Presentation: Attack Trees, Security Modeling for Agile Teams

Track: Security: Red XOR Blue Team

Location: Mountbatten, 6th flr.

Duration: 5:25pm - 6:15pm

Day of week: Monday

Level: Advanced


Agile software development and security often don’t feel like good bedfellows. Many traditional security methodologies for analysing risk and threats are based on old military or government-based software development methodologies which favour traditional, slow-moving, low-change systems.

Attack trees are a new way of understanding how your system might be attacked and how to prioritise the security measures to be implemented. The approach makes it easy for product managers and technical architects to have a conversation about the prioritisation of security features, and to understand whether a new feature will affect the security of the system. Additionally, it’s designed to ensure that the whole team has visibility and even ownership of the compliance and security process for the product, meaning that security is no longer something that is done to the team.

This methodology has been trialed, adopted and used in the UK Government under the auspices of the Government Digital Service for agile programs, and the National Center for Cyber Security from a security perspective.

This session will teach you how to approach your system in a new way, reviewing how to think like an attacker, how to document, evaluate and rate the threats, and how to communicate them effectively to the team, to senior leadership and to traditional security practitioners.

Speaker: Michael Brunton-Spall

Independent Security Consultant, previously Deputy Director for Technology and Operation, & Head of CyberSecurity of Government Digital Service

Michael Brunton-Spall is an independent Cybersecurity consultant, working for the UK Government.  Michael is a former Deputy Director with the Cabinet Office, where he headed up Technology and Operations for the Government Digital Service as well as being head of Cybersecurity.  Michael has worked in technology for over 15 years, in topics as varied as embedded device development, games console programming, low latency trading and web publishing. 
Michael coauthored the book on Agile Application Security and has delivered popular conference talks on various topics ranging from Microservices to Agile Security.
