Building securely with agile

A talk given at DevOxxUK 2015, covering the principles of how to build software securely while still using agile techniques.

Michael Brunton-Spall

June 19, 2015
Transcript

  2. GDS Michael Brunton-Spall Building securely with agile

  3. I work for the Government Digital Service

  4. Why bother?

  5. What are the threats?

  6. Data loss and theft

  7. Sources: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ http://www.nbcnews.com/id/8985989/#.VQgdgWSsU8Z http://news.bbc.co.uk/1/hi/uk/7103911.stm

  8. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  9. Criminal users on the internet

  10. GameOver/Zeus banking malware

  11. "FBI Fraud Scheme Zeus Trojan" by FBI. Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg

  12. Advanced Persistent Threats

  13. Source: https://www2.fireeye.com/fin4.html

  15. The state of information security

  16. Accreditation, certification, approval to operate

  19. Agile changes everything

  20. A security nightmare!

  21. How can we deal with it?

  22. Principles over rules

  23. The UK Government published 8 principles: https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management

  24. But what do they mean?

  25. Let's get practical

  26. Automated penetration testing

  27. The bare minimum level

  28. Embed security on the team. Audit decisions.

  29. Architecture diagram labelled nginx, Web, UserApi, PaymentApi. https://github.com/bruntonspall/security-workshop https://github.com/continuumsecurity/bdd-security

  30. What about big picture impact?

  31. Component security doesn't matter if there are fundamental exploits in the business process

  32. Most information disclosure risks are in the business process

  33. Can I submit a fake claim if I know someone else's username?

  34. Can we automate this?

  35. Misuse cases

  36. Given the system contains a claim, When a hacker posts their bank details to the payments API using a username, Then the payment should not be sent to the criminal

  37. Given the system contains a claim, When a fraudster updates their account to a real customer's address, Then the payment should not be sent to the criminal

  38. Executed like other user acceptance tests

  39. Gives confidence that a story hasn't had an impact elsewhere

  40. Gives confidence in business process

  41. Example:
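
The two misuse cases from slides 36 and 37, written as runnable acceptance tests. This is an added example, not code from the talk, the security-workshop repository or bdd-security: a single in-memory class stands in for the UserApi/PaymentApi split on the diagram, with two flags that model the weak designs each misuse case is meant to catch (trusting the username in the request body; choosing the payee by address match). All names, session tokens, addresses, bank details and claim rules are constructed assumptions.

```python
"""Misuse cases as executable acceptance tests.  Added example, not code from
the talk; every name, token, address, bank detail and rule is constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Request not allowed for the authenticated user."""


@dataclass
class Account:
    username: str
    address: str
    bank_details: str = ""          # empty until the user sets it


class ClaimsService:
    """In-memory stand-in for the UserApi/PaymentApi split on the slides.
    Two flags model weak designs a story could slip in (both default safe):
      trust_request_username: believe the username in the request body
      pay_by_address: pick the payee by address match, not by claim owner"""

    def __init__(self, *, trust_request_username=False, pay_by_address=False):
        self.accounts = {}          # username -> Account, insertion ordered
        self.sessions = {}          # token -> username
        self.claims = {}            # claim_id -> (owner, address, pence)
        self.trust_request_username = trust_request_username
        self.pay_by_address = pay_by_address

    def register(self, username, address):
        self.accounts[username] = Account(username, address)

    def login(self, username):
        token = "tok-" + username   # constructed; real tokens are random
        self.sessions[token] = username
        return token

    def whoami(self, token):
        if token not in self.sessions:
            raise Forbidden("unknown session")
        return self.sessions[token]

    def update_address(self, token, address):
        self.accounts[self.whoami(token)].address = address

    def file_claim(self, token, claim_id, pence):
        owner = self.whoami(token)
        self.claims[claim_id] = (owner, self.accounts[owner].address, pence)

    def set_bank_details(self, token, username, bank_details):
        caller = self.whoami(token)
        if not self.trust_request_username and caller != username:
            raise Forbidden("you may only set your own bank details")
        self.accounts[username].bank_details = bank_details

    def pay_claim(self, claim_id):
        """Return (payee username, bank details) the money would go to."""
        owner, address, _ = self.claims[claim_id]
        if self.pay_by_address:     # weak: last account at that address wins
            payee = [a for a in self.accounts.values() if a.address == address][-1]
        else:
            payee = self.accounts[owner]
        if not payee.bank_details:
            raise ValueError("payee has no bank details on file")
        return payee.username, payee.bank_details


VICTIM_BANK = "12-34-56 11111111"       # constructed sample data
CRIMINAL_BANK = "99-99-99 66666666"


def given_a_claim(**flags):
    """Given the system contains a claim: alice's, payable to VICTIM_BANK."""
    svc = ClaimsService(**flags)
    svc.register("alice", "1 Victim Street")
    svc.register("mallory", "9 Attacker Lane")
    alice = svc.login("alice")
    svc.set_bank_details(alice, "alice", VICTIM_BANK)
    svc.file_claim(alice, "claim-1", 5000)
    return svc


def misuse_bank_details_by_username(**flags):
    """When a hacker posts their bank details to the payments API using
    alice's username, Then the payment should not be sent to the criminal."""
    svc = given_a_claim(**flags)
    mallory = svc.login("mallory")
    try:
        svc.set_bank_details(mallory, "alice", CRIMINAL_BANK)
    except Forbidden:
        pass                        # a rejected request is the expected path
    return svc.pay_claim("claim-1")


def misuse_address_takeover(**flags):
    """When a fraudster updates their account to a real customer's address,
    Then the payment should not be sent to the criminal."""
    svc = given_a_claim(**flags)
    mallory = svc.login("mallory")
    svc.set_bank_details(mallory, "mallory", CRIMINAL_BANK)
    svc.update_address(mallory, "1 Victim Street")
    return svc.pay_claim("claim-1")


def paid_to_criminal(payee):
    # True when the misuse case succeeded, i.e. the acceptance test must fail
    return payee[1] == CRIMINAL_BANK
```

With the default (safe) flags both cases pay alice's bank details. Turn on `trust_request_username` and the first case pays CRIMINAL_BANK; turn on `pay_by_address` and the second does. That is the regression these tests exist to catch: a story that changes how the payee is chosen breaks the misuse case suite, not the customer.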

  42. But can we do more?

  43. What can we do in an agile team?

  44. Choose a security model that's appropriate

  45. Understand the threats

  46. Educate decision makers about the risks

  47. Make risk decisions on a per-story basis

  48. “Allow user to enter bank details to be paid by bank transfer”

  49. “Add 2 factor authentication to staff login system”

  50. “Allow user to enter multiple holiday periods”

  51. What do you do about the risk?

  52. Don't do it, use cheques instead

  53. Use a banking third party

  54. Just do it

  55. Encrypt bank details on submission using public key cryptography

  56. How to assess the risk?

  57. Record the decision in a log

  58. … probably a wiki

  59. Connect the risk log to the story tracker

  60. When a story is played, the risks get updated

  61. It's clear what the current risk is

  62. You could even automate it!
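
One way to do the automation on slides 57 to 62, as an added example that is not the talk's own tooling: the risk log becomes a small table of decisions keyed by story ID, and each risk's status is computed from which stories the tracker reports as done, so playing a story updates the log without anyone editing a wiki. The story IDs, the risk entries, the status names and the `play_story` helper are constructed assumptions; a real version would read the done set from the tracker's API.

```python
"""A per-story risk log wired to the story tracker.  Added example, not the
talk's own tooling; stories, risks and the 'done' set are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskDecision:
    risk_id: str
    introduced_by: str        # story that creates the risk when played
    description: str
    decision: str             # "accept" or "mitigate"
    mitigated_by: tuple = ()  # stories that must be done to retire the risk


# Constructed log entries, loosely following the stories on slides 48 to 50.
RISK_LOG = (
    RiskDecision("R1", "STORY-12", "Bank details entered by users can be altered",
                 "mitigate", ("STORY-15",)),
    RiskDecision("R2", "STORY-12", "Bank details readable at rest",
                 "mitigate", ("STORY-16",)),
    RiskDecision("R3", "STORY-20", "Staff login protected by password only",
                 "mitigate", ("STORY-21",)),
    RiskDecision("R4", "STORY-30", "Overlapping holiday periods can inflate a claim",
                 "accept"),
)


def risk_status(entry, done_stories):
    """Status of one risk given the set of story IDs the tracker marks done."""
    if entry.introduced_by not in done_stories:
        return "not yet live"
    if entry.decision == "accept":
        return "accepted"
    if entry.mitigated_by and all(s in done_stories for s in entry.mitigated_by):
        return "mitigated"
    return "open"


def current_risk(log, done_stories):
    """Group risk IDs by status: the 'what is the current risk' view."""
    view = {}
    for entry in log:
        view.setdefault(risk_status(entry, done_stories), []).append(entry.risk_id)
    return view


def play_story(log, done_stories, story):
    """Mark a story done; return the new done set and the risks whose status
    changed, so the log is updated at the moment the story is played."""
    before = {e.risk_id: risk_status(e, done_stories) for e in log}
    done_stories = set(done_stories) | {story}
    after = {e.risk_id: risk_status(e, done_stories) for e in log}
    changed = {r: (before[r], after[r]) for r in before if before[r] != after[r]}
    return done_stories, changed
```

A risk stays "open" until every story in its `mitigated_by` list is done, which is what makes a half-delivered mitigation visible; an accepted risk is reported as such rather than silently dropped.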

  63. In summary

  64. We have a duty of care when developing software

  65. Choose the right process for you. Apply some basic principles. Dedicate someone to it. Align security and delivery.

  66. We're still learning, so let us know if this works for you or not

  67. We are of course hiring: gds.blog.gov.uk/jobs

  68. Michael Brunton-Spall, Technical Architect, Government Digital Service. @bruntonspall, mbs@digital.cabinet-office.gov.uk