This presentation was recorded at GOTO Amsterdam 2016 (http://gotoams.nl).

Michael Brunton-Spall, Senior Technical Architect at The Government Digital Service

ABSTRACT
I believe that agile methods of development and operation can lead to more securely designed and operated systems than is possible via non-agile methods. But doing so requires work and thought. Agile methodologies, however, have generally been said [...]

TIMECODES
0:00 Introduction
0:33 Lead Security Architect, Cabinet Office, UK Government
1:52 Certification and accreditation: PCI, ISO 27001
4:04 Change control boards
5:20 Agile changes everything
7:02 Individuals and interactions over processes and tools
7:29 Working software over comprehensive documentation
7:54 Responding to change over following a plan
9:20 Customer collaboration over contract negotiation
9:52 Contracts, planning, documentation, processes and tools
10:10 Building software together
11:43 Maximising work not done
13:29 Minimum viable product or service
18:18 Protect personal data
19:20 Security design principles
20:35 8 principles of risk management
21:01 Accept uncertainty; security as part of the team; understand the risks
22:09 Trust decision making; security is part of everything; user experience is important
23:23 Audit decisions; understand big-picture impact
24:57 How does agile help?
25:13 Continual delivery of business value
25:37 Security must be an enabler of the team
25:59 Safety engineering and security engineering
27:26 The unit of delivery is the team
27:33 The unit of decision making is the team
28:19 Educate the team to the threats
29:35 Keep a running risk log
29:54 Apply risk decisions per story
30:25 Apply controls per story
30:56 Security debt
31:47 Choosing the secure method must be the easiest option
35:25 Dealing with patches
37:35 Updating machines in test
38:46 Automated testing
40:54 Fast, repeatable deploys
43:07 Code review of infrastructure changes
43:54 Application whitelisting
44:33 Minimise administrative controls

Download slides and read the full abstract here: http://gotocon.com/amsterdam-2016/presentation/Rugged:%20Being%20Secure%20and%20Agile

RECOMMENDED BOOKS
Subramaniam & Hunt • Practices of an Agile Developer • https://amzn.to/2XjbWor
Uncle Bob • Clean Agile • https://amzn.to/3tpAqb5
Derby, Larsen & Schwaber • Agile Retrospectives • https://amzn.to/3hB4eNk
Jeff Sutherland • Scrum: The Art of Doing Twice the Work in Half the Time • https://amzn.to/2X4GQAD