Bhushan Gupta

Gupta Consulting LLC (USA)

Agile + Security Stories + Validation = Safe and Secure Product

Numerous security data breaches have taken place just this year, 2019. These breaches cover a broad range, from high-tech companies such as Microsoft, Facebook and Apple to federal and state governments and international entities. A majority of these breaches are driven by financial gain, including ransom. The health care industry is often breached for ransom, which interrupts patient care and can lead to loss of life. Authorities worldwide have been enacting new laws such as GDPR and strengthening existing standards to force more secure web application development. Companies have bolstered physical security, and web application development has adopted some test tools such as scanners, but a holistic approach to developing a secure web application is still not on the mind of the software industry. Market pressure often leads to peripheral testing such as penetration testing and discourages the industry from embedding security as an attribute of quality that should be integrated into the software development lifecycle.

We owe it to ourselves to ingrain application security in the software development life cycle (SDLC) to prevent breaches and loss of life. Agile software development is prevalent in our industry. The backbone of agile practice is a backlog of stories grouped into an epic, which is subsequently implemented as a set of features and stories. A holistic approach to building a secure web application is to include security-related personas (actors) and develop stories (use cases) with respect to these personas. A typical set of security personas includes a hacker; a security engineer representing the functional security requirements; industry compliance such as PCI; local and federal government standards; and international mandates such as GDPR. Once identified, these stories are prioritized in order of threat using the STRIDE method. They are then developed like any other stories (functional and UX) and validated at different stages using standard practices such as code review, static and dynamic code analysis, and penetration testing. By adopting this approach, we truly shift security left in software development and raise the level of confidence.

Using a web application under development, this paper will illustrate how to create application security stories related to the personas, develop acceptance criteria, establish test cases, identify the different types of testing at various stages of the SDLC, and create and execute a test plan. It will also discuss the processes and tools needed to achieve a high-confidence secure application. The audience will learn:

  1. How to create a set of stories for security-related personas
  2. How to build acceptance criteria, security controls, test cases (including negative tests), and a test plan
  3. Which tools to use at different stages of the life cycle, and how to use their results to make testing more efficient
  4. How to create an overall more secure web application
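
As an added illustration of the approach described above (example code, not from the paper or from Gupta Consulting), the Python below models one security story per persona with its STRIDE tag, an assumed risk rating and its acceptance criteria, then validates each story with negative tests against a hardened login control. The story schema, the risk rating, the in-memory user table and the function names are my own assumptions.

```python
import sqlite3
from dataclasses import dataclass, field

@dataclass
class SecurityStory:
    """One backlog item written for a security persona (hypothetical schema)."""
    persona: str          # hacker, security engineer, PCI, GDPR, ...
    stride: str           # STRIDE category the story defends against
    text: str
    acceptance: list = field(default_factory=list)  # (label, check) pairs
    risk: int = 1         # 1..5, assumed rating used to order the backlog

def build_db():
    """Constructed in-memory user table standing in for the web app's store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT PRIMARY KEY, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con

def login(con, name, pw):
    """Security control under test: a parameterized query keeps input as data."""
    row = con.execute("SELECT 1 FROM users WHERE name = ? AND pw = ?", (name, pw))
    return row.fetchone() is not None

def hacker_story(con):
    return SecurityStory(
        persona="hacker", stride="Spoofing", risk=5,
        text="As an attacker, I try to log in as another user by injecting SQL "
             "into the login form.",
        acceptance=[  # negative tests derived from the persona's goal
            ("legitimate user still logs in", lambda: login(con, "alice", "s3cret")),
            ("SQL in the name field is rejected", lambda: not login(con, "' OR '1'='1", "x")),
            ("wrong password is rejected", lambda: not login(con, "alice", "wrong"))])

def engineer_story(con):
    return SecurityStory(
        persona="security engineer", stride="Information disclosure", risk=3,
        text="As the security engineer, I require that failed logins do not reveal "
             "whether the account exists.",
        acceptance=[("unknown user and wrong password look alike",
                     lambda: login(con, "bob", "x") == login(con, "alice", "wrong"))])

def prioritize(stories):
    """Order the security backlog, highest assumed risk first."""
    return sorted(stories, key=lambda s: s.risk, reverse=True)

def validate(story):
    """Run a story's acceptance criteria; returns labels of the failed checks."""
    return [label for label, check in story.acceptance if not check()]
```

An empty list from `validate` is the story's definition of done; a non-empty list names the acceptance criterion that the control still fails.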

A proven champion for quality, well-versed in software quality engineering, and a WebApp security researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. In WebApp security his research areas are: infusing security into the SDLC, the OWASP Top 10, risk analysis and mitigation, attack surface measurement, and static and dynamic analysis. As a leader of the Open Web Application Security Project (OWASP) Portland Chapter, he is dedicated to driving WebApp security to higher levels through technical education and training. Bhushan often provides training workshops and presentations to corporations and non-profit organizations. He is also an invited speaker and panelist in discussions on both application security and agile software development.

Bhushan has been a Certified Six Sigma Black Belt (American Society for Quality and Hewlett Packard) and possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. Bhushan holds an MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike in various roles. He was also a faculty member in the Software Engineering department of the Oregon Institute of Technology from 1985 to 1995 and is currently an Adjunct Faculty member.