Explore the intersection of agile methodologies and cybersecurity in this thought-provoking conference talk by independent cybersecurity expert Michael Brunton-Spall. Delve into the tension between agile practices and traditional security approaches, and discover practical solutions for integrating security into agile workflows. Learn about the complexities of modern systems, the importance of team-based decision making, and how to apply ISO 27001 controls in an agile environment. Gain insights on misuse cases, security debt management, and the benefits of regular releases for risk reduction. Understand why infrastructure as testable code and efficient patch management are crucial in today's development landscape. Challenge the notion that agile practices compromise security and leave with actionable strategies to enhance both agility and cybersecurity in your organization.
Overview
Syllabus
Intro
What is agile?
Individuals and Interactions over process and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
A process for assuring the preservation of confidentiality, integrity and availability of information
Criminal users on the internet
Platform Capitalism
Advanced Persistent Threats
Change control
Complexity theory
Simple Systems - A bike
Complicated systems - A car
Complex Systems - Traffic
Microservices and security
"Software that can fit in my head" James Lewis
Small systems focused on one business domain
Business based
Contracts for communication
Simple services with clear boundaries
Security must be an enabler for the team
The unit of delivery is the team
The unit of decision making is the team
Appoint a suitably senior and empowered decision maker
Workshop with whole team
Misuse cases
Applying ISO 27001 controls in agile
4 mechanisms: Avoid, Mitigate, Transfer, Accept
6 Controls: Deter, Prevent, Correct, Recover, Detect, Compensate
Record decisions against stories
Record deferred security debt
Security bugs are not evenly distributed
Product Owner/Service Manager is in control
Regular releases reduces risk
Infrastructure as testable code
Dealing with patches
One Government service released code once every 6 months
1 day = 4 years of practice
Summary
Agile doesn't make us less secure
Taught by
GOTO Conferences
