Tuesday, January 29, 2008

Secure Agile Software Engineering with ESAPI

The principles of agile development are revolutionary and have only come to full fruition as computer languages, software engineering tools and software platform paradigms have matured to the depth that we have seen in recent years. But as anyone who works in Application Security well tell you, Software Development is a combat sport and we must continually march to the drumbeat of Better, Faster, Stronger. That new frontier is developing Secure Applications with lightning speed. We are not there yet. But the dawn of the age of secure agile software development is upon us, and the weapon of choice shall be ESAPI. But with such power comes great responsibility and we must continually learn skills anew. This brief article will debunk some of the theories of agile development, but will prepare you for the battle ahead.

Some of the core aspects behind agile development is placing working iterations of applications in front of the customer in a very rapid model similar to the spiral software engineering model. This rapid turnaround (and rapid desires from the customer for change) can allow software analysts to forgo much of the design process of an application. Pre-development design documentation no longer becomes an efficient process when you are iterating so frequently with the customer.

1) Design documentation in a secure agile development life cycle is more efficient when done after the primary live delivery.

Efficiency in the agile process is fundamental. We must be empowered to not only iterate fast, but to do so in a way that is of high quality. The chief architects code and the newest members of our team must be of similar quality, and a junior coder fresh out of school will not do. There are certain lessons that only the heat of battle and years of coding will teach you. For a new recruit, a support role to the team is more appropriate.

2) Junior Programmers do not belong in the core of secure agile development teams

Simplicity is no longer an option. K.I.S.S. died the day the first programmer completed an application that was a combination of J2EE, Hibernate XML mapping, ANT and Tomcat xml configuration, Javascript, SQL, XHTML/DHTML and CSS. The applications being
asked of us web-centric agile programmers are a mesh of 7 or more different programming languages with rich client cross-browser concerns that make even the most hardened C++ programmers weep.

3) We shall expect complexity as the norm and shall build such functionality in reusable well encapsulated abstractions

Our teams are now distributed. Face to face conversations are so - 1990's. We can expect our teams to be scattered all over the world. This new generation of agile warriors will use the free tools of new media to the fullest and will appear to be in the cubical next to yours from 6000 miles away in almost ninja like fashion. The Secure Agile Programmer is an extrovert who gains great satisfaction in clear and constant communication with the customer.

4) We shall expect our teams to be global and have the capacity to maximize Instant Message, Email, VOIP, Audio Chat Rooms and other forms of net communication in a very verbose yet clear way.

Our agile developers are not cowboys, they are elite soldiers with the right tools in hand. Before a agile coder can move fast, the application architecture must be well formed. We cannot build application infrastructure on the fly. That is where ESAPI comes in. ESAPI is the only enterprise Java API that covers all aspects of secure application development. It can be injected in to
any Java architecture. It will minimize the need for security testing when used appropriately. It will save you money, time and present you with a simple and effective way to build Java applications securely from the ground up, the first time.

5) We will have a secure robust architecture in place before we begin the agile process.

All areas of secure coding are covered in ESAPI:

1) Authentication
2) User Management
3) Access Control Abstraction
4) Secure Object Reference
5) Input Validation
6) Output Encoding
7) Encryption
8) Secure HTTPUtilities
9) Random Number Generation
10) Logging with proper Security Considerations
11) Intrusion Detection
12) Secure Configuration

Game on. Join us: ESAPI.org