Security is a lot like quality and performance. You can’t tack them on at the end of the development cycle and expect them to be effective. All of them have to be built in along the way, in every phase of every cycle. But even though many companies claim that security is a priority, that doesn’t always translate to supporting security initiatives in the software development process. Security code reviews are often overlooked or avoided, and when development schedules fall behind, security testing is often dropped to help the team "catch up". And there is almost never any money in the budget for buying new tools.

So the first step of building secure applications has to be making security part of the regular development process, but at the same time there isn't time or budget to do so. Developers have to get some quick, easy wins with security without expending a lot of time, money, or effort. Like any agile practice, continuous and rapid feedback is critical.

Static analysis tools examine source code or compiled code for common errors, unused variables, style and formatting variations, and similar items. Most modern languages have a selection of open-source static analysis tools that can scan source code for predictable problems. SQL injection, cross-site scripting, and hard-coded passwords are common vulnerabilities that can often be detected by static code analysis. Static analysis tools can also look at the third-party libraries that the source code depends on, identifying components with known vulnerabilities.

With a continuous integration practice, it is easy to run some of these static code analysis tools frequently, beginning early in the development cycle. We can make these tools part of the developer's normal routine, heading off potential security problems before it is too late.

Gene talks about his experiences with using open-source static analysis tools to build security into the development process without spending much time or effort, but still adding plenty of security value. 


Outline/structure of the Session

  1. Introduction
  2. Basics of Software Security
  3. Introduction to Static Analysis
  4. Basic Development Build Cycle
    1. Maven
    2. Continuous Integration
    3. Checkstyle
    4. FindBugs
    5. PMD
    6. SonarQube
    7. OWASP Dependency Checker
    8. Other tools
  5. Beyond Static Analysis
    1. Importance of Testing
    2. Security Scanning
    3. Continuous Delivery
    4. System Scanning
  6. Conclusion

Learning Outcome

By the end of the presentation, attendees should have some ideas on how they can add some open-source static analysis tools to their own projects to start building security into their development process.

Target Audience

Developers

Submitted 2 years ago

Comments

  • By George Dinwiddie  ~  2 years ago

    Hi Gene, 

    My apologies for any confusion with respect to your session. Unfortunately, and as was originally communicated, your proposal was not, in fact, accepted this year. We do not have any other sessions for which you are the presenter. In appreciation for taking the time to submit your proposal, which was not ultimately selected, we are offering a discounted admission price. When you register, please submit the code “THANK YOU” following which your registration fee should change to $100 at checkout. Once again, we genuinely appreciate your commitment to further developing the Mid-Atlantic Agile Community and look forward to seeing you at the event.

    Regards,

    Phillip Manketo and George Dinwiddie
    on behalf of the organizing members


  • By George Dinwiddie  ~  2 years ago

    Hi, Gene,

    My experience is that most people running static analysis tools on their codebase never actually look at the output. Scanning the code gets little analysis, and scanning the system is postponed until right before launch.

    I don't see anything in your proposal that talks about these aspects. Do you include them, or is this more about the tools that are available?

    • By Gene Gotimer  ~  2 years ago

      The intent is to discuss how to roll static analysis tools into the development process, so I was planning on discussing how/when to use static analysis tools (including reviewing the results) and how/when to remediate the findings (immediately, just like unit test failures).

      Both the continuous integration and SonarQube items address dashboards and displays of the results. Likewise, both tools have facilities for "failing the build" if user-selected thresholds for findings are exceeded or not appropriately met. In that way, the continuous integration process can enforce adherence to the static analysis rules.

      I'll mention available tools along the way, but the focus will be making the practice part of the development cycle.
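Gene's reply above describes failing the build when findings exceed user-selected thresholds, and the abstract describes running the tools from continuous integration from the start of the cycle. As an added illustration of both points (an editor's example, not code from the proposal or from Gene's talk), here is a Maven `<build>` section that wires three of the outlined tools into the `verify` phase, so that `mvn verify` on every CI build fails on findings. Plugin versions are placeholders, and the threshold values are illustrative choices.

```xml
<!-- Added example, not from the proposal: Maven <build> section that runs the
     outlined static analysis tools on every CI build and fails the build when
     findings exceed the chosen thresholds. Versions are placeholders. -->
<build>
  <plugins>
    <!-- FindBugs: bug patterns in compiled bytecode. findbugs:check fails the
         build when bugs are found (failOnError is true by default). -->
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <version>FINDBUGS_PLUGIN_VERSION</version>
      <configuration>
        <effort>Max</effort>        <!-- deepest analysis -->
        <threshold>Low</threshold>  <!-- report low-confidence findings too -->
        <failOnError>true</failOnError>
      </configuration>
      <executions>
        <execution><phase>verify</phase><goals><goal>check</goal></goals></execution>
      </executions>
    </plugin>
    <!-- PMD: source-level rules. Priority runs 1 (most severe) to 5; the build
         fails on any violation of priority 3 or more severe. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-pmd-plugin</artifactId>
      <version>PMD_PLUGIN_VERSION</version>
      <configuration>
        <failOnViolation>true</failOnViolation>
        <failurePriority>3</failurePriority>
      </configuration>
      <executions>
        <execution><phase>verify</phase><goals><goal>check</goal></goals></execution>
      </executions>
    </plugin>
    <!-- OWASP Dependency-Check: third-party libraries with known CVEs. The
         default failBuildOnCVSS of 11 never fails; 7 fails on high/critical. -->
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>DEPENDENCY_CHECK_VERSION</version>
      <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution><goals><goal>check</goal></goals></execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

A red CI build is then the signal to remediate immediately, the same way a failing unit test is; SonarQube can apply equivalent gating from its dashboard once the analysis results are published there.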


  • Liked Max Saperstone
    keyboard_arrow_down

    Implementing Effective Testing for Behavior Driven Development using Cucumber-JVM

    Max Saperstone
    Max Saperstone
    schedule 2 years ago
    Sold Out!
    60 mins
    Talk
    Intermediate

    Behavior Driven Development allows for high level, plain English tests to be written, and to describe and exercise a system. Unfortunately it is difficult to have these tests encompass all interfaces of a software system, and to reuse them in multiple scenarios. Specifying these tests to run at different levels and times without duplicating work is non-trivial, and frequently produces lots of rework. This presentation will focus on cucumber to provide a robust framework for BDD, but any BDD framework can easily be substituting following guildelines and practices covered in this talk. This is not your typical Cucumber tutorial. We will mostly be focusing on how to utilize Cucumber's flexible structure in combination with the Java language how to write singular tests to run over multiple testing interfaces. This framework will build on the Cucumber basics to provide a generic model that also builds on the standard reports, giving additional information for debugging and traceability purposes. Test runners and inputs will also be discussed, to understand how to create more dynamic testing scenarios.

  • Liked Jeff Nielsen
    keyboard_arrow_down

    The Power of Commitments

    Jeff Nielsen
    Jeff Nielsen
    schedule 2 years ago
    Sold Out!
    60 mins
    Workshop
    Beginner

    Doing what you say you will do, when you say you will do it, is one of the key ways to build a relationship of trust. Conversely, nothing erodes trust more quickly than a couple of missed deadlines or broken promises.

    The ability to make and keep commitments is one of the hallmarks of a true Software Craftsman. Likewise, the most effective teams harness the power of commitment to forge strong and healthy partnerships with their customers. This is a surprisingly rare skill, but one that can be learned and improved.

    In this session we'll look at the different kinds of commitments we make as individuals and teams. We'll distinguish between commitments and predictions. We'll reflect on why we sometimes commit when we shouldn't and vice versa. Most importantly, we'll practice some crucial "commitment conversations." 

  • Liked shentonfreude
    keyboard_arrow_down

    Making a Better Salad: Behavior-Driven Development with Lettuce

    shentonfreude
    shentonfreude
    Paul Boos
    Paul Boos
    schedule 2 years ago
    Sold Out!
    30 mins
    Tutorial
    Intermediate

    Is your organization still using brittle GUI driven-tools to ensure applications can be tested? Do you find these difficult to map to the user stories that describe product owner/business needs? One of the current Agile practices to doing this is Behavior-Driven Development (aka Acceptance Test-Driven Development) and writing user stories and acceptance criteria in a Specifications by Example format.  This has real power in that business people can understand the tests and the delivery team can ensure the code meets the tests, thus they serve as an example.

     

    This tutorial will give a short background on Specs by Example/BDD and the show you how to write such tests in Lettuce.  You will gain a deeper understanding of how you can apply this to writing your applications.

     

  • Liked Dragos Dumitriu
    keyboard_arrow_down

    Why Kanban May Be Your Most Effective Tool for Improving Efficiencies in Operations and Maintenance, Business Process Management, and COTS Implementations

    Dragos Dumitriu
    Dragos Dumitriu
    schedule 2 years ago
    Sold Out!
    60 mins
    Talk
    Intermediate

    Are you finding the demands to your team overwhelming and the process chaotic? Are your customers saying your team takes too long to deliver or that they have no idea what your team is busy doing? Do you have a growing backlog with requests months to years old? Are people with critical skills not available when you need them? Do you feel like priorities are changing all the time? On top of your ever-growing delivery workload, are you able to develop the capabilities of your team?

    The situations above reflect common challenges for software development teams and for IT Organizations in both private and public sectors.  Kanban is being used worldwide as a management method that helps teams pull themselves out of these sinkholes and dramatically reduce work delivery times, increase productivity and improve project visibility. The method’s rapid success is based on its adaptability to existing situations and on its evolutionary capabilities to evolve along with the challenges it must solve. When implemented correctly, it is relatively easy to adopt, encounters minimal resistance to change and quickly enhances morale and trust in organizations.

    This presentation aims to provide an introduction to Kanban core practices and why they work and practical insights into where the method might best fit within your organization or agency.

  • Jeffery Payne
    Jeffery Payne
    schedule 2 years ago
    Sold Out!
    60 mins
    Talk
    Intermediate

    It's a falacy that software built using an agile process cannot be made secure but this statement is often heard.  Reasons given by naysayers often include: Sprints are too short to integrate security analysis, agile doesn't value formalizing the architecture/design and security analysis needs this, and agile doesn't value the types of documentation necessary for security to be validated.  In this presentation, Mr. Payne dispells these myths and discusses an approach for integrating security analysis into an agile development process.  Participants will learn how to identify both bugs and flaws during agile software development and how disciplined continuous integration / continuous delivery significantly assists the security process. Topics discussed within an agile context will include: secure requirements, threat modeling, architectural risk analysis, secure code review, security testing, penetration testing.  Examples of building and deliverying secure software for both commercial and government agencies will be given.