Académique Documents
Professionnel Documents
Culture Documents
net/publication/308948578
CITATIONS READS
0 1,514
1 author:
Graeme Burnett
Enhyper Ltd
19 PUBLICATIONS 1 CITATION
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Role Driven Recruitment using STEP profiles and position chaining View project
Cellular Automata Simulation on FPGA for Training Neural Networks with Virtual World Imagery View project
All content following this page was uploaded by Graeme Burnett on 08 October 2016.
Enhyper Ltd
Table of Contents
1
Agile Application Secuirty Framework
Introduc*on
The Agile Applica,on Security Framework is data lifecycle focussed and lightweight in that
there is considerable op,onality. It has a single interface: a checklist which serves as
documenta,on for the data flows of the applica,on or component that is mandated as part
of the sprint/epic. The checklist is documented using the principles of Usable Security¹⁰ i.e. it
is well annotated so the user can understand the concepts of data security and privacy, the
protec,on mechanisms provided by the infrastructure and those which must be created
during the development lifecycle. This offers security improvements at low cost, allows non-
experts to understand the applica,on and it's threat environment and is easy to iterate.
Threat modelling is presented in the context of the applica,on domain and details both
generic and specific threats.
Adherence to the above methodology does not remove the need to perform a
comprehensive penetra,on test prior to produc,on roll out but it raises the awareness of
security and privacy whilst capturing real-world threats which can guide the focus of the
penetra,on test. The target audience are assumed to be competent developers who are
fully conversant with the features and development piKalls of their chosen implementa,on
language therefore this document does not cover standard programming prac,ces and
language features.
Background
This situa,on has prevailed for several years and is now changing due to two factors: threat
actors and increasingly sophis,cated automated exploit tools. Security is one again on the
agenda. In the interim, some alterna,ve approaches were tried, such as threat modelling[⁷],
sta,c code analysis using standard security development paPerns. Two of the world's
largest organisa,ons in par,cular pioneered security threat modelling: Microso\ via the
work of Adam Shostack and the European Union with their Shields Project ⁸. Both
2
Agile Application Secuirty Framework
approaches were laudable in their intent but if their success is measured in the availability,
usage and developer exper,se of func,onal threat models, both can be considered failures.
The same can be said of Security Architecture PaPerns⁹ which took considerable effort but
suffered two problems: distance from the applica,on developers and mission creep - too
many irrelevant paPerns.
3
Agile Application Secuirty Framework
Document Structure
There’s a quick start guide in the Appendix where you can find the Agile Security
Task
5. Agile Application Security Task: The Agile task in detail. This is available as
a word document or a Confluence Template. I
4
Agile Application Secuirty Framework
SCRUM Roles
The key benefits of SCRUM is that the developers get to chose what to deliver in the next
"sprint" and the user of the system gets what they ask for.
Team Member:
• experts in the tools, architecture and techniques required to deliver the system.
Scrum Master:
Product Owner:
Agile/Scrum is not about security per se but the delivery of systems which implicitly need to
be secure otherwise they put the business at risk. The product owner is responsible for the
informa,on security aspects of the system and it is the scrum master who is responsible for
ensuring that Informa,on Security task is on the task board at the appropriate stage.
5
Agile Application Secuirty Framework
This task comprises a checklist which details the data flows, their persistence,
transforma,ons and synthesis during the lifecycle of the process.
The security checklist integrated into the SCRUM framework means that the applica,on and
its data is understood at an early stage in development. As it is a mandatory task, it cannot
be put on the backlog.
6
Agile Application Secuirty Framework
Overview
• Data Analysis: list of data sources, sinks and synthesised data together
with applica,on configura,on files. Detailed full-lifecycle analysis of each
data feed covering physical, opera,on and security elements such as
access control, transport, persistence.
This exercise is completed for each sprint/epic and is updated as the whole
system progresses. An aggregate security analysis can be conducted for the
system as a whole from each component.
The end result is an accurate representa,on of the data artefacts and the
security aspects of the system which can be used to run automa,c and
directed penetra,on tests on the system with focussed coverage.
Architecture Modelling
Tools: Below is a list of tools which are useful for diagramming architectures:
YEd. hPp://www.yworks.com/en/products/yfiles/yed/
7
Agile Application Secuirty Framework
A simple tool wriPen in Java which is reliable, robust and scalable. It can
produce UML diagrams which is ideal for threat modelling.
8
Agile Application Secuirty Framework
Data Analysis
Overview
Data is the vector for many application threats. The majority of data is
transported via the network but there are other sources such as backup tapes,
keyboards, usb drives etc. Documenting these sources as used by an application
allows us to construct threat scenarios in the application context and where
appropriate, mitigate those threats. We use a simple quad chart approach with
axes of impact (low to high) and likelihood (again low to high) seeking to address
the high impact and likelihood threats as a priority.
Our approach to get use the SCRUM process to collect the data flows via the check
list which will allow security domain experts to analyse the elements of the data
flows which are necessary to provide a secure service with an acceptable service
level. Deviation from this SLA and issues with security are notified to the central
log analysis tool Splunk, an appropriate response initiated and remediation
managed.
Rather than looking from a pure threat point of view, we ask the developer
document the source IP, port number at the very least. This can, for example, be
used to drive firewall rules for that application.
Data Sources
The majority of application data will be from the network. There are subtle
threats which can compromise application availability (see CIA) and
9
Agile Application Secuirty Framework
Service Failure Facility dependency failure Retry and Escalation
Data Tampering Corruption of data hashing, cyclic
redundancy checks
Synthesised Data
Data that is created by the application from incoming data. For example a
transaction summary report on a per client basis.
One of the chief concerns is that the aggregation of data causes an increase in
information sensitivity. Appropriate measures must be taken to protect or prevent
this.
Data Sinks
Data that is supplied to downstream systems.
Application Configuration
10
Agile Application Secuirty Framework
Network
This is the most common source and sink of data and can arrive over
multiple network connections.
11
Agile Application Secuirty Framework
Threat Modelling
• Additional Task: They don’t help the development process - they are seen
as an additional task
• Lack of Domain Knowledge: Focus on security terms and threats that are
usually alien to developers
• Subjective: Quality and coverage based on individual experience and time
allocated.
• Numerical: A numerical value does not measure security. A comprehensive
approach from design to penetration testing is more effective.
The security focussed check list answers these four points thus:
12
Agile Application Secuirty Framework
Value: The value of creating a well annotated task adhering to the principles of
usable security, that involves building a threat model, gives the engineers a sense
of ownership and an understanding of the security model.
STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
A threat list of generic threats organised in these categories with examples and
the affected security controls is provided in the following table:
Security
Type Examples
Control
13
Agile Application Secuirty Framework
Inform
Threat action to read a file that one was
ation Confidentialit
not granted access to, or to read data in
disclos y
transit.
ure
Denial
Threat aimed to deny access to valid
of
users, such as by making a web server Availability
servic
temporarily unavailable or unusable.
e
Elevat
Threat aimed to gain privileged access to resources for
ion of
gaining unauthorised access to information or to
privile
compromise a system.
ge
Conclusion
A task is added to the task board of a story/epic in order to capture
the data flows, events, processes and threats associated with an
application. The flows and their attributes are described in terms that
14
Agile Application Secuirty Framework
are easily understood by application developers. Info
15
Agile Application Secuirty Framework
References
# Description
1 Agile Software Development
http://en.wikipedia.org/wiki/Agile_software_development
A Precise and General Inter-component Data Flow Analysis
Framework for Security Vetting of Android Apps
2
http://www.ieee-security.org/TC/SP2014/posters/WEIFE.pdf
16
Agile Application Secuirty Framework
Definitions
Term Definition
Business data Sets of individual data elements grouped around a concept
entry meaningful to the business e.g. Traveler might be the Business
Entity and their name, address, telephone number etc. would
be the individual data elements.
CSRF Cross-Site Request Forgery
DAO Data Access Object. An interface that abstracts access to a
database or persistence mechanism.
HTTPS HTTP over TLS
Acronym for Spoofing, Tampering, Repudiation, Information
STRIDE Disclosure, Denial of Service, and Elevation of Privilege. Used
as part of the Microsoft approach to threat modelling.
Object/Relational Mapper. A library that maps an object-
ORM oriented definition of data to a relational database containing
that data.
XSS Cross-Site Scripting
17
Agile Application Secuirty Framework
AHribute Detail
Sprint Name
JIRA Agile URI
Confluence URI
Descrip*on
Sign-Off
This process aims to capture the data flows of the current sprint in order to generate firewall
rules that permit these flows, document and improve the controls that are in place to
mi,gate aPacks them and ensure the system integrates into the opera,onal environment in
a way that can be measured and monitored.
For the components that are the focus of the current sprint/epic, here are the respec,ve
tasks:
Developers
• Fill in the Agile Security Checklist: detail the data sources, sinks and any data
synthesised
⁃ At a minimum: list the host/port, file transfers, creden,al handling and
lifecycle. Without this, your component will not be able to communicate to
the rest of the infrastructure.
⁃ Data Valida*on: Detail how the applica,on deals with data valida,on as this
is a strong aPack vector. Consult the mi,ga,on sugges,ons below.
⁃ Op*onally: But very useful, document the data lifecycle, volumes, back
pressure, privileges, privacy etc. The more informa,on that is accurate, the
bePer we can ensure the applica,on is available and secure.
• Configura*on Files: List the configura,on files used by the applica,on and who
controls these.
18
Agile Application Secuirty Framework
• PlaRorm Integra*on: Ensure the target system deals with issues such as resource
exhaus,on, OS errors and logs an applica,on specific message
⁃ Authen,ca,on failures, input valida,on failures and resource usage are
security sensi,ve events and need to be logged
⁃ Log issues using a unique token adhering to the applica,on development
standard
⁃ For example, the standard applica,on specific message starts with a ~ (,lde)
e.g. “~E_AUTH_FAILURE: Repeated authen,ca,on failure (count=5)”
• Opera*onal Integrity: List threats to the opera,onal integrity of the system in terms
of availability if you know any (e.g. Data input dependencies, missed transac,ons
etc)
• STRIDE Analysis: Consider aPack vectors and decide whether they are applicable/
likely. If so suggest or seek mi,ga,on.
Scrum Masters
• Ensure that the Agile Applica,on Security Task reflects the applica,on accurately and
does not contain irrelevant informa,on before
Product Owners
Applica*on Details
Name
Descrip,on
Confluence
URL
Business
Area
Product
Owner
Host
Datacenter
Loca,on
PCI-DSS
Notes
19
Agile Application Secuirty Framework
Name The common name of the applica,on.
Descrip*on Give as much detail as you know of the applica,on
and its business context
Confluence URL A URL to the system documenta,on.
Business Area Which business area owns the system
Product Owner Name of the individual or role that is responsible for
the access control and privacy of the data
Host hostname(s) of the applica,on servers that make up
the system
Data Centre Loca*on Which data centre hosts the applica,on servers
PCI-DSS Is this applica,on affected by PCI-DSS requirements.
Special measures need to be taken to protect card
data if this applies.
Architecture Diagram
20
Agile Application Secuirty Framework
System Descrip*on
Describe each component of the system and how they interact.
Sources
21
Agile Application Secuirty Framework
Sinks
Synthesised
Notes
By default, all ports are closed, therefore you will, at a minimum, have to document
the ports that your application requires.
For each data feed, complete the sec,ons that are relevant. See the sec,on below on Threat
Mi,ga,on/Controls for instruc,ons on how to apply this each data feed.
AHribute
Name
IP Address:Port Number
Transport (UDP, FTP etc)
Descrip,on
Access Control
Aggrega,on
Audit
Authen,ca,on
Configura,on Control
Confla,on
22
Agile Application Secuirty Framework
Encryp,on
En,tlements
Masking
On Demand Update/Replay
Persistence
Privacy
Resilience
SOC Integra,on
Tokenisa,on
Versioning
Whitelis,ng
Threat Mi*ga*on/Controls
For each data feed detailed in the previous sec,on, consider the list of controls
or threat mi,ga,ons for each. These are controls that are applicable to the
business model of Global Blue and are not intended to be architecturally
complete.
The list will be augmented as new security controls and paPerns relevant to
the opera,onal environment and business use cases are discovered.
Mi*ga*on Descrip*on
23
Agile Application Secuirty Framework
24
Agile Application Secuirty Framework
STRIDE Analysis
For each data feed in the data perimeter analysis, consider the aPack vector and decide if it
is applicable to this data feed. Choose an appropriate mi,ga,on technique or request
assistance from the SCRUM Master.
Applica*on Name
25
Agile Application Secuirty Framework
Repudia,on
Informa,on
Disclosure
Denial of
Service
Eleva,on of
Privilege
26
View publication stats