Bhushan Gupta, Gupta Consulting, LLC.
Security of a web application is a critical attribute and should be achieved by making it an integral part of the software development life cycle. It is also not a responsibility of the security team only, everyone involved in the application developers should take it seriously. There are multiple actors, product owner, scrum master, security engineer, hacker, developer, and quality engineer, that must come together to orchestrate the security of an application. The question is, how do we create the symphony so that everyone in the ensemble plays the right note. The answer is, by adding security stories to the backlog and treat them with the same emphasis as any other story.
This presentation details the mechanics that a development team should utilize in integrating application security with the software development life cycle; in particular, the agile development. It illustrates how a “hacker” actor can own and write security stories as a part of the backlog so that each story can be developed through the SDLC pipeline. For example, “As a hacker I want to steel the user login information” can be one of the stories of login epic. Once a set of stories is in the backlog then acceptance criteria and the test cases can be established. These stories can be defined for the entire OWASP Top 10 range of vulnerabilities depending upon the application.
Key takeaways include:
- Create security stories from the hacker perspective and develop an acceptance criteria
- Prioritize stories based upon the security risk using STRIDE method
- Integrate security validation in each phase of SDLC using a variety of tools
- Understand overall risk and its mitigation prior to deployment