When devops meets security Michael Brunton-Spall I'm from the - - PowerPoint PPT Presentation

SLIDE 1

SLIDE 2

When devops meets security

Michael Brunton-Spall

SLIDE 3

“I'm from the Government and I'm here to help”

SLIDE 4

“I'm from security and I'm here to help”

SLIDE 5

Government Digital Service

SLIDE 6

Simpler, Clearer, Faster

SLIDE 7

The state of information security in 2015

SLIDE 8

BS7799-1:1999

SLIDE 9

ISO27001:2005

SLIDE 10

Approval to operate

SLIDE 11

Accreditation

SLIDE 12

Certification

SLIDE 13

PCI

SLIDE 14

What does this look like?

SLIDE 15

Traditional model

SLIDE 16

Pipeline stages: Idea, Design, Code, Test, Production
Security activities: Risk Analysis, Design Review, Code Review, Penetration Test

SLIDE 17

How do we deal with changes?

SLIDE 18

SLIDE 19

Agile changes everything

SLIDE 20

Only do what's needed now

SLIDE 21

Release It!

SLIDE 22

MVP and iterate

SLIDE 23

Focus on flow and cycle time

SLIDE 24

A security nightmare!

SLIDE 25

A brave new world for security

SLIDE 26

Security needs to be an enabler

SLIDE 27

We reviewed agile projects across government

SLIDE 28

Biggest consistent finding?

SLIDE 29

There is no consistency

SLIDE 30

Most teams don't know how to do this

SLIDE 31

So what can we do?

SLIDE 32

Principles over rules

SLIDE 33

The UK Government published 8 principles

SLIDE 34

1 - Accept uncertainty

SLIDE 35

2 - Security as part of the team

SLIDE 36

3 - Understand the risks

SLIDE 37

4 - Trust decision making

SLIDE 38

5 - Security is part of everything

SLIDE 39

6 - User experience is important

SLIDE 40

7 - Audit decisions

SLIDE 41

8 - Understand big picture impact

SLIDE 42

But what does that mean?

SLIDE 43

Imagine a new project

SLIDE 44

Choose security model that's appropriate

SLIDE 45

At project inception

SLIDE 46

Understand the threats

SLIDE 47

Educate decision makers to risks

SLIDE 48

Make risk decisions, per story, in the team

SLIDE 49

What do you do about it?

SLIDE 50

Avoid

SLIDE 51

Transfer

SLIDE 52

Accept

SLIDE 53

Mitigate

SLIDE 54

Temporarily Accept

SLIDE 55

What sort of controls might we use?

SLIDE 56

Active countermeasures

SLIDE 57

Deter, Detect, Prevent

SLIDE 58

Reactive countermeasures

SLIDE 59

Correct, Respond, Recover

SLIDE 60

Traditional security people understand this

SLIDE 61

But there's more

SLIDE 62

Anti-personas

SLIDE 63

Misuse cases

SLIDE 64

Attack trees

SLIDE 65

https://www.schneier.com/paper-secure-methodology.pdf

SLIDE 66

Red teams

SLIDE 67

Automated penetration testing

SLIDE 68

Automated, Integrated, Repeatable

SLIDE 69

SLIDE 70

Thanks!