When devops meets security

Michael Brunton-Spall


  1. When devops meets security Michael Brunton-Spall

  2. "I'm from the Government and I'm here to help"

  3. "I'm from security and I'm here to help"

  4. Government Digital Service

  5. Simpler, Clearer, Faster

  6. The state of information security in 2015

  7. BS7799-1:1999

  8. ISO27001:2005

  9. Approval to operate

  10. Accreditation

  11. Certification

  12. PCI

  13. What does this look like?

  14. Traditional model

  15. Delivery track: Idea → Design → Code → Test → Production. Parallel security track: Risk Analysis → Design Review → Code Review → Penetration Test

  16. How do we deal with changes?

  17. Agile changes everything

  18. Only do what's needed now

  19. Release It!

  20. MVP and iterate

  21. Focus on flow and cycle time

  22. A security nightmare!

  23. A brave new world for security

  24. Security needs to be an enabler

  25. We reviewed agile projects across government

  26. Biggest consistent finding?

  27. There is no consistency

  28. Most teams don't know how to do this

  29. So what can we do?

  30. Principles over rules

  31. The UK Government published 8 principles

  32. 1 - Accept uncertainty

  33. 2 - Security as part of the team

  34. 3 - Understand the risks

  35. 4 - Trust decision making

  36. 5 - Security is part of everything

  37. 6 - User experience is important

  38. 7 - Audit decisions

  39. 8 - Understand big picture impact

  40. But what does that mean?

  41. Imagine a new project

  42. Choose security model that's appropriate

  43. At project inception

  44. Understand the threats

  45. Educate decision makers to risks

  46. Make risk decisions, per story, in the team

  47. What do you do about it?

  48. Avoid

  49. Transfer

  50. Accept

  51. Mitigate

  52. Temporarily Accept

  53. What sort of controls might we use?

  54. Active countermeasures

  55. Deter, Detect, Prevent

  56. Reactive countermeasures

  57. Correct, Respond, Recover

  58. Traditional security people understand this

  59. But there's more

  60. Anti-personas

  61. Misuse cases

  62. Attack trees

  63. https://www.schneier.com/paper-secure-methodology.pdf

  64. Red teams

  65. Automated penetration testing

  66. Automated, Integrated, Repeatable

  67. Thanks!
