Build resilient systems at scale
May 27–29, 2015 • Santa Clara, CA

How to build a secure system and keep it secure in the face of changing requirements

Michael Brunton-Spall (Bruntonspall Ltd)
9:00am–10:30am Wednesday, 05/27/2015
Location: Mission City M1-2
Average rating: ****.
(4.21, 19 ratings)
Slides:   1-PDF 

Prerequisite Knowledge

You need no previous experience of computer security to take anything away. You should have experience of agile software development.

Materials or downloads needed in advance

Clone this project from github and run vagrant up.

If you have problems with the vagrant up command then access this file manually and then do a vagrant box add --name bruntonspall/security-testing .


As we move towards architectures designed to cope with changing requirements, and eternal services that go live and iterate, how can we manage change in a secure way? How can we possibly build secure systems in this environment?

If you work in a governmental or regulated industry, then you’ll already be familiar with the hollow promises of accreditation. That’s commonly the thing left until the end, about the same time as the testing, and gives rise to the concept that security is the team that just says No.

What if it could be different? What if a service could be continually accredited, continually tested against a baseline of security tests, and that the team was able to own and manage the risk register?

In this tutorial, I will talk through how government is changing its approach to accreditation, to building secure services. We’ll cover things from continuous security testing through to living risk registers, team threat assessments, and security embracing the entire service design.

Photo of Michael Brunton-Spall

Michael Brunton-Spall

Bruntonspall Ltd

Michael Brunton-Spall is technical architect at the Government Digital Service. He travels the country helping government agencies and services embrace the digital now.

Previously Michael worked at the Guardian for six years, helping to build and scale the website, building the API, helping run the platform team, and acting as developer advocate, talking at conferences and events.

Comments on this page are now closed.


Picture of Michael Brunton-Spall
Michael Brunton-Spall
05/27/2015 5:01am PDT

Thanks Austin.
Apologies for the late notice of the box information.

I believe the vagrant box should work out of the box, but some people were reporting some library issues. You should be able to change to the bdd-security directory and do ./ authentication or ./ app_scan to see it all work.

Austin Chambers
05/27/2015 2:53am PDT

Fyi — The command line as-provided didn’t work for me. I changed it to the following, and it worked:
“vagrant box add —name bruntonspall/security-testing ./”

Thiago, If you still want a copy, I can put it on a USB key for you. I’m directly behind the camera.

Thiago Figueiro
05/27/2015 1:44am PDT

I really wish the instructions were sent sooner as I didn’t have time to download the stuff last night.

I’m trying to do it this morning and I’m stuck with this:

==> default: Adding box ‘bruntonspall/security-testing’ (v0) for provider: virtualbox
default: Downloading:
default: Progress: 5% (Rate: 67434/s, Estimated time remaining: 2:20:30)

Any way around this?