Michael Brunton-Spall, Lead Security Architect, Government Digital Service, @bruntonspall
Being secure and agile
GDS, Michael Brunton-Spall
GOTO Amsterdam 2016
Michael Brunton-Spall, @bruntonspall, He/His/Him
Lead Security Architect, Cabinet Office, UK Government
I'm from the Government, and I'm here to help
I'm from security, and I'm here to help
The state of security
Certification, Accreditation, PCI, ISO 27001
Change control boards
Agile changes everything
What is agile?
While the things on the right have value
The things on the left have more value
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Responding to change over following a plan
Customer collaboration over contract negotiation
Contracts, Planning, Documentation, Processes and Tools
Collaboration, Change, Deliverables, People
Building software together
Support and trust
Simplicity
Maximising work not done
"Minimising the lead time for delivering business value" @tastapod
What does this mean today?
Minimum viable product or service
Iterate
Release early, release often
Principles
Protect personal data
https://www.cesg.gov.uk/guidance/protecting-bulk-personal-data
Security design principles
https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0
8 Principles of risk management
https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management
Accept uncertainty
Security as part of the team
Understand the risks
Trust decision making
Security is part of everything
User experience is important
Audit decisions
Understand big picture impact
How does agile help?
Continual delivery of business value
Continual acceptance of risk
Secure Agile Development
Security must be an enabler of the team
Safety engineering and security engineering
The unit of delivery is the team
The unit of decision making is the team
Risk
Educate the team to the threats
Keep a running risk log
Apply risk decisions per story
Apply controls per story
Security debt
Simple systems are more secure
Choosing the secure method must be the easiest option
Security as an enabler
Secure Agile Operations
Infrastructure as code
Infrastructure as testable code
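One way to make the "infrastructure as testable code" slide concrete, as an added example that is not part of the talk or of any GDS tooling: a declarative firewall/security-group definition (a constructed dict whose shape is an assumption for this example, not any real tool's format) is checked against a small policy before it is applied, exactly as unit tests run against application code on every commit. The policy here is that only HTTP/HTTPS may be reachable from the whole internet, and management or database ports may only be reachable from RFC 1918 address space.

```python
"""Added example: policy tests over an infrastructure definition.

Not code from the talk. The rule format and the two sample security groups are
constructed for illustration; a real pipeline would load them from the
infrastructure-as-code repository and run these checks in CI before deployment.
"""
import ipaddress

# Constructed sample: ingress rules for two security groups.
SAMPLE_INFRA = {
    "web-sg": [
        {"port": 443, "proto": "tcp", "source": "0.0.0.0/0"},
        {"port": 80, "proto": "tcp", "source": "0.0.0.0/0"},
    ],
    "admin-sg": [
        {"port": 22, "proto": "tcp", "source": "0.0.0.0/0"},         # SSH open to the world
        {"port": 5432, "proto": "tcp", "source": "10.0.0.0/8"},      # database from the private range only
        {"port": 3389, "proto": "tcp", "source": "203.0.113.0/24"},  # RDP from a non-private (documentation) range
    ],
}

# The same definition after the violations have been corrected.
FIXED_INFRA = {
    "web-sg": SAMPLE_INFRA["web-sg"],
    "admin-sg": [
        {"port": 22, "proto": "tcp", "source": "10.0.0.0/8"},
        {"port": 5432, "proto": "tcp", "source": "10.0.0.0/8"},
    ],
}

PUBLIC_PORTS = {80, 443}        # the only ports allowed to be reachable from anywhere
ADMIN_PORTS = {22, 3389, 5432}  # management and database ports: private address space only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_world(cidr):
    """True for a source that matches every address (a /0 prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_rfc1918(cidr):
    """True when the whole source range sits inside one of the RFC 1918 private networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def check_rules(infra):
    """Return a list of (group, port, reason) policy violations; an empty list means the definition passes."""
    violations = []
    for group, rules in infra.items():
        for rule in rules:
            port, source = rule["port"], rule["source"]
            if is_world(source) and port not in PUBLIC_PORTS:
                violations.append((group, port, "exposed to the whole internet"))
            elif port in ADMIN_PORTS and not is_rfc1918(source):
                violations.append((group, port, "admin port reachable from a non-private range"))
    return violations


def assert_secure(infra):
    """Fail the build with a readable message when any rule violates policy."""
    violations = check_rules(infra)
    if violations:
        detail = "; ".join(f"{g}: port {p} {why}" for g, p, why in violations)
        raise AssertionError(f"infrastructure policy violations: {detail}")


if __name__ == "__main__":
    for name, infra in (("sample", SAMPLE_INFRA), ("fixed", FIXED_INFRA)):
        try:
            assert_secure(infra)
            print(f"{name}: pass")
        except AssertionError as err:
            print(f"{name}: {err}")
```

Running the block reports the two problems in the sample definition (SSH from anywhere, RDP from outside the private range) and a pass for the corrected one. Because the check is ordinary code, it can be reviewed, versioned and run on every change alongside the infrastructure it protects, which is what turns a change-control board into an automated gate.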
Dealing with patches
What machines are affected?
Updating machines in test
Just some machines?
Repeat in production
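The four "Dealing with patches" slides describe one procedure: find out which machines are affected, update the test machines, update just some production machines, then repeat across production. As an added example that is not from the talk, the block below walks through that procedure over a constructed host inventory of the kind a configuration-management tool would hold. The package name, versions and advisory are made up for illustration, and version comparison is a simplified dotted-integer comparison (real distribution versions need dpkg or rpm comparison rules).

```python
"""Added example: staged patch rollout driven by an inventory.

Not code from the talk. INVENTORY and ADVISORY are constructed sample data;
in practice the inventory comes from configuration management and the
advisory from the vendor's security notice.
"""
import copy

# Constructed inventory: hostname -> environment and installed package versions.
INVENTORY = {
    "web-test-1": {"env": "test", "packages": {"libfoo": "2.4.1", "nginx": "1.10.0"}},
    "web-prod-1": {"env": "production", "packages": {"libfoo": "2.4.1", "nginx": "1.10.0"}},
    "web-prod-2": {"env": "production", "packages": {"libfoo": "2.4.3", "nginx": "1.10.0"}},
    "web-prod-3": {"env": "production", "packages": {"libfoo": "2.3.9", "nginx": "1.10.0"}},
    "db-prod-1": {"env": "production", "packages": {"postgresql": "9.5.3"}},
}

# Constructed advisory: the vulnerable package and the first fixed version.
ADVISORY = {"package": "libfoo", "fixed_in": "2.4.3"}


def parse_version(version):
    """Simplified dotted-integer version key; not a substitute for dpkg/rpm comparison."""
    return tuple(int(part) for part in version.split("."))


def affected_hosts(inventory, advisory):
    """Step 1: hosts running the advisory's package at a version older than the fix."""
    pkg = advisory["package"]
    fixed = parse_version(advisory["fixed_in"])
    return sorted(
        host for host, info in inventory.items()
        if pkg in info["packages"] and parse_version(info["packages"][pkg]) < fixed
    )


def rollout_plan(inventory, hosts, canary_size=1):
    """Steps 2-4: all test hosts first, then a small production canary, then the rest."""
    test = [h for h in hosts if inventory[h]["env"] == "test"]
    prod = [h for h in hosts if inventory[h]["env"] == "production"]
    return {"test": test, "canary": prod[:canary_size], "production": prod[canary_size:]}


def apply_patch(inventory, host, advisory):
    """Return a copy of the inventory with the host's package moved to the fixed version."""
    updated = copy.deepcopy(inventory)
    updated[host]["packages"][advisory["package"]] = advisory["fixed_in"]
    return updated


def run_rollout(inventory, advisory):
    """Drive the whole procedure and return (stages executed, hosts still affected)."""
    plan = rollout_plan(inventory, affected_hosts(inventory, advisory))
    for stage in ("test", "canary", "production"):
        for host in plan[stage]:
            inventory = apply_patch(inventory, host, advisory)
        # Re-run the "what is affected?" query after each stage; stop if the stage
        # left any of its own hosts unpatched rather than pressing on to the next one.
        remaining = affected_hosts(inventory, advisory)
        if any(h in remaining for h in plan[stage]):
            return plan, remaining
    return plan, affected_hosts(inventory, advisory)


if __name__ == "__main__":
    print("affected:", affected_hosts(INVENTORY, ADVISORY))
    plan, remaining = run_rollout(INVENTORY, ADVISORY)
    for stage, hosts in plan.items():
        print(f"{stage}: {hosts}")
    print("still affected after rollout:", remaining)
```

The point of the example is the loop structure rather than the sample data: the same inventory query that answers "what machines are affected?" is re-run after each stage, so the rollout is verified by the tooling rather than by someone remembering which boxes were done, and it gives the audit log the talk later mentions.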
What do Agile and DevOps give you?
Automated Testing
Infrastructure as code
Fast repeatable deploys
Audit logs
Code review of infrastructure changes
Confidence!
Why does that matter?
Australian Signals Directorate
http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
Application whitelisting
Patching
Patching (again)
Minimise administrative controls
Done well, agile techniques mean more secure software
We're hiring! https://gds.blog.gov.uk/jobs
Michael Brunton-Spall, Lead Security Architect, Government Digital Service, @bruntonspall