Page 1
Michael Brunton-Spall
Lead Security Architect
Government Digital Service
@bruntonspall
Page 2
Being secure and agile
GDS, Michael Brunton-Spall
GOTO Amsterdam 2016
Page 3
Michael Brunton-Spall
@bruntonspall
He/His/Him
Page 4
Lead Security Architect
Cabinet Office
UK Government
Page 5
I'm from the Government, and I'm here to help
Page 6
I'm from security, and I'm here to help
Page 7
The state of security
Page 8
Certification
Accreditation
PCI
ISO27001
Page 9
Page 10
Change control boards
Page 11
Page 12
Agile changes everything
Page 13
What is agile?
Page 14
Page 15
While the things on the right have value
Page 16
The things on the left have more value
Page 17
Individuals and interactions over processes and tools
Page 18
Working software over comprehensive documentation
Page 19
Responding to change over following a plan
Page 20
Customer collaboration over contract negotiation
Page 21
Contracts, Planning, Documentation, Processes and Tools
Page 22
Collaboration, Change, Deliverables, People
Page 23
Building software together
Page 24
Support and trust
Page 25
Simplicity
Page 26
Maximising work not done
Page 27
"Minimising the lead time for delivering business value" @tastapod
Page 28
What does this mean today?
Page 29
Minimum viable product or service
Page 30
Iterate
Page 31
Release early, release often
Page 32
Page 33
Principles
Page 34
Protect personal data
https://www.cesg.gov.uk/guidance/protecting-bulk-personal-data
Page 35
Security design principles
https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0
Page 36
8 Principles of risk management
https://www.gov.uk/government/publications/principles-of-effective-cyber-security-risk-management
Page 37
Accept uncertainty
Security as part of the team
Understand the risks
Page 38
Trust decision making
Security is part of everything
User experience is important
Page 39
Audit decisions
Understand big picture impact
Page 40
How does agile help?
Page 41
Continual delivery of business value
Page 42
Continual acceptance of risk
Page 43
Secure Agile Development
Page 44
Security must be an enabler of the team
Page 45
Safety engineering and security engineering
Page 46
The unit of delivery is the team
Page 47
The unit of decision making is the team
Page 48
Risk
Page 49
Educate the team to the threats
Page 50
Keep a running risk log
Page 51
Apply risk decisions per story
Page 52
Apply controls per story
Page 53
Security debt
Page 54
Simple systems are more secure
Page 55
Choosing the secure method must be the easiest option
Page 56
Security as an enabler
Page 57
Secure Agile Operations
Page 58
Infrastructure as code
Page 59
Page 60
Infrastructure as testable code
Page 61
Page 62
Page 63
Dealing with patches
Page 64
What machines are affected?
Page 65
Page 66
Page 67
Updating machines in test
Page 68
Page 69
Just some machines?
Page 70
Page 71
Repeat in production
Page 72
What does Agile and DevOps give you?
Page 73
Automated Testing
Page 74
Infrastructure as code
Page 75
Fast repeatable deploys
Page 76
Audit logs
Page 77
Code review of infrastructure changes
Page 78
Confidence!
Page 79
Why does that matter?
Page 80
Australian Signals Directorate
http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
Page 81
Application whitelisting
Page 82
Patching
Page 83
Patching (again)
Page 84
Minimise administrative controls
Page 85
Done well, agile techniques mean more secure software
Page 86
We're hiring!
https://gds.blog.gov.uk/jobs
Page 87
Michael Brunton-Spall
Lead Security Architect
Government Digital Service
@bruntonspall