OWASP 20th Anniversary Event

We owe it to ourselves to ingrain the application security in the software development life cycle (SDLC) to prevent breeches and loss of lives. Agile software development is prevalent in our industry. The backbone of the agile practice is a backlog of stories grouped as an epic which is subsequently implemented as a set of features and stories. A holistic approach to build a secure web application is to include security related personas (actors) and develop stories (use cases) with respect to these personas. A typical set of security persona is a hacker, a security engineer representing the functional security requirements, industry compliance such as PCI, local and federal Government standards as well as any international mandates like GDPR. Once identified, these stories are prioritized in the order of threat using the STRIDE method. They are then developed like any other stories (functional and UX) and validated at different stages using standard practices such as code review, static and dynamic code analysis and penetration testing. By enabling this approach, we are truly shifting the security left in the software development and raising the level of confidence.
Using a web application under development this paper will illustrate how to create application security stories related to the personas, develop acceptance criteria, establish test cases, identify different types of testing at various stages in the SDLC, and create and execute a test plan. It will also discuss the processes and the tools to achieve a high confidence secure application. The audience will learn:
1. How to create a set of stories for security-related personas
2. Build acceptance criteria, security controls, test cases including negative testing, and a test plan
3. Use of tools at different stages of life cycle and how to use the results from these tools to make testing even more efficient
4. Creating an overall more secure web application