Rugged - Being Secure and Agile

GOTO Conferences via YouTube

Overview

Explore a conference talk that delves into the intersection of agile methodologies and secure system design. Learn how agile practices can lead to more securely designed and operated systems, despite common misconceptions. Discover the speaker's perspective as a Senior Technical Architect at The Government Digital Service on balancing agility and security. Gain insights into key agile principles, security design principles, and risk management strategies. Understand how to integrate security into agile teams, maintain a running risk log, apply controls per story, and manage security debt. Explore practical approaches to choosing secure methods, dealing with patches, automated testing, and application whitelisting. This talk challenges traditional views on security in agile environments and provides actionable strategies for creating robust, secure systems while maintaining agility.

Syllabus

Intro
Lead Security Architect Cabinet Office UK Government
Certification Accreditation PCI ISO27001
Change control boards
Agile changes everything
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Responding to change over following a plan
Customer collaboration over contract negotiation
Contracts, Planning, Documentation, Processes and Tools
Building software together
Maximising work not done
Minimum viable product or service
Protect personal data
Security design principles
8 Principles of risk management
Accept uncertainty
Security as part of the team
Understand the risks
Trust decision making
Security is part of everything
User experience is important
Audit decisions
Understand big picture impact
How does agile help?
Continual delivery of business value
Security must be an enabler of the team
Safety engineering and security engineering
The unit of delivery is the team
The unit of decision making is the team
Educate the team to the threats
Keep a running risk log
Apply risk decisions per story
Apply controls per story
Security debt
Choosing the secure method must be the easiest option
Dealing with patches
Updating machines in test
Automated Testing
Fast repeatable deploys
Code review of infrastructure changes
Application whitelisting
Minimise administrative controls

Taught by

GOTO Conferences
