Does agile make us less secure? Security in a post devops world YOW! Sydney 2019 Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall He/His/Him michael@bruntonspall.com Michael Brunton-Spall Bruntonspall Ltd
The second most scariest words in the English language Michael Brunton-Spall Bruntonspall Ltd
The second most scariest words in the English language “Hi, I’m from the Government and I’m here to help” Michael Brunton-Spall Bruntonspall Ltd
The scariest words in the English language? Michael Brunton-Spall Bruntonspall Ltd
The scariest words in the English language? “Hi, I’m from security and I’m here to help” Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
https://cyberweekly.net Michael Brunton-Spall Bruntonspall Ltd
Why is security evolving Where we’ve come from Where we are going Michael Brunton-Spall Bruntonspall Ltd
How to rethink security practices in organisations Michael Brunton-Spall Bruntonspall Ltd
Some Context Michael Brunton-Spall Bruntonspall Ltd
2006 Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 12
2010 Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 13
2013 Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 14
2015 Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 15
2019 Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 16
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 21
Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 22
Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 23
Michael Brunton-Spall Bruntonspall Ltd 06/12/2019 24
Michael Brunton-Spall Bruntonspall Ltd
Maginot Line
1930 France Michael Brunton-Spall Bruntonspall Ltd
“We’d really like Germany not to invade us” Michael Brunton-Spall Bruntonspall Ltd
In WW1, they came slowly overland and built trenches Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
The Germans had invented Blitzkrieg “Lightning Strike” which simply went around Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
The French were fighting a war from 1920 against an adversary using 1939 techniques Michael Brunton-Spall Bruntonspall Ltd
Evolution
Michael Brunton-Spall Bruntonspall Ltd
Custom built minicomputer Michael Brunton-Spall Bruntonspall Ltd
Servers in data center Michael Brunton-Spall Bruntonspall Ltd
Colocated servers Michael Brunton-Spall Bruntonspall Ltd
Virtual private servers Michael Brunton-Spall Bruntonspall Ltd
Virtual machines at scale Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Why Wardley Maps? Michael Brunton-Spall Bruntonspall Ltd
We can see changing landscapes Michael Brunton-Spall Bruntonspall Ltd
We can discuss strategies Michael Brunton-Spall Bruntonspall Ltd
A map isn’t reality, it’s just an abstraction Michael Brunton-Spall Bruntonspall Ltd
Things evolve Michael Brunton-Spall Bruntonspall Ltd
As servers move from physical to virtual, single to multiple, practice evolves Michael Brunton-Spall Bruntonspall Ltd
Coevolution of product and practice
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
How do we administer servers? Michael Brunton-Spall Bruntonspall Ltd
Worries about hard drives, CPU’s, power etc Michael Brunton-Spall Bruntonspall Ltd
Cloud providers give us abstractions Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
We stop worrying about whether a hard drive fails in a server Michael Brunton-Spall Bruntonspall Ltd
This results in changing operations practice Michael Brunton-Spall Bruntonspall Ltd
DevOps, SRE Michael Brunton-Spall Bruntonspall Ltd
This results in different developer consumption of operations Michael Brunton-Spall Bruntonspall Ltd
Kubernetes, Serverless Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
What does this mean for security? Michael Brunton-Spall Bruntonspall Ltd
How we think about security has to change Michael Brunton-Spall Bruntonspall Ltd
Security practices have to evolve Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Traditional security is about assurance Michael Brunton-Spall Bruntonspall Ltd
Where will my data sit Michael Brunton-Spall Bruntonspall Ltd
Where does the data go Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
This works when you have individual servers Michael Brunton-Spall Bruntonspall Ltd
This doesn’t work with modern cloud Michael Brunton-Spall Bruntonspall Ltd
This doesn’t work th the e same same with modern cloud Michael Brunton-Spall Bruntonspall Ltd
Security is currently fighting a war from a decade ago Michael Brunton-Spall Bruntonspall Ltd
Mapping Security
Michael Brunton-Spall Bruntonspall Ltd
“Skate to where the puck is going, not where it has been” Wayne Gretsky Michael Brunton-Spall Bruntonspall Ltd
Where the puck was yesterday Michael Brunton-Spall Bruntonspall Ltd
What are solved problems? Michael Brunton-Spall Bruntonspall Ltd
Commonly solved the same way Michael Brunton-Spall Bruntonspall Ltd
Productionised processes Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
SDLC, Assurance of suppliers, network assurance, hardware assurance Michael Brunton-Spall Bruntonspall Ltd
All cloud customers have similar concerns in this area Michael Brunton-Spall Bruntonspall Ltd
Buy don’t Build Michael Brunton-Spall Bruntonspall Ltd
Compliance via certificates ISO27001, CSA, ISO27017, SOC, FISMA, HIPAA … Michael Brunton-Spall Bruntonspall Ltd
Where the puck is today Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
Continuous Integration, Continuous Deployment, DevOps Michael Brunton-Spall Bruntonspall Ltd
Patching Michael Brunton-Spall Bruntonspall Ltd
How quickly can you patch? Michael Brunton-Spall Bruntonspall Ltd
DevOps Michael Brunton-Spall Bruntonspall Ltd
How secure is your code? Michael Brunton-Spall Bruntonspall Ltd
Code review and Pull requests Michael Brunton-Spall Bruntonspall Ltd
Staff identity and single sign on Michael Brunton-Spall Bruntonspall Ltd
Zero Trust Networking Michael Brunton-Spall Bruntonspall Ltd
Michael Brunton-Spall Bruntonspall Ltd
But where is the puck going? Michael Brunton-Spall Bruntonspall Ltd
Recommend
More recommend
![Bibliography [Agile Alliance2001] Agile Alliance, Principles: The Agile Alliance (2001),](https://c.sambuz.com/850124/bibliography-agile-alliance2001-agile-alliance-principles-s.jpg)
