cyber security testing in an agile environment

Arthur DonkersSecurity Officer

Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect Trainer for PECB (ISO27001, 27005, 31000) Convinced that Infosec is a means to an end, not a purpose in itself.

Contact Information

+ 31-6-53315102

arthur@1secure.nl

www.1secure.nl

nl.linkedin.com/in/arthurdonkers

Cyber Security Testing

How to align security testing to your agile cyber strategy

Agenda

What is this all about?

Who am I?

Out with the old!

In with the new!

Securitytesting in Cyber space

Does classical penetration testing still fit in the rapidly moving cyberspace?Or do we need a new approach?

Who am I?

Arthur DonkersIndependent security consultantSecurity tester for mobile, IoT and hardwareTrainer for PECB (ISO27001, 27005, 31000)

arthur@1secure.nl

These are my opinions

This presentation is based on MY personal experiences with MY clients and MY projects.

Your mileage may vary, I just want to make you think about your current security testing strategy.

… one more thing ...

I’m not a big fan of the term cyber, I think it is an empty term…

Classic testing strategies

Classic security testing follows the waterfall project delivery model:

SECURITY TEST

Classic testing strategies

this means:- Test after delivery of product (but hopefully

before actual deployment);- Within a set scope (only the product);- Within a limited timeframe (before release

date);- With limited resources (people and money)

Classic testing strategies

which leads to:- time crunch (prioritizing individual tests, features

left untested);- limited security assessment (product is not

assessed in its final environment);- Too little time to test (time crunch);- No testers available due to time shift (limited

resource);- No time to fix things (no feedback).

Classic testing strategies

Trying to swim upstream…

Classic testing strategies

Same issues apply to regular testing as well, this is often part of a (mandatory) compliance program:- Limit scope (don’t test the scary stuff);- Limit time (need to be recertified yesterday);- Don’t care about the actual execution (having

ANY test executed often considered sufficient).

Classic testing strategies

Tick in the box exercise!

So now what?

Modern development of products needs to adapt quickly and follow a risk based approach.

This is often referred to as Agile Development

Agile testing strategy

Security testing needs to be integrated into the incremental and continuous delivery cycle

Agile testing strategy

Security testing is not a separate step anymore:- follow at least the risks identified in the agile

cycle (and any additional risks identified);- embed security testers in project (secure

development);- focus and prioritize (there is no 100%)- automate and tool up

Agile testing strategy

Supporting environment (just an example):

Agile security management

For your regular testing you should:- employ a red team (for continuous testing);- don’t limit the scope (let them think and work

like a hacker);- actively and continuously manage the

vulnerabilities and associated risks.

Agile security management

What is ‘red team’ exactly?

“Penetration testers assess organization security, often unbeknownst to client staff. This type of Red Team provides a more realistic picture of the security readiness than exercises, role playing, or announced assessments. The Red Team may trigger active controls and countermeasures within a given operational environment.” (Wikipedia)

Agile security management

So it is a simulated attack, without the limitations of a regular penetration test to yield better and more complete results:

A simulated hacker attack

Agile security management

Continuous security testing uses the same approach, but in a continuous flow instead of an exercise.

Agile security management

• Continuous security testing becomes part of your operational security process (vulnerability management) and gives you a realtime and continuous view on your current security posture.

• This helps you to prioritize risk mitigation and resource allocation (put $$$ where it has the most effect).

• And it fits very well into the continuous improvent which is part of ISO27001

But wait! There’s more!

What then?

All organizations have limited resources (people, time, money).Leverage the hacker community via a bugbounty program.

Bug bounty program

Reward hackers for reporting bugs to you’They’ have the time and dedication to look for bugs.You must set the right terms and conditions.And make sure you can handle the bug reports that will be pouring in (both in volume and quality!).If done properly, this could be an addition to your continuous testing team!

Bug bounty program

Make sure you have at least:

- set up a (responsible) disclosure policy;- set up a reward system (separate the wheat

from the chaff);- set up an incident handling process (things

may/will go wrong and/or trigger alarms).

Responsible disclosure

Allow for people to report bugs and vulnerabilities to you:- without ‘punishing’ the reporter;- in a safe (and sometime anonymous) way;- using clear communication protocols.

So you can resolve these bugs and vulnerabilities before they bite you!

Bug bounty program

You can run your own bug bounty program,Or have a specialized company do it for you, like

Incident handling process

In a continuous security testing strategy, the incident handling is necessary to catch all things that slip through the cracks.This is not an omission, but a result of the fact that you cannot test and secure everything.But you should prepare yourself!

Incident handling process

Wrapping up

Old skool testing does not fit the bill anymore!

Perform continuous testing;Think like a hacker using red team approach;Leverage the hacker community through bug bounty program;Prepare for incidents.

More info at:

www.agilesecurity.nl

THANK YOU

?

+ 31-6-53315102

arthur@1secure.nl

www.1secure.nl

nl.linkedin.com/in/arthurdonkers