Case Study: 10 Steps to Agile Development without Compromising Enterprise Security
Wednesday, November 20 • 12:00 pm - 12:50 pm
In an Agile, fast-paced environment with frequent and multiple product releases, security code reviews and testing are usually considered a delaying factor that conflicts with success.
Is it possible to keep up with the high-end demands of continuous integration and deployment without abandoning security best practices?
When we started this journey, we were seeking a way to reduce the friction, risk and cost driven by identifying vulnerabilities in Production. After a long journey and with many lessons learned, we have successfully added in-depth security coverage to more than 20 Scrum teams (up to 1 MLOC), and are happy to share our insights, tips and experience.
LivePerson is a provider of SaaS-based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform on a monthly basis. The R&D includes hundreds of developers who have adopted Agile and Scrum-based methods, closely tied with our Secure Software Development Lifecycle.
Our Secure Software Development Lifecycle:
In order to achieve the best results and reduce friction, we have linked the SSDLC to the standard Scrum process and added security coverage for each phase, as briefly outlined below:
Post Release Planning – Security High Level Design.
As soon as a Release is planned, a High Level Security Design is performed by the Security team together with the Group Leaders/Software Architects. This phase outlines the agreed security standards. We define the logical security flows and ensure that security best practices and compliance/regulatory requirements are enforced.
Sprint Planning – On Demand Security Q&A
While the Sprint is being planned, questions arise that require a response from a security specialist, for example: which validator should we use? What is the best encoder for this output? How should we implement encryption?
Coding – ESAPI and SCA on build at CI.
The release version control system submits each build to Static Code Analysis, where, among other things, the correct usage of the LivePerson ESAPI implementation is enforced.
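As an added illustration of the kind of build-time rule described above (this is not LivePerson's SCA rule, which the abstract does not show): a small Python check over a constructed Java servlet fragment that flags response writes not wrapped in an ESAPI encoder call. The encoder and validator method names follow the OWASP ESAPI for Java API; the sample source and the check itself are constructed for this example.

```python
import re

# Constructed sample: a Java servlet fragment of the kind a build-time check
# would scan. The encodeForHTML/encodeForHTMLAttribute calls follow the ESAPI
# pattern; the raw println of `name` is the case the check should flag.
SAMPLE_JAVA = """\
String name = request.getParameter("name");
out.println("<p>" + ESAPI.encoder().encodeForHTML(name) + "</p>");
out.println("<p>" + name + "</p>");
String id = ESAPI.validator().getValidInput("id", request.getParameter("id"), "SafeString", 32, false);
out.print(ESAPI.encoder().encodeForHTMLAttribute(id));
"""

# A line that writes to the HTTP response: out.print(...), getWriter().write(...), etc.
OUTPUT_CALL = re.compile(r"\b(out|getWriter\(\))\.(print|println|write)\(")
# An ESAPI output encoder on the same line: ESAPI.encoder().encodeForXXX(
ENCODER_CALL = re.compile(r"ESAPI\.encoder\(\)\.encodeFor\w+\(")
# A write whose argument is only string literals carries no user data,
# so it needs no encoder and must not be flagged.
ONLY_LITERALS = re.compile(r"\(\s*(\"[^\"]*\"\s*\+?\s*)+\)\s*;?\s*$")


def find_unencoded_output(java_source):
    """Return (line_number, line) for every response write lacking an ESAPI encoder."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        if not OUTPUT_CALL.search(line):
            continue  # not an output statement
        if ENCODER_CALL.search(line) or ONLY_LITERALS.search(line):
            continue  # encoded, or no dynamic data on the line
        findings.append((lineno, line.strip()))
    return findings


def gate_build(java_source):
    """CI-style verdict: True when every response write goes through an ESAPI encoder."""
    return len(find_unencoded_output(java_source)) == 0


if __name__ == "__main__":
    for lineno, line in find_unencoded_output(SAMPLE_JAVA):
        print(f"line {lineno}: unencoded output -> {line}")
    print("build passes:", gate_build(SAMPLE_JAVA))
```

A line-based check like this is deliberately simple; a real SCA engine tracks data flow across statements rather than relying on the encoder appearing on the same line as the write.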
Code Freeze – Manual CR
During “Code Freeze”, the Security Team partners with the developers to review the submitted commits, in order to detect and prevent errors that might be missed by the Static Code Analysis process.
QA – Regression Test – Automated Security Test
Using a dedicated plugin to automate the testing, we feed the different inputs into automated security testing, using Burp as our platform.