
Being secure and agile

It's my argument that agile working produces more secure systems than traditional V-model software development. In this presentation, I talk through which agile techniques deliver which security features.

Michael Brunton-Spall

June 15, 2016

Transcript

  1. Michael Brunton-Spall, Lead Security Architect, Government Digital Service, @bruntonspall

  2. Being secure and agile. GDS, Michael Brunton-Spall, GOTO Amsterdam 2016

  3. Michael Brunton-Spall, @bruntonspall, He/His/Him

  4. Lead Security Architect, Cabinet Office, UK Government

  5. I'm from the Government, and I'm here to help

  6. I'm from security, and I'm here to help

  7. The state of security

  8. Certification, Accreditation, PCI, ISO27001

  9. [image slide]

  10. Change control boards

  11. [image slide]

  12. Agile changes everything

  13. What is agile?

  14. [image slide]

  15. While the things on the right have value

  16. The things on the left have more value

  17. Individuals and interactions over processes and tools

  18. Working software over comprehensive documentation

  19. Responding to change over following a plan

  20. Customer collaboration over contract negotiation

  21. Contracts, Planning, Documentation, Processes and Tools

  22. Collaboration, Change, Deliverables, People

  23. Building software together

  24. Support and trust

  25. Simplicity

  26. Maximising work not done

  27. "Minimising the lead time for delivering business value" @tastapod

  28. What does this mean today?

  29. Minimum viable product or service

  30. Iterate

  31. Release early, release often

  32. [image slide]

  33. Principles

  34. Protect personal data: https://www.cesg.gov.uk/guidance/protecting-bulk-personal-data

  35. Security design principles: https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0

  36. 8 Principles of risk management: https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management

  37. Accept uncertainty; Security as part of the team; Understand the risks

  38. Trust decision making; Security is part of everything; User experience is important

  39. Audit decisions; Understand big picture impact

  40. How does agile help?

  41. Continual delivery of business value

  42. Continual acceptance of risk

  43. Secure Agile Development

  44. Security must be an enabler of the team

  45. Safety engineering and security engineering

  46. The unit of delivery is the team

  47. The unit of decision making is the team

  48. Risk

  49. Educate the team to the threats

  50. Keep a running risk log

  51. Apply risk decisions per story

  52. Apply controls per story

  53. Security debt

  54. Simple systems are more secure

  55. Choosing the secure method must be the easiest option

  56. Security as an enabler

  57. Secure Agile Operations

  58. Infrastructure as code

  59. [image slide]

  60. Infrastructure as testable code

  61. [image slide]

  62. [image slide]

  63. Dealing with patches

  64. What machines are affected?

  65. [image slide]

  66. [image slide]

  67. Updating machines in test

  68. [image slide]

  69. Just some machines?

  70. [image slide]

  71. Repeat in production
  72. What do Agile and DevOps give you?

  73. Automated Testing

  74. Infrastructure as code

  75. Fast repeatable deploys

  76. Audit logs

  77. Code review of infrastructure changes

  78. Confidence!

  79. Why does that matter?

  80. Australian Signals Directorate: http://www.asd.gov.au/publications/protect/top_4_mitigations.htm

  81. Application whitelisting

  82. Patching

  83. Patching (again)

  84. Minimise administrative controls

  85. Done well, agile techniques mean more secure software

  86. We're hiring! https://gds.blog.gov.uk/jobs

  87. Michael Brunton-Spall, Lead Security Architect, Government Digital Service, @bruntonspall