

Agile Application Security
Enabling Security in a Continuous Delivery Pipeline

Laura Bell, Michael Brunton-Spall, Rich Smith, and Jim Bird


Agile Application Security
by Laura Bell, Michael Brunton-Spall, Rich Smith, and Jim Bird
Copyright © 2017 Laura Bell, Rich Smith, Michael Brunton-Spall, Jim Bird.
All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North,
Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales
promotional use. Online editions are also available for most titles.
For more information, contact our corporate/institutional sales
department: 800-998-9938 or
Editor: Courtney Allen
Production Editor: Colleen Cole
Copyeditor: Amanda Kersey
Proofreader: Sonia Saruba
Indexer: Wendy Catalano
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest
September 2017: First Edition


Revision History for the First Edition


2017-09-08: First Release
See for release details.
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Agile
Application Security, the cover image, and related trade dress are trademarks
of O’Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure
that the information and instructions contained in this work are accurate, the
publisher and the authors disclaim all responsibility for errors or omissions,
including without limitation responsibility for damages resulting from the use
of or reliance on this work. Use of the information and instructions contained
in this work is at your own risk. If any code samples or other technology this
work contains or describes is subject to open source licenses or the
intellectual property rights of others, it is your responsibility to ensure that
your use thereof complies with such licenses and/or rights.
978-1-491-93884-3
[LSI]


Preface
Software is eating the world. Developers are the new kingmakers. The
internet of things means there will be a computer in every light bulb.
These statements indicate the growing dominance of software development,
to the point where most people in the world will never be further than a meter
away from a computer, and we will expect much of our life to interact with
computer-assisted objects and environments all the time.
But this world comes with some dangers. In the old world of computing,
security was often only considered in earnest for banking and government
systems. But the rise of ubiquitous computing means a rise in the value that
can be realized from the abuse of systems, which increases incentives for
misuse, which in turn increases the risks systems face.
Agile software development techniques are becoming rapidly adopted in
most organizations. By being responsive to change and dramatically lowering
the cost of development, they provide a standard that we expect will continue
to grow until the majority of software is built in an Agile manner.
However, security and Agile have not historically been great bedfellows.
Security professionals have had their hands full with the aforementioned
government, ecommerce, and banking systems, trying to architect, test, and
secure those systems, all in the face of a constantly evolving set of threats.
Furthermore, what is often seen as the most fun and exciting work in security,
the things that get covered on the tech blogs and the nightly news, is done by
teams of professional hackers focusing on vulnerability research, exploit
development, and stunt hacks.
You can probably name a few recent branded vulnerabilities like Heartbleed,
Logjam, or Shellshock (or heaven forbid even recognize their logos), or
recognize the teams of researchers who have achieved a jailbreak on the latest
iPhones and Android devices. But when was the last time a new defensive
measure or methodology had a cool, media-friendly name, or you picked up
the name of a defender and builder?
Security professionals are lagging behind in their understanding and
experience of Agile development, and that creates a gap that is scary for our
industry.
Equally, Agile teams have rejected and thrown off the shackles of the past.
No more detailed requirements specifications, no more system modeling, no
more traditional Waterfall handoffs and control gates. The problem with this
is that Agile teams have thrown the baby out with the bathwater. Those
practices, while sometimes slow and inflexible, have demonstrated value over
the years. They were done for a reason, and Agile teams in rejecting them can
easily forget and dismiss their value.
This means that Agile teams rarely consider security as much as they should.
Some of the Agile practices make a system more secure, but that is often a
beneficial side effect rather than the purpose. Very few Agile teams have an
understanding of the threats that face their system; they don’t understand the
risks they are taking; they don’t track or do anything to control those risks;
and they often have a poor understanding of who it even is that is attacking
their creations.


Who Should Read This Book
We don’t know if you are an Agile team leader, or a developer who is curious
or wants to know more about security. Maybe you are a security practitioner
who has just found an entire development team you didn’t know existed and
you want to know more.
This book was written with three main audiences in mind.


The Agile Practitioner
You live, breathe, and do Agile. You know your Scrum from your Kaizen,
your test-driven-development from your feedback loop. Whether you are a
Scrum Master, developer, tester, Agile coach, Product Owner, or customer
proxy, you understand the Agile practices and values.
This book should help you understand what security is about, what threats
exist, and the language that security practitioners use to describe what is
going on. We’ll help you understand how we model threats, measure risks,
build software with security in mind, install software securely, and
understand the operational security issues that come with running a service.



The Security Practitioner
Whether you are a risk manager, an information assurance specialist, or a
security operations analyst, you understand security. You are probably
careful how you use online services, you think about threats and risks and
mitigations all of the time, and you may have even found new vulnerabilities
and exploited them yourself.
This book should help you understand how software is actually developed in
Agile teams, and what on earth those teams are talking about when they talk
about sprints and stories. You will learn to see the patterns in the chaos, and
that should help you interact with and influence the team. This book should
show you where you can intervene or contribute in the way that is most
valuable to an Agile team and has the best effect.


The Agile Security Practitioner
From risk to sprints, you know it all. Whether you are a tool builder who is
trying to help teams do security well, or a consultant who advises teams, this
book is also for you. The main thing to get out of this book is to understand
what the authors consider to be the growing measure of good practice. This
book should help you be aware of others in your field, and of the ideas and
thoughts and concepts that we are seeing pop up in organizations dealing
with this problem. It should give you a good, broad understanding of the field
and an idea for what to research or learn about next.


Navigating This Book
You could read this book from beginning to end, one chapter at a time. In
fact, we recommend it; we worked hard on this book, and we hope that every
chapter will contain something valuable to all readers, even if it’s just our dry
wit and amusing anecdotes!

But actually, we think that some chapters are more useful to some of you than
others.
We roughly divided this book into three parts.


Part 1: Fundamentals
Agile and security are very broad fields, and we don’t know what you already
know. Especially if you come from one field, you might not have much
knowledge or experience of the other.
If you are an Agile expert, we recommend first reading Chapter 1, Getting
Started with Security, to be sure that you have a baseline understanding of
security.
If you aren’t doing Agile yet, or you are just starting down that road, then
before we move on to the introduction to Agile, we recommend that you read
Chapter 2, Agile Enablers. This represents what we think the basic practices
are and what we intend to build upon.
Chapter 3, Welcome to the Agile Revolution, covers the history of Agile
software development and the different ways that it can be done. This is
mostly of interest to security experts or people who don’t have that
experience yet.


Part 2: Agile and Security
We then recommend that everybody starts with Chapter 4, Working with
Your Existing Agile Life Cycle.
This chapter ties together the security practices that we consider with the
actual Agile development life cycle, and explains how to combine the two.
Chapters 5 through 7 give an understanding of requirements, vulnerability
management, and risk management, which are more general practices that
underpin the product management and general planning side of development.
Chapters 8 through 13 cover the various parts of a secure software
development life cycle, from threat assessment and code review to testing
and operational security.


Part 3: Pulling It All Together
Chapter 14 looks at regulatory compliance and how it relates to security, and
how to implement compliance in an Agile or DevOps environment.
Chapter 15 covers the cultural aspects of security. Yes, you could implement
every one of the practices in this book, and the previous chapters will show
you a variety of tools you can use to make those changes stick. Yet Agile is
all about people, and the same is true of effective security programs: security
is really cultural change at heart, and this chapter will provide examples that
we have found to be effective in the real world.
For a company to change how it does security, it takes mutual support and
respect between security professionals and developers for them to work
closely together to build secure products. That can’t be ingrained through a
set of tools or practices, but requires a change throughout the organization.
Finally, Chapter 16 looks at what Agile security means to different people,
and summarizes what each of us has learned about what works and what
doesn’t in trying to make teams Agile and secure.


Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file
extensions.
Constant width


Used for program listings, as well as within paragraphs to refer to
program elements such as variable or function names, databases, data
types, environment variables, statements, and keywords. If you see the ↲
at the end of a code line, this indicates the line continues on the next
line.
Constant width bold

Shows commands or other text that should be typed literally by the user.
Constant width italic

Shows text that should be replaced with user-supplied values or by
values determined by context.

TIP
This element signifies a tip or suggestion.

NOTE
This element signifies a general note.

WARNING
This element indicates a warning or caution.


O’Reilly Safari
NOTE
Safari (formerly Safari Books Online) is a membership-based training and
reference platform for enterprise, government, educators, and individuals.
Members have access to thousands of books, training videos, Learning Paths,
interactive tutorials, and curated playlists from over 250 publishers, including
O’Reilly Media, Harvard Business Review, Prentice Hall Professional,
Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press,
Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan
Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning,
New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among
others.
For more information, please visit

How to Contact Us
Please address comments and questions concerning this book to the
publisher:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any
additional information. You can access this page at
To comment or ask technical questions about this book, send email to
For more information about our books, courses, conferences, and news, see
our website at
Find us on Facebook:
Follow us on Twitter:
Watch us on YouTube:

Acknowledgments
First, thank you to our wonderful editors: Courtney Allen, Virginia Wilson,
and Nan Barber. We couldn’t have got this done without all of you and the
rest of the team at O’Reilly.
We also want to thank our technical reviewers for their patience and helpful
insights: Ben Allen, Geoff Kratz, Pete McBreen, Kelly Shortridge, and
Nenad Stojanovski.
And finally, thank you to our friends and families for putting up with yet
another crazy project.


Chapter 1. Getting Started with
Security
So what is security?
A deceptively simple question to ask, rather more complex to answer.
When first starting out in the world of security, it can be difficult to
understand or even to know what to look at first. The successful hacks you
will read about in the news paint a picture of Neo-like adversaries who have a
seemingly infinite range of options open to them with which to craft their
highly complex attacks. When thought about like this, security can feel like a
possibly unwinnable field that almost defies reason.
While it is true that security is a complex and ever-changing field, it is also
true that there are some relatively simple first principles that, once
understood, will be the undercurrent to all subsequent security knowledge
you acquire. Approach security as a journey, not a destination — one that
starts with a small number of fundamentals upon which you will continue to
build iteratively, relating new developments back to familiar concepts.
With this in mind, and regardless of our backgrounds, it is important that we
all understand some key security principles before we begin. We will also
take a look at the ways in which security has traditionally been approached,
and why that approach is no longer as effective as it once was now that Agile
is becoming more ubiquitous.
Security for development teams tends to focus on information security (as
compared to physical security like doors and walls, or personnel security like
vetting procedures). Information security looks at security practices and
procedures during the inception of a project, during the implementation of a
system, and on through the operation of the system.


NOTE
While we will be talking mostly about information security in this book, for the sake of
brevity we will just use security to refer to it. If another part of the security discipline is
being referred to, such as physical security, then it will be called out explicitly.


This Isn’t Just a Technology Problem
As engineers we often discuss the technology choices of our systems and
their environment. Security forces us to expand past the technology. Security
can perhaps best be thought of as the overlap between that technology and the
people who interact with it day-to-day as shown in Figure 1-1.

Figure 1-1. When society had less dependence on technology, the need for security was less

So what can this picture tell us? It can be simply viewed as an illustration that
security is more than just about the technology and must, in its very
definition, also include people.
People don’t need technology to do bad things or take advantage of each
other; such activities happened well before computers entered our lives, and
we tend to just refer to this as crime. People have evolved for millennia to lie,
cheat, and steal items of value to further themselves and their community.
When people start interacting with technology, however, this becomes a
potent combination of motivations, objectives, and opportunity. In these
situations, certain motivated groups of people will use the concerted
circumvention of technology to further some very human end goal, and it is
this activity that security is tasked with preventing.
However, it should be noted that technological improvements have widened
the fraternity of people who can commit such crime, whether that be by
providing greater levels of instruction, or widening the reach of motivated
criminals to cover worldwide services. With the internet, worldwide
telecommunication, and other advances, you are much more easily attacked
now than you could have been before, and for the perpetrators there is a far
lower risk of getting caught. The internet and related technologies made the
world a much smaller place and in doing so have made the asymmetries even
starker — the costs have fallen, the paybacks increased, and the chance of
being caught drastically reduced. In this new world, geographical distance to
the richest targets has essentially been reduced to zero for attackers, while at
the same time there is still the old established legal system of treaties and
process needed for cross-jurisdictional investigations and extraditions — this
aside from the varying definitions of what constitutes a computer crime in
different regions. Technology and the internet also help shield perpetrators
from identification: no longer do you need to be inside a bank to steal its
money — you can be half a world away.


A NOTE ON TERMINOLOGY
Circumvention is used deliberately to avoid any implicit moral judgments whenever
insecurity is discussed.

The more technologies we have in our lives, the more opportunities we have
to both use and benefit from them. The flip side of this is that society’s
increasing reliance on technology creates greater opportunities, incentives,
and benefits for its misuse. The greater our reliance on technology, the
greater our need for that technology to be stable, safe, and available. When
this stability and security comes into question, our businesses and
communities suffer. The same picture can also help to illustrate this
interdependence between the uptake of technology by society and the need
for security in order to maintain its stability and safety, as shown in Figure 1-2.

Figure 1-2. As society becomes increasingly dependent on technology, the need for security and
impacts of its absence increase significantly


As technology becomes ever more present in the fabric of society, the
approaches taken to thinking about its security become increasingly
important.
A fundamental shortcoming of classical approaches to information security is
failing to recognize that people are just as important as technology. This is an
area we hope to provide a fresh perspective to in this book.


Not Just for Geeks
There was a time that security was the exclusive worry of government and
geeks. Now, with the internet being an integral part of people’s lives the
world over, securing the technologies that underlie it is something that is
pertinent to a larger part of society than ever before.
If you use technology, security matters because a failure in security can
directly harm you and your communities.
If you build technology, you are now the champion of keeping it stable and
secure so that we can improve our business and society on top of its
foundation. No longer is security an area you can mentally outsource:
You are responsible for considering the security of the technology.
You provide the means for people to embrace security in their everyday lives.
Failure to accept this responsibility means the technology you build will be
fundamentally flawed and fail in one of its primary functions.


