards
    • Common Security Misconceptions or Mistakes
      • Security Is Absolute
      • Security Is a Point That Can Be Reached
      • Security Is Static
      • Security Requires Special [Insert Item/Device/Budget]
    • Let's Get Started
  2. Agile Enablers
    • Build Pipeline
    • Automated Testing
    • Continuous Testing
    • Infrastructure as Code
    • Release Management
    • Visible Tracking
    • Centralized Feedback
    • The Only Good Code Is Deployed Code
    • Operating Safely and at Speed
  3. Welcome to the Agile Revolution
    • Agile: A Potted Landscape
    • Scrum, the Most Popular of Agile Methodologies
      • Sprints and Backlogs
      • Stand-Ups
      • Scrum Feedback Loops
    • Extreme Programming
      • The Planning Game
      • The On-Site Customer
      • Pair Programming
      • Test-Driven Development
      • Shared Design Metaphor
    • Kanban
      • Kanban Board: Make Work Visible
      • Constant Feedback
      • Continuous Improvement
    • Lean
    • Agile Methods in General
    • What About DevOps?
    • Agile and Security
  4. Working with Your Existing Agile Life Cycle
    • Traditional Application Security Modules
    • Per-Iteration Rituals
      • Tools Embedded in the Life Cycle
    • Pre-Iteration Involvement
      • Tooling for Planning and Discovery
    • Post-Iteration Involvement
      • Tools to Enable the Team
      • Compliance and Audit Tools
    • Setting Secure Baselines
    • What About When You Scale?
    • Building Security Teams That Enable
      • Building Tools That People Will Use
      • Documenting Security Techniques
    • Key Takeaways
  5. Security Requirements
    • Dealing with Security Requirements
    • Agile Requirements: Telling Stories
      • What Do Stories Look Like?
      • Conditions of Satisfaction
    • Tracking and Managing Stories: The Backlog
    • Dealing with Bugs
    • Getting Security into Requirements
      • Security Stories
      • Privacy, Fraud, Compliance, and Encryption
      • SAFECode Security Stories
    • Security Personas and Anti-Personas
    • Attacker Stories: Put Your Black Hat On
      • Writing Attacker Stories
    • Attack Trees
      • Building an Attack Tree
      • Maintaining and Using Attack Trees
    • Infrastructure and Operations Requirements
    • Key Takeaways
  6. Agile Vulnerability Management
    • Vulnerability Scanning and Patching
      • First, Understand What You Need to Scan
      • Then Decide How to Scan and How Often
      • Tracking Vulnerabilities
      • Managing Vulnerabilities
    • Dealing with Critical Vulnerabilities
    • Securing Your Software Supply Chain
      • Vulnerabilities in Containers
      • Fewer, Better Suppliers
    • How to Fix Vulnerabilities in an Agile Way
      • Test-Driven Security
      • Zero Bug Tolerance
      • Collective Code Ownership
    • Security Sprints, Hardening Sprints, and Hack Days
    • Taking On and Paying Down Security Debt
    • Key Takeaways
  7. Risk for Agile Teams
    • Security Says, No
    • Understanding Risks and Risk Management
    • Risks and Threats
    • Dealing with Risk
      • Making Risks Visible
      • Accepting and Transferring Risks
      • Changing Contexts for Risks
    • Risk Management in Agile and DevOps
      • Speed of Delivery
      • Incremental Design and Refactoring
      • Self-Organized, Autonomous Teams
      • Automation
      • Agile Risk Mitigation
    • Handling Security Risks in Agile and DevOps
    • Key Takeaways
  8. Threat Assessments and Understanding Attacks
    • Understanding Threats: Paranoia and Reality
      • Understanding Threat Actions
      • Threat Actor Archetypes
      • Threats and Attack Targets
      • Threat Intelligence
      • Threat Assessment
    • Your System's Attack Surface
      • Mapping Your Application Attack Surface
      • Managing Your Application Attack Surface
    • Agile Threat Modeling
      • Understanding Trust and Trust Boundaries
      • Building Your Threat Model
      • "Good Enough" Is Good Enough
      • Thinking Like an Attacker
      • STRIDE: A Structured Model to Understand Attackers
      • Incremental Threat Modeling and Risk Assessments
      • Assess Risks Up Front
      • Review Threats as the Design Changes
      • Getting Value Out of Threat Modeling
    • Common Attack Vectors
    • Key Takeaways
  9. Building Secure and Usable Systems
    • Design to Resist Compromise
    • Security Versus Usability
    • Technical Controls
      • Deterrent Controls
      • Resistive Controls
      • Protective Controls
      • Detective Controls
      • Compensating Controls
    • Security Architecture
      • Perimeterless Security
      • Assume Compromised
    • Complexity and Security
    • Key Takeaways
  10. Code Review for Security
    • Why Do We Need to Review Code?
    • Types of Code Reviews
      • Formal Inspection
      • Rubber Ducking or Desk Checking
      • Pair Programming (and Mob Programming)
    • Peer Code Reviews
      • Code Audits
      • Automated Code Reviews
      • What Kind of Review Approach Works Best for Your Team?
    • When Should You Review Code?
      • Before Code Changes Are Committed
      • Gated Checks Before Release
      • Postmortem and Investigation
    • How to Review Code
      • Take Advantage of Coding Guidelines
      • Using Code Review Checklists
      • Don't Make These Mistakes
      • Review Code a Little Bit at a Time
      • What Code Needs to Be Reviewed?
    • Who Needs to Review Code?
      • How Many Reviewers?
      • What Experience Do Reviewers Need?
    • Automated Code Reviews
      • Different Tools Find Different Problems
      • What Tools Are Good For, and What They're Not Good For
      • Getting Developers to Use Automated Code Reviews
      • Self-Service Scanning
      • Reviewing Infrastructure Code
    • Code Review Challenges and Limitations
      • Reviews Take Time
      • Understanding Somebody Else's Code Is Hard
      • Finding Security Vulnerabilities Is Even Harder
    • Adopting Secure Code Reviews
      • Build on What the Team Is Doing, or Should Be Doing
      • Refactoring: Keeping Code Simple and Secure
      • Fundamentals Will Take You a Long Way to Secure, Safe Code
    • Reviewing Security Features and Controls
    • Reviewing Code for Insider Threats
    • Key Takeaways
  11. Agile Security Testing
    • How Is Testing Done in Agile?
    • If You Got Bugs, You'll Get Pwned
    • The Agile Test Pyramid
    • Unit Testing and TDD
      • What Unit Testing Means to System Security
      • Get Off the Happy Path
    • Service-Level Testing and BDD Tools
      • Gauntlt ("Be Mean to Your Code")
      • BDD-Security
      • Let's Look Under the Covers
    • Acceptance Testing
    • Functional Security Testing and Scanning
      • ZAP Tutorial
      • ZAP in Continuous Integration
      • BDD-Security and ZAP Together
      • Challenges with Application Scanning
    • Testing Your Infrastructure
      • Linting
      • Unit Testing
      • Acceptance Testing
    • Creating an Automated Build and Test Pipeline
      • Nightly Build
      • Continuous Integration
      • Continuous Delivery and Continuous Deployment
      • Out-of-Band Testing and Reviews
      • Promoting to Production
      • Guidelines for Creating a Successful Automated Pipeline
      • Where Security Testing Fits Into Your Pipeline
    • A Place for Manual Testing in Agile
    • How Do You Make Security Testing Work in Agile and DevOps?
    • Key Takeaways
  12. External Reviews, Testing, and Advice
    • Why Do We Need External Reviews?
    • Vulnerability Assessment
    • Penetration Testing
    • Red Teaming
    • Bug Bounties
      • How Bug Bounties Work
      • Setting Up a Bug Bounty Program
      • Are You Sure You Want to Run a Bug Bounty?
    • Configuration Review
    • Secure Code Audit
    • Crypto Audit
    • Choosing an External Firm
      • Experience with Products and Organizations Like Yours
      • Actively Researching or Updating Skills
      • Meet the Technical People
    • Getting Your Money's Worth
      • Don't Waste Their Time
      • Challenge the Findings
      • Insist on Results That Work For You
      • Put Results into Context
      • Include the Engineering Team
      • Measure Improvement Over Time
      • Hold Review/Retrospective/Sharing Events and Share the Results
      • Spread Remediation Across Teams to Maximize Knowledge Transfer
      • Rotate Firms or Swap Testers over Time
    • Key Takeaways
  13. Operations and OpSec
    • System Hardening: Setting Up Secure Systems
      • Regulatory Requirements for Hardening
      • Hardening Standards and Guidelines
      • Challenges with Hardening
      • Automated Compliance Scanning
      • Approaches for Building Hardened Systems
      • Automated Hardening Templates
    • Network as Code
    • Monitoring and Intrusion Detection
      • Monitoring to Drive Feedback Loops
      • Using Application Monitoring for Security
      • Auditing and Logging
      • Proactive Versus Reactive Detection
    • Catching Mistakes at Runtime
    • Runtime Defense
      • Cloud Security Protection
      • RASP
    • Incident Response: Preparing for Breaches
      • Get Your Exercise: Game Days and Red Teaming
      • Blameless Postmortems: Learning from Security Failures
    • Securing Your Build Pipeline
      • Harden Your Build Infrastructure
      • Understand What's In the Cloud
      • Harden Your CI/CD Tools
      • Lock Down Configuration Managers
      • Protect Keys and Secrets
      • Lock Down Repos
      • Secure Chat
      • Review the Logs
      • Use Phoenix Servers for Build and Test
      • Monitor Your Build and Test Systems
    • Shh… Keeping Secrets Secret
    • Key Takeaways
  14. Compliance
    • Compliance and Security
    • Different Regulatory Approaches
      • PCI DSS: Rules-Based
      • Reg SCI: Outcomes-Based
    • Which Approach Is Better?
    • Risk Management and Compliance
    • Traceability of Changes
    • Data Privacy
    • How to Meet Compliance and Stay Agile
      • Compliance Stories and Compliance in Stories
      • More Code, Less Paperwork
      • Traceability and Assurance in Continuous Delivery
      • Managing Changes in Continuous Delivery
      • Dealing with Separation of Duties
    • Building Compliance into Your Culture
      • Keeping Auditors Happy
      • Dealing with Auditors When They Aren't Happy
    • Certification and Attestation
      • Continuous Compliance and Breaches
      • Certification Doesn't Mean That You Are Secure
    • Key Takeaways
  15. Security Culture
    • The Importance of Security Culture
      • Defining "Culture"
      • Push, Don't Pull
    • Building a Security Culture
    • Principles of Effective Security
      • Enable, Don't Block
      • Transparently Secure
      • Don't Play the Blame Game
      • Scale Security, Empower the Edges
      • The Who Is Just as Important as the How
    • Security Outreach
      • Securgonomics
      • Dashboards
    • Key Takeaways
  16. What Does Agile Security Mean?
    • Laura's Story
      • Not an Engineer but a Hacker
      • Your Baby Is Ugly and You Should Feel Bad
      • Speak Little, Listen Much
      • Let's Go Faster
      • Creating Fans and Friends
      • We Are Small but We Are Many
    • Jim's Story
      • You Can Build Your Own Security Experts
      • Choose People over Tools
      • Security Has to Start with Quality
      • You Can Make Compliance an Everyday Thing
    • Michael's Story
      • Security Skills Are Unevenly Distributed
      • Security Practitioners Need to Get a Tech Refresh
      • Accreditation and Assurance Are Dying
      • Security Is an Enabler
    • Rich's Story
      • The First Time Is Free
      • This Can Be More Than a Hobby?
      • A Little Light Bulb
      • Computers Are Hard, People Are Harder
      • And Now, We're Here