SESSION + Live Q&A

Attack Trees, Security Modeling for Agile Teams

Agile software development and security often don’t feel like good bedfellows. Many traditional security methodologies for analysing risk and threats are based on old military or government based software development methodologies which favour traditional, slow moving, low change systems.

Attack tree’s is a new way of understanding how your system might be attacked and how to prioritise security measures to be implemented.  It makes it easy for product managers and technical architects to have a conversation about the prioritisation of security features, and to understand whether a new feature will affect the security of the system.  Additionally, it’s designed to ensure that the whole team has visibility and even ownership of the compliance and security process for the product, meaning that security is no longer something that is done to the team.

This methodology has been trialed, adopted and used in the UK Government under the auspices of the Government Digital Service for agile programs, and the National Center for Cyber Security from a security perspective.

This session will teach you how to approach your system in a new way, reviewing how to think like an attacker, how to document, evaluate and rate the threats, and how to communicate it effectively to both the team and to senior leadership as well as to traditional security practitioners.


Speaker

Michael Brunton-Spall

Independent Security Consultant, previously Deputy Director for Technology and Operation, & Head of CyberSecurity of Government Digital Service

Michael Brunton-Spall is an independent Cybersecurity consultant, working for the UK Government.  Michael is a former Deputy Director with the Cabinet Office, where he headed up Technology and Operations for the Government Digital Service as well as being head of Cybersecurity.  Michael...

Read more
Find Michael Brunton-Spall at:

From the same track

SESSION + Live Q&A Security

Encryption Without Magic, Risk Mngmnt Without Pain

In-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controlled attack surfaces, enables managing the risk efficiently and elegantly, how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated...

Anastasiia Voitova

Head of Customer Solutions, Security Software Engineer @CossackLabs

SESSION + Live Q&A Security

Bigger, Faster and More Secure

Many people don't care about security. It's OK, don't worry! I'm not judging. Security is the world of defense, of caution and of risk. Securing systems is hard and we don't have great solutions to the many challenges it poses. Security folk on the whole are the least exciting people to invite...

Laura Bell

Founder of SafeStack

UNCONFERENCE + Live Q&A Security

Security Open Space

SESSION + Live Q&A Security

Security Champions: Only YOU Can Prevent File Forgery

As a Developer, there will come a time when you realize that you have the power to not only ship awesome features, but also protect them so that no one else can tamper with all your hard work. Every Developer is responsible for coding securely, but there are a brave few among us that will take...

Marisa Fagan

Product Security Lead @Synopsys

SESSION + Live Q&A Security

EternalBlue: Exploit Analysis and Beyond

In this presentation we will analyze the EternalBlue exploit that was leaked in early 2017 which was then abused to great effect throughout the year.   Beginning a journey into InfoSec research can be daunting. We will discuss how targeted analysis can help develop security skills while...

Emma McCall

Security Analyst @RiotGames

View full Schedule