Does agile make us less secure

Organisations adopting agile practices tend to throw out the old practices of requirements gathering, up-front system design and careful analysis in favour of writing code just in time and pushing it into production multiple times per day.

Doesn’t this make us far less secure?

Michael will address this question, talk about the tension between agile and security, and offer ways that you can resolve this tension.

Michael Brunton-Spall

September 27, 2018

Transcript

  1. Does agile make us less secure? Michael Brunton-Spall (@bruntonspall), Agile Cambridge, 27 Sept 2018
  2. Michael Brunton-Spall, He/His/Him, https://tinyletter.com/cyberweekly
  3. Does agile make us less secure?
  4. What is agile?
  5. Individuals and interactions over process and tools
  6. Working software over comprehensive documentation
  7. Customer collaboration over contract negotiation
  8. Responding to change over following a plan
  9. What is Security?
  10. A process for assuring the preservation of confidentiality, integrity and availability of information
  11. A process for assuring the preservation of confidentiality, integrity and availability of information
  12. Process, Documentation, Contracts, Plans
  13. Proposition 1
  14. Security in its current form does not work
  15. 2006
  16. 2010
  17. 2013
  18. 2018
  19. Criminal users on the internet
  20. At least $1.5t a year
  22. https://www.europol.europa.eu/publications-documents/banking-trojans-stone-age-to-space
  23. Platform Capitalism
  24. Cybercrime as a service https://www.bromium.com/resource/into-the-web-of-profit/#
  27. Advanced Persistent Threats
  30. WildNeutron https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
  31. Certification, Accreditation, PCI, ISO27001
  39. Proposition 2
  40. Simple systems are more secure
  41. Complexity theory
  42. Simple systems – A bike
  43. Complicated systems – A car
  44. Complex systems – Traffic
  45. We don't solve motorway congestion by assuring tires
  46. Microservices and security
  47. "Software that can fit in my head" – James Lewis
  48. Small systems focused on one business domain
  49. Business based
  50. Own their own data
  51. Contracts for communication
  52. Agile means building the simplest thing that works
  53. Proposition 3
  54. Security must be an enabler for the team
  55. The unit of delivery is the team
  56. The unit of decision making is the team
  57. "Appoint a suitably senior and empowered decision maker"
  58. Workshop with whole team*
  60. Visible outputs for walls
  61. Threat Actor Personas
  62. Han Solo. Motivation: Han Solo is motivated primarily by money, but also works with the Rebel Alliance. Han is capable of using common tools as well as modifying existing tools on the fly. Han doesn't want to be caught and so makes an effort to avoid head-on confrontations. Capabilities: Resources 2/5, Capability 4/5, Bravery 2/5, Criminal connections 3/5. Connections: Rebel Alliance, Hutts.
  63. Misuse cases
  64. Understand the riskier stories
  65. Applying ISO27001 controls in agile
  66. 4 mechanisms: Avoid, Mitigate, Transfer, Accept
  67. 6 controls: Deter, Prevent, Correct, Recover, Detect, Compensate
  68. Record decisions against stories
  69. Record deferred security debt
  70. Security bugs are not evenly distributed
  71. Product Owner/Service Manager is in control
  72. Proposition 4
  73. Regular releases reduce risk
  76. GOV.UK fixed Heartbleed within approx. 2 hours https://insidegovuk.blog.gov.uk/2014/04/11/govuk-and-the-heartbleed-openssl-bug/
  77. Infrastructure as code
  79. Infrastructure as testable code
  82. Dealing with patches
  83. What machines are affected?
  86. Updating machines in test
  88. Just some machines?
  90. Repeat in production
  91. One Government service released every 6 months
  92. GOV.UK released around 8 times per day
  93. 1 day = 4 years of practice
  94. 4 Propositions
  95. Security in its current form does not work
  96. Simple systems are more secure
  97. Security must be an enabler for the team
  98. Regular releases reduce risk
  99. Agile makes us more secure, not less secure
  100. Michael Brunton-Spall, michael@brunton-spall.co.uk, https://tinyletter.com/cyberweekly