Monday, August 06, 2012

Integrating Security with Agile Software Development

Software development industry body Software Assurance Forum for Excellence in Code (SAFECode) has announced a new publication to complement their existing guidance on software assurance, secure software development and software supply chain integrity.

One of the security-focused stories and associated security tasks in the SAFECode document 'Practical Security Stories and Security Tasks for Agile Development Environments'.

Practical Security Stories and Security Tasks for Agile Development Environments provides guidance on incorporating security-related activities into an Agile software development life cycle (S-SDLC), with specific guidance relating to fundamental secure coding practices. The advice relates to the most common security issues SAFECode members see in their own environments, combined with input from the CWE/SANS Top 25 Most Dangerous Software Errors, including the 16 weaknesses in the "on the cusp" list, and the OWASP Top 10 Risks.

The document is aimed at those who already understand Agile practices, whether they are already adopters or planning to use the approach. The guidance provides:

  • 36 security-focused stories and related security tasks
  • 17 operational security tasks that Agile practitioners should consider conducting on an ongoing basis
  • 12 advanced security tasks that typically require guidance from software security experts (in-house or consultants) for the first few iterations or in an ongoing manner.


I am very pleased to see such a document. Agile can be seen as a security blocker, and this provides evidence of tasks that are being incorporated into real-world Agile development processes. It is written in a way that will be immediately understandable by development teams, rather than being aimed at an information-security audience. So, for example, measures to prevent SQL injection vulnerabilities are phrased in a story like "As an architect/ developer I want to ensure AND as QA I want to verify that database queries function as expected by separating the data from the query", and the related backlog tasks include "Use prepared statements with bind variables (parameterized queries) that automatically enforce the separation between data and code.", "Deploy the database user accounts with minimal access rights (least privilege) required to perform the database action. Use separate accounts for different access roles (read only, read and update, etc.).", and "Comparable techniques apply also to XPath, NoSQL and other database queries". Great stuff.
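The story and backlog tasks quoted above, as an added example that is not taken from the SAFECode document or the original post: the developer half uses a bind variable, the QA half runs the same constructed input through both query styles and checks the result. SQLite has no user accounts, so a read-only connection stands in for the least-privilege account; the table, data and function names are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows and a constructed QA test input (not from the page).
ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]
QA_INPUT = "nobody' OR '1'='1"

def make_db():
    """Create a throwaway SQLite file with sample rows and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    conn.commit()
    conn.close()
    return path

def read_only(path):
    """Stand-in for a least-privilege, read-only database account."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def find_concatenated(conn, name):
    """'Before': the input is spliced into the SQL text and parsed as code."""
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def find_bound(conn, name):
    """'After': a bind variable keeps the input as data, never as SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def qa_check():
    """QA half of the story: same input, both query styles, plus a write attempt."""
    path = make_db()
    conn = read_only(path)
    try:
        leaked = len(find_concatenated(conn, QA_INPUT))  # rows matched by spliced input
        bound = len(find_bound(conn, QA_INPUT))          # rows matched by bound input
        try:
            conn.execute("DELETE FROM users")
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True  # the read-only role cannot modify data
    finally:
        conn.close()
        os.remove(path)
    return leaked, bound, write_blocked
```

A check like `qa_check()` belongs in the iteration's automated test suite, so that a regression from bound to concatenated queries fails the build.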

Operational security tasks include activities such as "Configure bug tracking to track security vulnerabilities", "Resolve critical and high severity issues identified by static code analysis tools", "Perform stricter code review of 'risky' code", and so on. The 12 tasks listed as requiring the help of security experts include "Software security training (secure coding and secure testing)", "Performing threat modeling for new/enhanced features" and "Conduct penetration tests on the software around beta stage".

The cross-referencing to Common Weakness Enumeration (CWE) identifiers, SAFECode's own Fundamental Practices and other materials such as OWASP ESAPI ensures this is not an island of information isolated from the wider application security knowledge base.



Clerkendweller
