Building securely with agile

Transcript

1. None

2. GDS Michael Brunton-Spall Building securely with agile

3. GDS Michael Brunton-Spall I work for the Government Digital Service

4. GDS Michael Brunton-Spall Why bother?

5. GDS Michael Brunton-Spall What are the threats?

6. GDS Michael Brunton-Spall Data loss and theft

7. GDS Michael Brunton-Spall 7 GDS Michael Brunton-Spall http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ http://www.nbcnews.com/id/8985989/#.VQgdgWSsU8Z http://news.bbc.co.uk/1/hi/uk/7103911.stm

8. GDS Michael Brunton-Spall 8 GDS Michael Brunton-Spall http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

9. GDS Michael Brunton-Spall Criminal users on the internet

10. GDS Michael Brunton-Spall GameOver/Zeus Banking Malware

11. GDS Michael Brunton-Spall "FBI Fraud Scheme Zeus Trojan" by FBI.

    Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg

12. GDS Michael Brunton-Spall Advanced Persistent Threats

13. GDS Michael Brunton-Spall 13 GDS Michael Brunton-Spall https://www2.fireeye.com/fin4.html

14. None

15. GDS Michael Brunton-Spall The state of information security

16. GDS Michael Brunton-Spall Accreditation Certification Approval to operate

17. GDS Michael Brunton-Spall

18. GDS Michael Brunton-Spall 18 GDS Michael Brunton-Spall

19. GDS Michael Brunton-Spall Agile changes everything

20. GDS Michael Brunton-Spall A security nightmare!

21. GDS Michael Brunton-Spall How can we deal with it?

22. GDS Michael Brunton-Spall Principles over rules

23. GDS Michael Brunton-Spall The UK Government published 8 principles https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management

24. GDS Michael Brunton-Spall But what do they mean?

25. GDS Michael Brunton-Spall Let's get practical

26. GDS Michael Brunton-Spall Automated Penetration Testing

27. GDS Michael Brunton-Spall The bare minimum level

28. GDS Michael Brunton-Spall Embed security on the team Audit decisions

29. GDS Michael Brunton-Spall nginx Web UserApi PaymentApi https://github.com/bruntonspall/security-workshop https://github.com/continuumsecurity/bdd-security

30. GDS Michael Brunton-Spall What about big picture impact?

31. GDS Michael Brunton-Spall Component security doesn't matter if there are

    fundamental exploits in the business process

32. GDS Michael Brunton-Spall Most information disclosure risks are business process

33. GDS Michael Brunton-Spall Can I submit a fake claim if

    I know someone elses username?

34. GDS Michael Brunton-Spall Can we automate this?

35. GDS Michael Brunton-Spall Misuse cases

36. GDS Michael Brunton-Spall Given the system contains a claim When

    a hacker posts their bank details to the payments api using a username Then the payment should not be sent to the criminal

37. GDS Michael Brunton-Spall Given the system contains a claim When

    a fraudster updates their account to a real customers address Then the payment should not be sent to the criminal

38. GDS Michael Brunton-Spall Executed like other user acceptance tests

39. GDS Michael Brunton-Spall Give confidence that a story hasn't had

    an impact elsewhere

40. GDS Michael Brunton-Spall Gives confidence in business process

41. GDS Michael Brunton-Spall Example:

42. GDS Michael Brunton-Spall But can we do more?

43. GDS Michael Brunton-Spall What can we do in an agile

    team?

44. GDS Michael Brunton-Spall Choose security model that's appropriate

45. GDS Michael Brunton-Spall Understand the threats

46. GDS Michael Brunton-Spall Educate decision makers to risks

47. GDS Michael Brunton-Spall Make risk decisions on a per story

    basis

48. GDS Michael Brunton-Spall “Allow user to enter bank details to

    be paid by bank transfer”

49. GDS Michael Brunton-Spall “Add 2 factor authentication to staff login

    system”

50. GDS Michael Brunton-Spall “Allow user to enter multiple holiday periods”

51. GDS Michael Brunton-Spall What do you do about the risk?

52. GDS Michael Brunton-Spall Don't do it, use cheques instead

53. GDS Michael Brunton-Spall Use a banking third party

54. GDS Michael Brunton-Spall Just do it

55. GDS Michael Brunton-Spall Encrypt bank details on submission using public

    key cryptography

56. GDS Michael Brunton-Spall How to assess the risk?

57. GDS Michael Brunton-Spall Record decision in a log

58. GDS Michael Brunton-Spall … probably a wiki

59. GDS Michael Brunton-Spall Connect the risk log to the story

    tracker

60. GDS Michael Brunton-Spall When a story is played, the risks

    get updated

61. GDS Michael Brunton-Spall It's clear what current risk is

62. GDS Michael Brunton-Spall You could even automate it!

63. GDS Michael Brunton-Spall In summary

64. GDS Michael Brunton-Spall We have a duty of care when

    developing software

65. GDS Michael Brunton-Spall Choose the right process for you Apply

    some basic principles Dedicate someone to it Align security and delivery

66. GDS Michael Brunton-Spall We're still learning, so let us know

    if this works for you or not

67. GDS Michael Brunton-Spall We are of course hiring: gds.blog.gov.uk/jobs

68. GDS Michael Brunton-Spall Michael Brunton-Spall Technical Architect Government Digital Service

    @bruntonspall [email protected]