SESSION + Live Q&A
Attack Trees, Security Modeling for Agile Teams
Agile software development and security often don’t feel like good bedfellows. Many traditional security methodologies for analysing risk and threats are based on old military or government based software development methodologies which favour traditional, slow moving, low change systems.
Attack tree’s is a new way of understanding how your system might be attacked and how to prioritise security measures to be implemented. It makes it easy for product managers and technical architects to have a conversation about the prioritisation of security features, and to understand whether a new feature will affect the security of the system. Additionally, it’s designed to ensure that the whole team has visibility and even ownership of the compliance and security process for the product, meaning that security is no longer something that is done to the team.
This methodology has been trialed, adopted and used in the UK Government under the auspices of the Government Digital Service for agile programs, and the National Center for Cyber Security from a security perspective.
This session will teach you how to approach your system in a new way, reviewing how to think like an attacker, how to document, evaluate and rate the threats, and how to communicate it effectively to both the team and to senior leadership as well as to traditional security practitioners.
Speaker
Michael Brunton-Spall
Independent Security Consultant, previously Deputy Director for Technology and Operation, & Head of CyberSecurity of Government Digital Service
Michael Brunton-Spall is an independent Cybersecurity consultant, working for the UK Government. Michael is a former Deputy Director with the Cabinet Office, where he headed up Technology and Operations for the Government Digital Service as well as being head of Cybersecurity. Michael...
Read moreFind Michael Brunton-Spall at:
Location
Mountbatten, 6th flr.
Track
Topics
SecurityAgileSecurity AssessmentObservabilityShare
From the same track
Encryption Without Magic, Risk Mngmnt Without Pain
In-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controlled attack surfaces, enables managing the risk efficiently and elegantly, how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated...
Anastasiia Voitova
Head of Customer Solutions, Security Software Engineer @CossackLabs
Bigger, Faster and More Secure
Many people don't care about security. It's OK, don't worry! I'm not judging. Security is the world of defense, of caution and of risk. Securing systems is hard and we don't have great solutions to the many challenges it poses. Security folk on the whole are the least exciting people to invite...
Laura Bell
Founder of SafeStack
Security Open Space
Security Champions: Only YOU Can Prevent File Forgery
As a Developer, there will come a time when you realize that you have the power to not only ship awesome features, but also protect them so that no one else can tamper with all your hard work. Every Developer is responsible for coding securely, but there are a brave few among us that will take...
Marisa Fagan
Product Security Lead @Synopsys
EternalBlue: Exploit Analysis and Beyond
In this presentation we will analyze the EternalBlue exploit that was leaked in early 2017 which was then abused to great effect throughout the year. Beginning a journey into InfoSec research can be daunting. We will discuss how targeted analysis can help develop security skills while...
Emma McCall
Security Analyst @RiotGames