Agile Software Development: Don't Forget EVIL User Stories - Revision history

Jmanico: not really a cheatsheet

2011-08-15T18:53:52Z

not really a cheatsheet

Deleted user at 16:49, 24 September 2009

2009-09-24T16:49:12Z

Deleted user at 00:02, 14 September 2009

2009-09-14T00:02:38Z

Wichers at 17:18, 11 August 2009

2009-08-11T17:18:43Z

Deleted user at 13:07, 7 August 2009

2009-08-07T13:07:58Z

Deleted user at 12:40, 7 August 2009

2009-08-07T12:40:15Z

Deleted user at 12:36, 7 August 2009

2009-08-07T12:36:43Z

Deleted user at 20:53, 27 July 2009

2009-07-27T20:53:11Z

Deleted user at 14:27, 8 July 2009

2009-07-08T14:27:13Z

Deleted user at 12:59, 8 July 2009

2009-07-08T12:59:57Z

← Older revision		Revision as of 18:53, 15 August 2011
Line 27:		Line 27:
	[[Category:OWASP Enterprise Security API]]		[[Category:OWASP Enterprise Security API]]
	[[Category:How To]]		[[Category:How To]]
−	~~[[Category:Cheatsheets]]~~

@@ Line 12: / Line 12: @@
 * '''Example #3.''' "As a hacker, I can send bad data in HTTP headers, so I can access data and functions for which I'm not authorized."
-* '''Example #4.''' "As a hacker, I can read and even modify all data input and output by your application, both inside and outside the firewall."
+* '''Example #4.''' "As a hacker, I can read and even modify all data that is input and output by your application."
 The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.

← Older revision		Revision as of 00:02, 14 September 2009
Line 13:		Line 13:

	* '''Example #4.''' "As a hacker, I can read and even modify all data input and output by your application, both inside and outside the firewall."		* '''Example #4.''' "As a hacker, I can read and even modify all data input and output by your application, both inside and outside the firewall."
		+
		+	* '''Example #5.''' "As a user, I will not use your application if you are not taking what I consider adequate measures to protect my data."
		+
		+	* '''Example #6.''' "As a user, I may have legal recourse if a security incident that compromises my data is traced back to your application."

	The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.		The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.

@@ Line 20: / Line 20: @@
 [[Image:Secure-scrum.gif]]
-For more information about how security features such as input validation should work for EVERY single sprint backlog feature, see: http://www.owasp.org/index.php/ASVS
+For more information about how security features such as input validation should work for EVERY single sprint backlog feature, see: [[ASVS | The ASVS Project]]
-For more information about how to build out an enterprise security API, see: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
+For more information about how to build out an enterprise security API, see: [[:Category:OWASP_Enterprise_Security_API | The ESAPI Project]]
 [[Category:OWASP Application Security Verification Standard Project]]

@@ Line 12: / Line 12: @@
 * '''Example #3.''' "As a hacker, I can send bad data in HTTP headers, so I can access data and functions for which I'm not authorized."
-* '''Example #4.''' "As a hacker, I can read all data input and output by your application, both inside and outside the firewall."
+* '''Example #4.''' "As a hacker, I can read and even modify all data input and output by your application, both inside and outside the firewall."
 The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.

← Older revision		Revision as of 12:36, 7 August 2009
Line 11:		Line 11:

	* '''Example #3.''' "As a hacker, I can send bad data in HTTP headers, so I can access data and functions for which I'm not authorized."		* '''Example #3.''' "As a hacker, I can send bad data in HTTP headers, so I can access data and functions for which I'm not authorized."
		+
		+	* '''Example #4.''' "As a hacker, I read all data input and output by your application, both inside and outside the firewall."

	The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.		The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.

@@ Line 6: / Line 6: @@
 How then to hold onto the treadmill rails before jumping on? The first step is to hack the product backlog. How does one "hack" the product backlog? One does this by adding user stories. EVIL user stories. User stories are software requirements expressed conversationally by users. For example: "As an employee, I can search for other employees by their last name". What are evil user stories then? These are evil user stories, perhaps even THE evil user stories:
-* Example #1. "As a hacker, I can send bad data in URLs."
+* '''Example #1.''' "As a hacker, I can send bad data in URLs, so I can access data and functions for which I'm not authorized."
-* Example #2. "As a hacker, I can send bad data in the content of requests."
+* '''Example #2.''' "As a hacker, I can send bad data in the content of requests, so I can access data and functions for which I'm not authorized."
-* Example #3. "As a hacker, I can send bad data in HTTP headers."
+* '''Example #3.''' "As a hacker, I can send bad data in HTTP headers, so I can access data and functions for which I'm not authorized."
 The next step is to whip out your permanent marker forever after when the sprint backlog is being penciled in during sprint planning meetings. Authentication, session management, access control, input validation, output encoding/escaping, cryptography, error handling and logging, data protection, communication security, and HTTP security features will need to be included AS APPLICABLE for EVERY single sprint backlog feature, EVERY sprint.

← Older revision		Revision as of 14:27, 8 July 2009
Line 15:		Line 15:

	The last step is to gate the completion of tasks on the sprint backlog with the successful completion of a security-focused code review. Successfully completing a code review means addressing findings from a code review and then passing a re-review. Hopefully the team member will have been mindful of the need to for example perform input validation for form fields. Hopefully the code reviewer will be able to provide guidance how to make fixes, perhaps even assistance. For example, having a code reviewer build out and maintain an enterprise security API in between sprints is one way code reviewers can help speed up fixes during a sprint, by having a toolkit at the ready for team members to use.		The last step is to gate the completion of tasks on the sprint backlog with the successful completion of a security-focused code review. Successfully completing a code review means addressing findings from a code review and then passing a re-review. Hopefully the team member will have been mindful of the need to for example perform input validation for form fields. Hopefully the code reviewer will be able to provide guidance how to make fixes, perhaps even assistance. For example, having a code reviewer build out and maintain an enterprise security API in between sprints is one way code reviewers can help speed up fixes during a sprint, by having a toolkit at the ready for team members to use.
		+
		+	[[Image:Secure-scrum.gif]]

	For more information about how security features such as input validation should work for EVERY single sprint backlog feature, see: http://www.owasp.org/index.php/ASVS		For more information about how security features such as input validation should work for EVERY single sprint backlog feature, see: http://www.owasp.org/index.php/ASVS

← Older revision		Revision as of 12:59, 8 July 2009
Line 1:		Line 1:
		+	[[Image:Evil-stories.gif\|right]]
	Introducing security-focused code reviews into Agile software development methodologies such as Scrum is not easy. Like stepping onto a moving treadmill, it can be done, but it has to be done carefully.		Introducing security-focused code reviews into Agile software development methodologies such as Scrum is not easy. Like stepping onto a moving treadmill, it can be done, but it has to be done carefully.