Slide 1

Michael Brunton-Spall @bruntonspall Does agile make us less secure? Agile Cambridge 27 Sept 2018

Slide 2

Michael Brunton-Spall He/His/Him https://tinyletter.com/cyberweekly

Slide 3

Does agile make us less secure?

Slide 4

What is agile?

Slide 5

Individuals and interactions over process and tools

Slide 6

Working software over comprehensive documentation

Slide 7

Customer collaboration over contract negotiation

Slide 8

Responding to change over following a plan

Slide 9

What is Security?

Slide 10

A process for assuring the preservation of confidentiality, integrity and availability of information

Slide 12

Process, Documentation, Contracts, Plans

Slide 13

Proposition 1

Slide 14

Security in its current form does not work

Slide 15

2006

Slide 16

2010

Slide 17

2013

Slide 18

2018

Slide 19

Criminal users on the internet

Slide 20

At least $1.5t a year

Slide 22

https://www.europol.europa.eu/publications-documents/banking-trojans-stone-age-to-space

Slide 23

Platform Capitalism

Slide 24

Cybercrime as a service https://www.bromium.com/resource/into-the-web-of-profit/#

Slide 27

Advanced Persistent Threats

Slide 30

WildNeutron https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/

Slide 31

Certification, Accreditation, PCI, ISO27001

Slide 39

Proposition 2

Slide 40

Simple systems are more secure

Slide 41

Complexity theory

Slide 42

Simple systems – a bike

Slide 43

Complicated systems – a car

Slide 44

Complex systems – traffic

Slide 45

We don’t solve motorway congestion by assuring tires

Slide 46

Microservices and security

Slide 47

"Software that can fit in my head" (James Lewis)

Slide 48

Small systems focused on one business domain

Slide 49

Business based

Slide 50

Own their own data

Slide 51

Contracts for communication

Slide 52

Agile means building the simplest thing that works

Slide 53

Proposition 3

Slide 54

Security must be an enabler for the team

Slide 55

The unit of delivery is the team

Slide 56

The unit of decision making is the team

Slide 57

“Appoint a suitably senior and empowered decision maker”

Slide 58

Workshop with whole team*

Slide 60

Visible outputs for walls

Slide 61

Threat Actor Personas

Slide 62

Han Solo

Motivation: Han Solo is motivated primarily by money, but also works with the Rebel Alliance. Han is capable of using common tools as well as modifying existing tools on the fly. Han doesn’t want to be caught and so makes an effort to avoid head-on confrontations.

Capabilities: Resources 2/5, Capability 4/5, Bravery 2/5, Criminal connections 3/5

Connections: Rebel Alliance, Hutts

Slide 63

Misuse cases

Slide 64

Understand the riskier stories

Slide 65

Applying ISO27001 controls in agile

Slide 66

4 mechanisms: Avoid, Mitigate, Transfer, Accept

Slide 67

6 controls: Deter, Prevent, Correct, Recover, Detect, Compensate

Slide 68

Record decisions against stories

Slide 69

Record deferred security debt

Slide 70

Security bugs are not evenly distributed

Slide 71

Product Owner/Service Manager is in control

Slide 72

Proposition 4

Slide 73

Regular releases reduce risk

Slide 76

GOV.UK fixed Heartbleed within approx 2 hours https://insidegovuk.blog.gov.uk/2014/04/11/govuk-and-the-heartbleed-openssl-bug/

Slide 77

Infrastructure as code

Slide 79

Infrastructure as testable code

Slide 82

Dealing with patches

Slide 83

What machines are affected?

Slide 86

Updating machines in test

Slide 88

Just some machines?

Slide 90

Repeat in production

Slide 91

One Government service released every 6 months

Slide 92

GOV.UK released around 8 times per day

Slide 93

1 day = 4 years of practice

Slide 94

4 Propositions

Slide 95

Security in its current form does not work

Slide 96

Simple systems are more secure

Slide 97

Security must be an enabler for the team

Slide 98

Regular releases reduce risk

Slide 99

Agile makes us more secure, not less secure

Slide 100

Michael Brunton-Spall [email protected] https://tinyletter.com/cyberweekly