Build & Maintain Complex Distributed Systems
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

Attack trees, security modeling for agile teams

Michael Brunton-Spall (Government Digital Service)
1:30pm–5:00pm Tuesday, June 12, 2018
Location: LL21 E/F
Level: Non-technical
Secondary topics: Systems Architecture & Infrastructure

Prerequisite knowledge

This workshop assumes no existing knowledge of security or risk management, nor any technical knowledge.

Materials or downloads needed in advance

Collaboration will be via shouted-out suggestions and worked examples, so no technical materials will be needed.


Agile software development and security often don’t seem to be good bedfellows. Many traditional security methodologies for analysing risk and threats are based on old military or government development methodologies which are slow to change and well documented.

This methodology has been trialed, adopted and used in the UK Government under the auspices of the Government Digital Service for agile programs, and the National Center for Cyber Security from a security perspective.

This session will teach you how to approach your system in a new way, reviewing how to think like an attacker, how to document, evaluate and rate the threats, and how to communicate them effectively to both the team and to senior leadership.

You’ll take away an overview of the methodology, follow through a worked example, and see the outputs produced for senior-level consumption and for team consumption.

Workshop only:
In a three-hour workshop, you’ll get an overview of the process and take part in a live demonstration of applying the methodology to a series of scenarios, seeing how the workshop is run, how to facilitate good questions, and how the output is transcribed live into tools to format and present the findings.

Michael Brunton-Spall

Government Digital Service

Michael Brunton-Spall is an independent security consultant. He was formerly Deputy Director for technology and operations and, prior to that, the Head of Cybersecurity at the Government Digital Service.
Michael is a regular conference speaker, published author of Agile Application Security, and an enthusiastic agilist and security geek. Prior to this, Michael had a varied background of jobs, ranging from low-level embedded hardware and gaming development on consoles to scaling and operating the Guardian newspaper.
