SLIDE 1
Being secure and agile
GDS Michael Brunton-Spall
Michael Brunton-Spall Lead Security Architect Government Digital - - PowerPoint PPT Presentation
Michael Brunton-Spall Lead Security Architect Government Digital - - PowerPoint PPT Presentation
Michael Brunton-Spall Lead Security Architect Government Digital Service @bruntonspall Being secure and agile GOTO Amsterdam 2016 Michael Brunton-Spall GDS Michael Brunton-Spall @bruntonspall He/His/Him Michael Brunton-Spall GDS Lead
SLIDE 2
SLIDE 3
Michael Brunton-Spall @bruntonspall He/His/Him
GDS Michael Brunton-Spall
SLIDE 4
Lead Security Architect Cabinet Office UK Government
GDS Michael Brunton-Spall
SLIDE 5
I'm from the Government, and I'm here to help
GDS Michael Brunton-Spall
SLIDE 6
I'm from security, and I'm here to help
GDS Michael Brunton-Spall
SLIDE 7
The state of security
GDS Michael Brunton-Spall
SLIDE 8
Certification Accreditation PCI ISO27001
GDS Michael Brunton-Spall
SLIDE 9
GDS Michael Brunton-Spall
SLIDE 10
Change control boards
GDS Michael Brunton-Spall
SLIDE 11
GDS Michael Brunton-Spall
SLIDE 12
Agile changes everything
GDS Michael Brunton-Spall
SLIDE 13
What is agile?
GDS Michael Brunton-Spall
SLIDE 14
GDS Michael Brunton-Spall
SLIDE 15
While the things on the right have value
GDS Michael Brunton-Spall
SLIDE 16
The things on the left have more value
GDS Michael Brunton-Spall
SLIDE 17
Individuals and interactions over processes and tools
GDS Michael Brunton-Spall
SLIDE 18
Working software over comprehensive documentation
GDS Michael Brunton-Spall
SLIDE 19
Responding to change
- ver following a plan
GDS Michael Brunton-Spall
SLIDE 20
Customer collaboration
- ver contract negotiation
GDS Michael Brunton-Spall
SLIDE 21
Contracts, Planning, Documentation, Processes and Tools
GDS Michael Brunton-Spall
SLIDE 22
Collaboration, Change, Deliverables, People
GDS Michael Brunton-Spall
SLIDE 23
Building software together
GDS Michael Brunton-Spall
SLIDE 24
Support and trust
GDS Michael Brunton-Spall
SLIDE 25
Simplicity
GDS Michael Brunton-Spall
SLIDE 26
Maximising work not done
GDS Michael Brunton-Spall
SLIDE 27
"Minimising the lead time for delivering business value" @tastapod
GDS Michael Brunton-Spall
SLIDE 28
What does this mean today?
GDS Michael Brunton-Spall
SLIDE 29
Minimum viable product or service
GDS Michael Brunton-Spall
SLIDE 30
Iterate
GDS Michael Brunton-Spall
SLIDE 31
Release early, release often
GDS Michael Brunton-Spall
SLIDE 32
GDS Michael Brunton-Spall
SLIDE 33
Principles
GDS Michael Brunton-Spall
SLIDE 34
Protect personal data
GDS Michael Brunton-Spall
https://www.cesg.gov.uk/guidance/protecting-bulk-personal-data
SLIDE 35
Security design principles
GDS Michael Brunton-Spall
https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0
SLIDE 36
8 Principles of risk management
GDS Michael Brunton-Spall
https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management
SLIDE 37
Accept uncertainty Security as part of the team Understand the risks
GDS Michael Brunton-Spall
SLIDE 38
Trust decision making Security is part of everything User experience is important
GDS Michael Brunton-Spall
SLIDE 39
Audit decisions Understand big picture impact
GDS Michael Brunton-Spall
SLIDE 40
How does agile help?
GDS Michael Brunton-Spall
SLIDE 41
Continual delivery of business value
GDS Michael Brunton-Spall
SLIDE 42
Continual acceptance
- f risk
GDS Michael Brunton-Spall
SLIDE 43
Secure Agile Development
GDS Michael Brunton-Spall
SLIDE 44
Security must be an enabler of the team
GDS Michael Brunton-Spall
SLIDE 45
Safety engineering and security engineering
GDS Michael Brunton-Spall
SLIDE 46
The unit of delivery is the team
GDS Michael Brunton-Spall
SLIDE 47
The unit of decision making is the team
GDS Michael Brunton-Spall
SLIDE 48
Risk
GDS Michael Brunton-Spall
SLIDE 49
Educate the team to the threats
GDS Michael Brunton-Spall
SLIDE 50
Keep a running risk log
GDS Michael Brunton-Spall
SLIDE 51
Apply risk decisions per story
GDS Michael Brunton-Spall
SLIDE 52
Apply controls per story
GDS Michael Brunton-Spall
SLIDE 53
Security debt
GDS Michael Brunton-Spall
SLIDE 54
Simple systems are more secure
GDS Michael Brunton-Spall
SLIDE 55
Choosing the secure method must be the easiest option
GDS Michael Brunton-Spall
SLIDE 56
Security as an enabler
GDS Michael Brunton-Spall
SLIDE 57
Secure Agile Operations
GDS Michael Brunton-Spall
SLIDE 58
Infrastructure as code
GDS Michael Brunton-Spall
SLIDE 59
GDS Michael Brunton-Spall
SLIDE 60
Infrastructure as testable code
GDS Michael Brunton-Spall
SLIDE 61
GDS Michael Brunton-Spall
SLIDE 62
GDS Michael Brunton-Spall
SLIDE 63
Dealing with patches
GDS Michael Brunton-Spall
SLIDE 64
What machines are affected?
GDS Michael Brunton-Spall
SLIDE 65
GDS Michael Brunton-Spall
SLIDE 66
GDS Michael Brunton-Spall
SLIDE 67
Updating machines in test
GDS Michael Brunton-Spall
SLIDE 68
GDS Michael Brunton-Spall
SLIDE 69
Just some machines?
GDS Michael Brunton-Spall
SLIDE 70
GDS Michael Brunton-Spall
SLIDE 71
Repeat in production
GDS Michael Brunton-Spall
SLIDE 72
What does Agile and DevOps give you?
GDS Michael Brunton-Spall
SLIDE 73
Automated Testing
GDS Michael Brunton-Spall
SLIDE 74
Infrastructure as code
GDS Michael Brunton-Spall
SLIDE 75
Fast repeatable deploys
GDS Michael Brunton-Spall
SLIDE 76
Audit logs
GDS Michael Brunton-Spall
SLIDE 77
Code review of infrastructure changes
GDS Michael Brunton-Spall
SLIDE 78
Confidence!
GDS Michael Brunton-Spall
SLIDE 79
Why does that matter?
GDS Michael Brunton-Spall
SLIDE 80
Australian Signals Directorate
GDS Michael Brunton-Spall
http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
SLIDE 81
Application whitelisting
GDS Michael Brunton-Spall
SLIDE 82
Patching
GDS Michael Brunton-Spall
SLIDE 83
Patching (again)
GDS Michael Brunton-Spall
SLIDE 84
Minimise administrative controls
GDS Michael Brunton-Spall
SLIDE 85
Done well, agile techniques mean more secure software
GDS Michael Brunton-Spall
SLIDE 86
We're hiring! https://gds.blog.gov.uk/jobs
GDS Michael Brunton-Spall
SLIDE 87