Does agile make us less secure

Transcript

1. Michael Brunton-Spall @bruntonspall Does agile make us less secure? Agile

   Cambridge 27 Sept 2018

2. Michael Brunton-Spall @bruntonspall Michael Brunton-Spall He/His/Him https://tinyletter.com/cyberweekly

3. Michael Brunton-Spall @bruntonspall Does agile make us less secure?

4. Michael Brunton-Spall @bruntonspall What is agile?

5. Michael Brunton-Spall @bruntonspall Individuals and interactions over process and tools

6. Michael Brunton-Spall @bruntonspall Working software over comprehensive documentation

7. Michael Brunton-Spall @bruntonspall Customer collaboration over contract negotiation

8. Michael Brunton-Spall @bruntonspall Responding to change over following a plan

9. Michael Brunton-Spall @bruntonspall What is Security?

10. Michael Brunton-Spall @bruntonspall A process for assuring the preservation of

    confidentiality, integrity and availability of information

11. Michael Brunton-Spall @bruntonspall A process for assuring the preservation of

    confidentiality, integrity and availability of information

12. Michael Brunton-Spall @bruntonspall Process Documentation Contracts Plans

13. Michael Brunton-Spall @bruntonspall Proposition 1

14. Michael Brunton-Spall @bruntonspall Security in its current form does not

    work

15. 27/09/2018 17 Michael Brunton-Spall @bruntonspall 2006

16. 27/09/2018 18 Michael Brunton-Spall @bruntonspall 2010

17. 27/09/2018 19 Michael Brunton-Spall @bruntonspall 2013

18. 27/09/2018 20 Michael Brunton-Spall @bruntonspall 2018

19. Michael Brunton-Spall @bruntonspall Criminal users on the internet

20. Michael Brunton-Spall @bruntonspall At least $1.5t a year

21. Michael Brunton-Spall @bruntonspall

22. Michael Brunton-Spall @bruntonspall https://www.europol.europa.eu/publications-documents/banking-trojans-stone-age-to-space

23. Michael Brunton-Spall @bruntonspall Platform Capitalism

24. Michael Brunton-Spall @bruntonspall Cybercrime as a service https://www.bromium.com/resource/into-the-web-of-profit/#

25. Michael Brunton-Spall @bruntonspall

26. Michael Brunton-Spall @bruntonspall

27. Michael Brunton-Spall @bruntonspall Advanced Persistent Threats

28. Michael Brunton-Spall @bruntonspall

29. Michael Brunton-Spall @bruntonspall

30. Michael Brunton-Spall @bruntonspall WildNeutron https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/

31. Michael Brunton-Spall @bruntonspall Certification Accreditation PCI ISO27001

32. 27/09/2018 34 Michael Brunton-Spall @bruntonspall

33. 27/09/2018 35 Michael Brunton-Spall @bruntonspall

34. 27/09/2018 36 Michael Brunton-Spall @bruntonspall

35. 27/09/2018 37 Michael Brunton-Spall @bruntonspall

36. 27/09/2018 38 Michael Brunton-Spall @bruntonspall

37. 27/09/2018 39 Michael Brunton-Spall @bruntonspall

38. 27/09/2018 40 Michael Brunton-Spall @bruntonspall

39. Michael Brunton-Spall @bruntonspall Proposition 2

40. Michael Brunton-Spall @bruntonspall Simple systems are more secure

41. Michael Brunton-Spall @bruntonspall Complexity theory

42. Michael Brunton-Spall @bruntonspall Simple Systems – A bike

43. Michael Brunton-Spall @bruntonspall Complicated systems – A car

44. Michael Brunton-Spall @bruntonspall Complex Systems - Traffic

45. Michael Brunton-Spall @bruntonspall We don’t solve motorway congestion by assuring

    tires

46. Michael Brunton-Spall @bruntonspall Microservices and security

47. Michael Brunton-Spall @bruntonspall "Software that can fit in my head"

    James Lewis

48. Michael Brunton-Spall @bruntonspall Small systems focused on one business domain

49. Michael Brunton-Spall @bruntonspall Business based

50. Michael Brunton-Spall @bruntonspall Own their own data

51. Michael Brunton-Spall @bruntonspall Contracts for communication

52. Michael Brunton-Spall @bruntonspall Agile means building the simplest thing that

    works

53. Michael Brunton-Spall @bruntonspall Proposition 3

54. Michael Brunton-Spall @bruntonspall Security must be an enabler for the

    team

55. Michael Brunton-Spall @bruntonspall The unit of delivery is the team

56. Michael Brunton-Spall @bruntonspall The unit of decision making is the

    team

57. Michael Brunton-Spall @bruntonspall “Appoint a suitably senior and empowered decision

    maker”

58. Michael Brunton-Spall @bruntonspall Workshop with whole team*

59. 27/09/2018 61 Michael Brunton-Spall @bruntonspall

60. Michael Brunton-Spall @bruntonspall Visible outputs for walls

61. Michael Brunton-Spall @bruntonspall Threat Actor Personas

62. Michael Brunton-Spall @bruntonspall Han Solo Motivation Han Solo is motivated

    primarily by money, but also works with the rebel alliance. Han is capable of using common tools as well as modifying existing tools on the fly Han doesn’t want to be caught and so takes an effort to avoid head on confrontations Capabilities Resources: 2/5 Capability: 4/5 Bravery: 2/5 Criminal connections: 3/5 Connections Rebel Alliance, Hutts

63. Michael Brunton-Spall @bruntonspall Misuse cases

64. Michael Brunton-Spall @bruntonspall Understand the riskier stories

65. Michael Brunton-Spall @bruntonspall Applying ISO27001 controls in agile

66. Michael Brunton-Spall @bruntonspall 4 mechanisms: Avoid, Mitigate, Transfer, Accept

67. Michael Brunton-Spall @bruntonspall 6 Controls: Deter, Prevent, Correct, Recover, Detect,

    Compensate

68. Michael Brunton-Spall @bruntonspall Record decisions against stories

69. Michael Brunton-Spall @bruntonspall Record deferred security debt

70. Michael Brunton-Spall @bruntonspall Security bugs are not evenly distributed

71. Michael Brunton-Spall @bruntonspall Product Owner/Service Manager is in control

72. Michael Brunton-Spall @bruntonspall Proposition 4

73. Michael Brunton-Spall @bruntonspall Regular releases reduces risk

74. Michael Brunton-Spall @bruntonspall

75. Michael Brunton-Spall @bruntonspall

76. Michael Brunton-Spall @bruntonspall GOV.UK fixed Heartbleed within approx 2 hours

    https://insidegovuk.blog.gov.uk/2014/04/11/govuk-and-the-heartbleed-openssl-bug/

77. Michael Brunton-Spall @bruntonspall Infrastructure as code

78. Michael Brunton-Spall @bruntonspall

79. Michael Brunton-Spall @bruntonspall Infrastructure as testable code

80. Michael Brunton-Spall @bruntonspall

81. Michael Brunton-Spall @bruntonspall

82. Michael Brunton-Spall @bruntonspall Dealing with patches

83. Michael Brunton-Spall @bruntonspall What machines are affected?

84. Michael Brunton-Spall @bruntonspall

85. Michael Brunton-Spall @bruntonspall

86. Michael Brunton-Spall @bruntonspall Updating machines in test

87. Michael Brunton-Spall @bruntonspall

88. Michael Brunton-Spall @bruntonspall Just some machines?

89. Michael Brunton-Spall @bruntonspall

90. Michael Brunton-Spall @bruntonspall Repeat in production

91. Michael Brunton-Spall @bruntonspall One Government service released every 6 months

92. Michael Brunton-Spall @bruntonspall GOV.UK released around 8 times per day

93. Michael Brunton-Spall @bruntonspall 1 day = 4 years of practice

94. Michael Brunton-Spall @bruntonspall 4 Propositions

95. Michael Brunton-Spall @bruntonspall Security in its current form does not

    work

96. Michael Brunton-Spall @bruntonspall Simple systems are more secure

97. Michael Brunton-Spall @bruntonspall Security must be an enabler for the

    team

98. Michael Brunton-Spall @bruntonspall Regular releases reduces risk

99. Michael Brunton-Spall @bruntonspall Agile makes us more secure, not less

    secure

100. Michael Brunton-Spall @bruntonspall Michael Brunton-Spall [email protected] https://tinyletter.com/cyberweekly