When DevOps Meets Security

Explore the intersection of DevOps and security in this 27-minute conference talk from GOTO London 2015. Discover how the revolution in operations is impacting security practices, moving away from traditional change control processes towards improved communication and business agility. Learn about the UK Government's 8 security principles, including accepting uncertainty, integrating security into teams, and understanding risks. Examine various security models, threat assessment techniques, and risk mitigation strategies. Gain insights into misuse cases, attack trees, red teams, and automated penetration testing. Understand how to balance security needs with user experience and decision-making in an agile environment.

Introduction
Government Digital Service
The state of information security in 2015
Approval to operate
Accreditation
Certification
Traditional model
Agile changes everything
Focus on flow and cycle time
A security nightmare!
A brave new world for security
Security needs to be an enabler
Biggest consistent finding?
Principles over rules
The UK Government published 8 principles
Accept uncertainty
Security as part of the team
Understand the risks
Trust decision making
Security is part of everything
User experience is important
Audit decisions
Understand big picture impact
Choose security model that's appropriate
Understand the threats
Educate decision makers to risks
Make risk decisions, per story, in the team
What do you do about it?
Transfer
Mitigate
Deter, Detect, Prevent
Reactive countermeasures
Correct, Respond, Recover
Traditional security people understand this
Misuse cases
Attack trees
Red teams
Automated penetration testing
Automated Integrated Repeatable