Overview
Syllabus
Intro
What is agile?
Individuals and Interactions over process and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
A process for assuring the preservation of confidentiality, integrity and availability of information
Criminal users on the internet
Platform Capitalism
Advanced Persistent Threats
Change control
Complexity theory
Simple systems - A bike
Complicated systems - A car
Complex Systems - Traffic
Microservices and security
"Software that can fit in my head" (James Lewis)
Small systems focused on one business domain
Business based
Contracts for communication
Simple services with clear boundaries
Security must be an enabler for the team
The unit of delivery is the team
The unit of decision making is the team
Appoint a suitably senior and empowered decision maker
Workshop with whole team
Misuse cases
Applying ISO 27001 controls in agile
4 mechanisms: Avoid, Mitigate, Transfer, Accept
6 Controls: Deter, Prevent, Correct, Recover, Detect, Compensate
Record decisions against stories
Record deferred security debt
Security bugs are not evenly distributed
Product Owner/Service Manager is in control
Regular releases reduce risk
Infrastructure as testable code
Dealing with patches
One Government service released code once every 6 months
1 day = 4 years of practice
Summary
Agile doesn't make us less secure
Taught by
GOTO Conferences