Slide 1

No content

Slide 2

Building securely with agile
Michael Brunton-Spall, GDS

Slide 3

I work for the Government Digital Service

Slide 4

Why bother?

Slide 5

What are the threats?

Slide 6

Data loss and theft

Slide 7

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.nbcnews.com/id/8985989/#.VQgdgWSsU8Z
http://news.bbc.co.uk/1/hi/uk/7103911.stm

Slide 8

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Slide 9

Criminal users on the internet

Slide 10

GameOver/Zeus Banking Malware

Slide 11

"FBI Fraud Scheme Zeus Trojan" by FBI. Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg

Slide 12

Advanced Persistent Threats

Slide 13

https://www2.fireeye.com/fin4.html

Slide 14

No content

Slide 15

The state of information security

Slide 16

Accreditation
Certification
Approval to operate

Slide 17

No content

Slide 18

No content

Slide 19

Agile changes everything

Slide 20

A security nightmare!

Slide 21

How can we deal with it?

Slide 22

Principles over rules

Slide 23

The UK Government published 8 principles
https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management

Slide 24

But what do they mean?

Slide 25

Let's get practical

Slide 26

Automated Penetration Testing

Slide 27

The bare minimum level

Slide 28

Embed security on the team
Audit decisions

Slide 29

nginx
Web
UserApi
PaymentApi
https://github.com/bruntonspall/security-workshop
https://github.com/continuumsecurity/bdd-security

Slide 30

What about big picture impact?

Slide 31

Component security doesn't matter if there are fundamental exploits in the business process

Slide 32

Most information disclosure risks are business process

Slide 33

Can I submit a fake claim if I know someone else's username?

Slide 34

Can we automate this?

Slide 35

Misuse cases

Slide 36

Given the system contains a claim
When a hacker posts their bank details to the payments api using a username
Then the payment should not be sent to the criminal

Slide 37

Given the system contains a claim
When a fraudster updates their account to a real customer's address
Then the payment should not be sent to the criminal

Slide 38

Executed like other user acceptance tests

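The two misuse cases from slides 36 and 37 written as executable tests, as an added example in Go. This is not code from the security-workshop or bdd-security repositories: the in-memory PaymentsAPI, the account and claim records, the usernames and the story of a "session user" versus a "username in the request body" are all constructed for the example. It also includes a deliberately weak payment-routing rule (match by postal address, latest record wins) beside the correct one (pay the claim's owner), so the second misuse case shows a business process that fails the test as well as one that passes it.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden: you may only update your own account")

// Account is a claimant record. Updated is a change counter used to model a
// "latest record wins" matching rule in the weak business process below.
type Account struct {
	Username, Address, BankDetails string
	Updated                        int
}

// Claim belongs to exactly one claimant, identified by username.
type Claim struct{ ID int; Owner string }

// PaymentsAPI is a constructed stand-in for the Web/UserApi/PaymentApi services.
type PaymentsAPI struct {
	Accounts map[string]*Account
	Claims   map[int]*Claim
	clock    int
}

func NewPaymentsAPI() *PaymentsAPI {
	return &PaymentsAPI{Accounts: map[string]*Account{}, Claims: map[int]*Claim{}}
}

func (p *PaymentsAPI) Register(username, address, bank string) {
	p.clock++
	p.Accounts[username] = &Account{username, address, bank, p.clock}
}

func (p *PaymentsAPI) SubmitClaim(id int, owner string) { p.Claims[id] = &Claim{id, owner} }

// PostBankDetails is the endpoint in the first misuse case. The request body
// names a username, but authorization is decided from the authenticated
// session; the body field is never trusted for that decision.
func (p *PaymentsAPI) PostBankDetails(sessionUser, username, bank string) error {
	if sessionUser != username {
		return ErrForbidden
	}
	acc, ok := p.Accounts[username]
	if !ok {
		return errors.New("no such account")
	}
	p.clock++
	acc.BankDetails, acc.Updated = bank, p.clock
	return nil
}

// UpdateAddress changes the caller's own address only.
func (p *PaymentsAPI) UpdateAddress(sessionUser, address string) {
	p.clock++
	acc := p.Accounts[sessionUser]
	acc.Address, acc.Updated = address, p.clock
}

// Router decides which account a claim is paid to: this is the business
// process the misuse cases probe, whatever the security of each component.
type Router func(p *PaymentsAPI, c *Claim) *Account

// RouteByOwner pays the account that owns the claim.
func RouteByOwner(p *PaymentsAPI, c *Claim) *Account { return p.Accounts[c.Owner] }

// RouteByAddress is the weak process: match the claimant's postal address
// against every account and pay the most recently updated match. Any user
// can set their own address to anything, so the match is attacker-controlled.
func RouteByAddress(p *PaymentsAPI, c *Claim) *Account {
	want := p.Accounts[c.Owner].Address
	var best *Account
	for _, a := range p.Accounts {
		if a.Address == want && (best == nil || a.Updated > best.Updated) {
			best = a
		}
	}
	return best
}

func (p *PaymentsAPI) Pay(claimID int, route Router) *Account { return route(p, p.Claims[claimID]) }

// fixture: "Given the system contains a claim" (alice's claim 42), plus a
// second registered user, mallory, who plays the hacker/fraudster.
func fixture() *PaymentsAPI {
	api := NewPaymentsAPI()
	api.Register("alice", "1 High Street", "ALICE-ACCT")
	api.Register("mallory", "9 Back Lane", "MALLORY-ACCT")
	api.SubmitClaim(42, "alice")
	return api
}

// When a hacker posts their bank details to the payments api using a
// username, Then the payment should not be sent to the criminal.
func MisuseCaseBankDetails(route Router) bool {
	api := fixture()
	err := api.PostBankDetails("mallory", "alice", "MALLORY-ACCT") // mallory's session, alice's username
	return errors.Is(err, ErrForbidden) && api.Pay(42, route).BankDetails == "ALICE-ACCT"
}

// When a fraudster updates their account to a real customer's address,
// Then the payment should not be sent to the criminal.
func MisuseCaseAddress(route Router) bool {
	api := fixture()
	api.UpdateAddress("mallory", "1 High Street") // copies alice's address
	return api.Pay(42, route).Username == "alice"
}

func main() {
	fmt.Println(MisuseCaseBankDetails(RouteByOwner), MisuseCaseAddress(RouteByOwner), MisuseCaseAddress(RouteByAddress))
}
```

Note what the address case demonstrates: every component can be individually sound (the address update is correctly authorized; mallory only changes her own record) and the payment still goes to the criminal if the process matches by address. That is the "component security doesn't matter" point from slide 31, and it is exactly the kind of regression a per-story acceptance suite catches when a later story quietly changes how payments are routed.
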
Slide 39

Gives confidence that a story hasn't had an impact elsewhere

Slide 40

Gives confidence in the business process

Slide 41

Example:

Slide 42

But can we do more?

Slide 43

What can we do in an agile team?

Slide 44

Choose a security model that's appropriate

Slide 45

Understand the threats

Slide 46

Educate decision makers about risks

Slide 47

Make risk decisions on a per-story basis

Slide 48

“Allow user to enter bank details to be paid by bank transfer”

Slide 49

“Add 2 factor authentication to staff login system”

Slide 50

“Allow user to enter multiple holiday periods”

Slide 51

What do you do about the risk?

Slide 52

Don't do it, use cheques instead

Slide 53

Use a banking third party

Slide 54

Just do it

Slide 55

Encrypt bank details on submission using public key cryptography

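One way to implement the "encrypt on submission" option from slide 55, as an added example in Go that is not code from the talk or its workshop. The web tier holds only an RSA public key and stores ciphertext; the payment run, the only holder of the private key, decrypts at the moment it pays. The key pair generated in Demo, the OAEP label string and the sample sort code and account number are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// oaepLabel binds a ciphertext to this purpose; decrypting under another label fails.
var oaepLabel = []byte("claimant-bank-details-v1")

// BankDetails is the payload the claimant submits. A sort code plus account number
// is far below the RSA-OAEP limit for a 2048-bit key (190 bytes with SHA-256).
type BankDetails struct {
	SortCode      string `json:"sort_code"`
	AccountNumber string `json:"account_number"`
}

// Submission is all the web tier and its database ever hold.
type Submission struct {
	Owner      string
	Ciphertext []byte
}

// WebTier has the public key and nothing else, so a compromised web server
// or a database dump yields ciphertext, not account numbers.
type WebTier struct {
	pub   *rsa.PublicKey
	Store []Submission
}

// Submit encrypts on receipt; plaintext never reaches storage.
func (w *WebTier) Submit(owner string, d BankDetails) error {
	plain, err := json.Marshal(d)
	if err != nil {
		return err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, plain, oaepLabel)
	if err != nil {
		return err
	}
	w.Store = append(w.Store, Submission{Owner: owner, Ciphertext: ct})
	return nil
}

// PaymentRun is the only component holding the private key. In production it
// lives in an HSM or on a separately controlled host; GenerateKey in Demo is
// only so the example runs stand-alone.
type PaymentRun struct{ priv *rsa.PrivateKey }

func (p *PaymentRun) Decrypt(s Submission) (BankDetails, error) {
	var d BankDetails
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, s.Ciphertext, oaepLabel)
	if err != nil {
		return d, err
	}
	return d, json.Unmarshal(plain, &d)
}

type Result struct {
	Decrypted      BankDetails
	PlaintextInDB  bool // must be false: the stored blob must not contain the number
	TamperRejected bool // must be true: OAEP rejects a modified ciphertext outright
}

// Demo runs one submission through both halves of the system.
func Demo() (Result, error) {
	var r Result
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	web := &WebTier{pub: &priv.PublicKey}
	if err := web.Submit("alice", BankDetails{"12-34-56", "12345678"}); err != nil {
		return r, err
	}
	stored := web.Store[0]
	r.PlaintextInDB = bytes.Contains(stored.Ciphertext, []byte("12345678"))
	run := &PaymentRun{priv: priv}
	if r.Decrypted, err = run.Decrypt(stored); err != nil {
		return r, err
	}
	tampered := Submission{Owner: stored.Owner, Ciphertext: append([]byte(nil), stored.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // flip one bit; Decrypt must fail, not return junk
	_, err = run.Decrypt(tampered)
	r.TamperRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The caveat a practitioner should attach to this risk treatment: it reduces the impact of a database or web-tier compromise (the "data loss and theft" threat), and nothing else. An attacker who can submit through the API still submits their own, validly encrypted, bank details, which is the business-process risk the misuse cases on slides 36 and 37 exist to catch. Encryption on submission and the misuse-case tests address different lines in the risk log.
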
Slide 56

How to assess the risk?

Slide 57

Record the decision in a log

Slide 58

… probably a wiki

Slide 59

Connect the risk log to the story tracker

Slide 60

When a story is played, the risks get updated

Slide 61

It's clear what the current risk is

Slide 62

You could even automate it!

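A risk log connected to a story tracker, as an added example in Go; this is not the talk's or GDS's tooling. The four treatment decisions are the options from slides 52 to 55. The risk entries, story IDs and scoring scale are constructed for the example, and the StoryPlayed hook stands in for whatever webhook or poll a real tracker would provide.

```go
package main

import (
	"fmt"
	"sort"
)

// Decision is one of the four treatments the slides offer for a risk.
type Decision string

const (
	Avoid    Decision = "avoid"    // "Don't do it, use cheques instead"
	Transfer Decision = "transfer" // "Use a banking third party"
	Accept   Decision = "accept"   // "Just do it"
	Mitigate Decision = "mitigate" // "Encrypt bank details on submission ..."
)

// Risk is one log entry. Stories lists the tracker IDs that mitigate it; a
// mitigated risk stays open until every one of them has been played.
type Risk struct {
	ID, Description    string
	Likelihood, Impact int // 1 (low) to 5 (high); constructed scale
	Decision           Decision
	Stories            []string
}

// RiskLog is the "wiki" wired to the story tracker, with an audit trail.
type RiskLog struct {
	Risks  []*Risk
	played map[string]bool
	Audit  []string
}

func NewRiskLog() *RiskLog { return &RiskLog{played: map[string]bool{}} }

// Record writes the decision down with who made it; the log, not the
// conversation, is what an auditor sees later.
func (l *RiskLog) Record(r *Risk, decidedBy string) {
	l.Risks = append(l.Risks, r)
	l.Audit = append(l.Audit, fmt.Sprintf("%s: %s decided to %s (likelihood %d, impact %d)",
		r.ID, decidedBy, r.Decision, r.Likelihood, r.Impact))
}

// Open reports whether a risk still counts toward current exposure. Avoided and
// transferred risks close with the decision; accepted ones stay open on purpose;
// mitigated ones close once every linked story is played.
func (l *RiskLog) Open(r *Risk) bool {
	switch r.Decision {
	case Avoid, Transfer:
		return false
	case Accept:
		return true
	}
	for _, s := range r.Stories {
		if !l.played[s] {
			return true
		}
	}
	return false
}

// StoryPlayed is the hook the tracker calls when a story is done. It returns
// the IDs of risks that closed as a result and notes that in the audit trail.
func (l *RiskLog) StoryPlayed(storyID string) []string {
	before := map[string]bool{}
	for _, r := range l.Risks {
		before[r.ID] = l.Open(r)
	}
	l.played[storyID] = true
	var closed []string
	for _, r := range l.Risks {
		if before[r.ID] && !l.Open(r) {
			closed = append(closed, r.ID)
			l.Audit = append(l.Audit, fmt.Sprintf("%s: closed by story %s", r.ID, storyID))
		}
	}
	return closed
}

// Current lists open risks, highest likelihood x impact first.
func (l *RiskLog) Current() []*Risk {
	var out []*Risk
	for _, r := range l.Risks {
		if l.Open(r) {
			out = append(out, r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Likelihood*out[i].Impact > out[j].Likelihood*out[j].Impact })
	return out
}

// Score sums likelihood x impact over open risks: one number for "current risk".
func (l *RiskLog) Score() int {
	total := 0
	for _, r := range l.Current() {
		total += r.Likelihood * r.Impact
	}
	return total
}

// SampleLog is constructed data built around the bank-details story on slide 48.
func SampleLog() *RiskLog {
	l := NewRiskLog()
	l.Record(&Risk{ID: "R1", Description: "claim payment redirected by posting bank details for another user",
		Likelihood: 4, Impact: 5, Decision: Mitigate, Stories: []string{"S-12", "S-14"}}, "product owner")
	l.Record(&Risk{ID: "R2", Description: "bank details read from a database dump",
		Likelihood: 2, Impact: 5, Decision: Mitigate, Stories: []string{"S-15"}}, "product owner")
	l.Record(&Risk{ID: "R3", Description: "payment sent to a mistyped account number",
		Likelihood: 3, Impact: 2, Decision: Accept}, "service manager")
	return l
}

func main() {
	l := SampleLog()
	fmt.Println("before:", l.Score(), "closed:", l.StoryPlayed("S-12"), l.StoryPlayed("S-14"), "after:", l.Score())
}
```

Two design points worth keeping if you build a real one: a risk linked to several stories must not close when the first of them ships (R1 above needs both its authorization story and its misuse-case test story), and the audit trail should record who decided, not just what, because "audit decisions" on slide 28 is only possible if the decision and its owner were written down at the time.
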
Slide 63

In summary

Slide 64

We have a duty of care when developing software

Slide 65

Choose the right process for you
Apply some basic principles
Dedicate someone to it
Align security and delivery

Slide 66

We're still learning, so let us know if this works for you or not

Slide 67

We are of course hiring: gds.blog.gov.uk/jobs

Slide 68

Michael Brunton-Spall
Technical Architect
Government Digital Service
@bruntonspall
[email protected]