Being secure and agile

Transcript

1. Michael Brunton-Spall Lead Security Architect Government Digital Service @bruntonspall

2. Being secure and agile GDS Michael Brunton-Spall GOTO Amsterdam 2016

3. Michael Brunton-Spall @bruntonspall He/His/Him GDS Michael Brunton-Spall

4. Lead Security Architect Cabinet Office UK Government GDS Michael Brunton-Spall

5. I'm from the Government, and I'm here to help GDS

   Michael Brunton-Spall

6. I'm from security, and I'm here to help GDS Michael

   Brunton-Spall

7. The state of security GDS Michael Brunton-Spall

8. Certification
 Accreditation PCI
 ISO27001 GDS Michael Brunton-Spall

9. GDS Michael Brunton-Spall

10. Change control boards GDS Michael Brunton-Spall

11. GDS Michael Brunton-Spall

12. Agile changes everything GDS Michael Brunton-Spall

13. What is agile? GDS Michael Brunton-Spall

14. GDS Michael Brunton-Spall

15. While the things on the right have value GDS Michael

    Brunton-Spall

16. The things on the left have more value GDS Michael

    Brunton-Spall

17. Individuals and interactions over processes and tools GDS Michael Brunton-Spall

18. Working software over comprehensive documentation GDS Michael Brunton-Spall

19. Responding to change over following a plan GDS Michael Brunton-Spall

20. Customer collaboration over contract negotiation GDS Michael Brunton-Spall

21. Contracts, Planning, Documentation, Processes and Tools GDS Michael Brunton-Spall

22. Collaboration, Change, Deliverables, People GDS Michael Brunton-Spall

23. Building software together GDS Michael Brunton-Spall

24. Support and trust GDS Michael Brunton-Spall

25. Simplicity GDS Michael Brunton-Spall

26. Maximising work not done GDS Michael Brunton-Spall

27. "Minimising the lead time for delivering business value" @tastapod GDS

    Michael Brunton-Spall

28. What does this mean today? GDS Michael Brunton-Spall

29. Minimum viable product or service GDS Michael Brunton-Spall

30. Iterate GDS Michael Brunton-Spall

31. Release early, release often GDS Michael Brunton-Spall

32. GDS Michael Brunton-Spall

33. Principles GDS Michael Brunton-Spall

34. Protect personal data GDS Michael Brunton-Spall https://www.cesg.gov.uk/guidance/protecting-bulk-personal-data

35. Security design principles GDS Michael Brunton-Spall https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0

36. 8 Principles of risk management GDS Michael Brunton-Spall https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management

37. Accept uncertainty
 Security as part of the team
 Understand the

    risks GDS Michael Brunton-Spall

38. Trust decision making
 Security is part of everything User experience

    is important GDS Michael Brunton-Spall

39. Audit decisions
 Understand big picture impact GDS Michael Brunton-Spall

40. How does agile help? GDS Michael Brunton-Spall

41. Continual delivery of business value GDS Michael Brunton-Spall

42. Continual acceptance of risk GDS Michael Brunton-Spall

43. Secure Agile Development GDS Michael Brunton-Spall

44. Security must be an enabler of the team GDS Michael

    Brunton-Spall

45. Safety engineering and security engineering GDS Michael Brunton-Spall

46. The unit of delivery is the team GDS Michael Brunton-Spall

47. The unit of decision making is the team GDS Michael

    Brunton-Spall

48. Risk GDS Michael Brunton-Spall

49. Educate the team to the threats GDS Michael Brunton-Spall

50. Keep a running risk log GDS Michael Brunton-Spall

51. Apply risk decisions per story GDS Michael Brunton-Spall

52. Apply controls per story GDS Michael Brunton-Spall

53. Security debt GDS Michael Brunton-Spall

54. Simple systems are more secure GDS Michael Brunton-Spall

55. Choosing the secure method must be the easiest option GDS

    Michael Brunton-Spall

56. Security as an enabler GDS Michael Brunton-Spall

57. Secure Agile Operations GDS Michael Brunton-Spall

58. Infrastructure as code GDS Michael Brunton-Spall

59. GDS Michael Brunton-Spall

60. Infrastructure as testable code GDS Michael Brunton-Spall

61. GDS Michael Brunton-Spall

62. GDS Michael Brunton-Spall

63. Dealing with patches GDS Michael Brunton-Spall

64. What machines are affected? GDS Michael Brunton-Spall

65. GDS Michael Brunton-Spall

66. GDS Michael Brunton-Spall

67. Updating machines in test GDS Michael Brunton-Spall

68. GDS Michael Brunton-Spall

69. Just some machines? GDS Michael Brunton-Spall

70. GDS Michael Brunton-Spall

71. Repeat in production GDS Michael Brunton-Spall

72. What does Agile and DevOps give you? GDS Michael Brunton-Spall

73. Automated Testing GDS Michael Brunton-Spall

74. Infrastructure as code GDS Michael Brunton-Spall

75. Fast repeatable deploys GDS Michael Brunton-Spall

76. Audit logs GDS Michael Brunton-Spall

77. Code review of infrastructure changes GDS Michael Brunton-Spall

78. Confidence! GDS Michael Brunton-Spall

79. Why does that matter? GDS Michael Brunton-Spall

80. Australian Signals Directorate GDS Michael Brunton-Spall http://www.asd.gov.au/publications/protect/top_4_mitigations.htm

81. Application whitelisting GDS Michael Brunton-Spall

82. Patching GDS Michael Brunton-Spall

83. Patching (again) GDS Michael Brunton-Spall

84. Minimise administrative controls GDS Michael Brunton-Spall

85. Done well, agile techniques mean more secure software GDS Michael

    Brunton-Spall

86. We're hiring!
 https://gds.blog.gov.uk/jobs GDS Michael Brunton-Spall

87. Michael Brunton-Spall
 Lead Security Architect Government Digital Service
 @bruntonspall