Build resilient systems at scale
28–30 October 2015 • Amsterdam, The Netherlands

Agile security: An introduction for developers

Michael Brunton-Spall (Bruntonspall Ltd)
16:00–17:30 Wednesday, 28/10/2015
Location: Emerald Room
Average rating: 4.62 (29 ratings)

Prerequisite Knowledge

No previous experience of computer security is needed to benefit from this tutorial. You should have experience of agile software development.

Materials or downloads needed in advance

Clone this project from GitHub and run vagrant up.

If you have problems with the vagrant up command, then access this file manually and then run vagrant box add --name bruntonspall/security-testing .


As we move towards architectures designed to cope with changing requirements, and eternal services that go live and iterate, how can we manage change in a secure way? How can we possibly build secure systems in this environment?

If you work in a governmental or regulated industry, then you’ll already be familiar with the hollow promises of accreditation. That’s commonly the thing left until the end, about the same time as the testing, and gives rise to the concept that security is the team that just says No.

What if it could be different? What if a service could be continually accredited, continually tested against a baseline of security tests, and that the team was able to own and manage the risk register?

In this tutorial, I will talk through how government is changing its approach to accreditation and to building secure services. We’ll cover everything from continuous security testing through to living risk registers, team threat assessments, and security that embraces the entire service design.

Michael Brunton-Spall

Bruntonspall Ltd

Michael Brunton-Spall is an independent security consultant. Previously, Michael was deputy director for technology and operations and head of cybersecurity at the UK Government Digital Service and held a number of jobs ranging from creating low-level embedded hardware to gaming development on consoles to scaling and operating the Guardian newspaper. He is a regular conference speaker, the author of Agile Application Security, and an enthusiastic Agilist and security geek.