Agile security lessons from Aetna and the state of Texas
- 27 May, 2015 03:59
The move to agile development practices poses both challenges and opportunities to security teams -- with the challenges often dominating. But some organizations, such as the Aetna insurance company and the state of Texas, have found ways to make it work.
"We use agile development as the norm," said Jim Routh, CISO at Hartford, Conn.-based Aetna Inc.
What does "agile security" mean? Simply put, it means that security has to become agile, as well, said Routh, and the result has been better security from the ground up.
For example, one of the principles of agile development involves "use cases" -- designing for particular applications of the technology.
For Aetna, the agile security equivalent is "abuse cases."
"We create ways of attacking the application as if we were an adversary," Routh said. "By designing mitigation into the design process using threat modeling, we actually limit the potential of attacking that application and reduce defects, leading to higher quality and higher resiliency."
Another way Aetna embeds security into the software design process early on is to use static analysis tools on code as it is being written.
"When you write a story, and use Microsoft Word, the spell checker tells you if you've misspelled a word," he said.
Developers can make mistakes, as well, which is where static analysis comes in.
"They're using it like a spell checker for development," he said. "They run it on their code, and it gives them context for how to fix vulnerabilities."
Aetna also pre-reviews the open source libraries that developers use.
"We have a tool that allows them to determine the security vulnerabilities in any open source framework," Routh said. "Then we block the high-risk libraries from put into the code."
There are a total of twelve controls that are now part of the development process, and the end result is that the development process actually became more efficient.
"We get a 15 percent gain in productivity because defects are prevented early," he said. "We have the most mature software development program in health care."
Agile security improves morale in Texas
The Lone Star State has also switched to agile development for its Texas.gov online portal, and security had to adapt as well, according to CISO Tim Virtue.
Instead of waiting six months for problems to get fixed in the next development cycle, they now get fixed in two weeks, Virtue told attendees at the CSO50 conference earlier this year.
He has also seen improvements in employee motivation, retention and recruitment. Cycle time for vulnerability management and remediation was cut in half and the time it took to deliver new security services was cut by 90 percent.
"We're fixing problems before they become problems," he said. "That gives us more time to deal with innovation and other things out there."
Denim tests early and often
San Antonio-based security consulting firm The Denim Group switched away from traditional waterfall development eight years ago and today uses both "abuse cases" and automated testing tools as part of its agile security process.
Denim uses automated dynamic testing and automated static testing to find common vulnerabilities such as SQL injections.
"But business logic flaws, problems with authentication or authorization are hard or impossible to test for using automation," he said. "You hope to avoid introducing those types of vulnerabilities by doing threat modeling for an application."
This is where "abuse cases" come in, he said. "When building apiece of functionality, brainstorm for some time about how an application could be abused."
Another technique that Denim has found to be helpful for some organizations, especially with Web and mobile applications, is to focus manual testing on those features that changed most significantly during the previous development cycle.
"It's not as good as full testing," he said.
But sometimes there are budgetary or time constraints about how much testing can be done.
"By looking at what has changed since the last release, that can help organizations get most value for their budget," he said.
Moving to an agile model can make some traditional security professionals nervous, he said, especially those with a command-and-control view of the process.
"There's a perception among security people that developers don't care about security," he said.
But agile offers security employees the opportunity to become resources early on in the development process, instead of coming in afterwards and looking for mistakes.
"Which is still an important thing to do. but you don't want your development team to have all the interactions with the security team be negative," he said. "That creates a pretty toxic environment."
Cigital tears down the wall
For Dulles, Vir.-based Cigital, moving to agile development helped break down the cultural divide between the development and the security teams that exists in traditional waterfall development.
"It's us versus them," said Cigital CTO John Steven. "You've built something, you throw it over the wall, someone tests it, and says, 'You did these things wrong.' If they offer any guidance, its usually tautologically -- you didn't do this or that."
In agile development, the security operation can lend a security architect to the development team.
"He can say, 'I notice you're trying to query the database. One way to do that safely is this.' You break down the us versus them model," said Steven. "At Cigital, we think that benefit is so powerful."
Steven says that this is a much more effective approach than coming in, talking to developers about security, run a pen testing tool, point out vulnerabilities, and leaving.
"If you go back six months later, the developers are still forgetting about security and implementing vulnerable code," he said. "If you want to help developers code securely, you have to be with them."
Thycotic bakes in security
Washington, D.C.-based Thycotic Software Ltd. bakes security into the agile development process with a security training process, but also embeds security staffers when needed.
"We have a security architect on staff who helps us with security processes about encryption," said Thycotic CEO Jonathan Cogley. "We have a hardware security model, and doing encryption in hardware is pretty complex. He was involved in a lot of the work from the beginning and followed it from conception all the way to delivery to customers."
Cogley suggests that companies looking to make the switch to agile do it one small step at a time.
"It's one of the biggest things where people go wrong," he said.
For example, if a company is starting with a waterfall development team, then the first step might be to change the release cycle from six months to one month.
"The idea is that you can always unpeel the change and reverse it quickly," he said. "When you make a lot of changes, it's hard to see where things went wrong and reverse them effectively."