Can we Shift-left security in a CD Pipeline? Taco Bakker, IT Area Lead Continuous Delivery, ING. QCon London, March 4th 2019 (PowerPoint PPT presentation)


  1. Can we Shift-left security in a CD Pipeline? Taco Bakker, IT Area Lead Continuous Delivery, ING. QCon London, March 4th 2019

  2. Craftsmanship

  3. Can we Shift-left security in a CD Pipeline?

  4. About me
     this.name = "Taco Bakker";
     this.company = "ING";
     this.jobtitle = "IT Area Lead Continuous Delivery";
     this.expertise = ["DevOps", "Continuous Delivery", "Lean Six Sigma"];
     this.hobby = ["travel", "photography"];
     this.responsibility = "Roll out standard CD pipeline for all IT engineers of ING worldwide";

  5. ING is a top financial enterprise, operating since 1881
     - Countries: 41, in Europe, Asia, Australia, North and South America
     - Customers: 33 million private, corporate and institutional customers
     - Employees: 52,000
     - Market leaders (Benelux), Challengers, Growth markets, Commercial Banking

  6. ING is an IT company with a Banking Licence

  7. Agenda: 1. Introduction; 2. The Software Delivery Value Chain; 3. Risk and Compliancy; 4. How it all comes together; 5. Example; 6. Conclusions

  8. Agile/Scrum and DevOps are becoming a commodity in many companies

  9. Accelerating Software Delivery is an important reason for adopting Agile

  10. Having Dev and Ops working together on a common purpose increases performance
     "The findings from our research program show clearly that the value of adopting DevOps is even larger than we had initially thought, and the gap between high performers and low performers continues to grow."

  11. Been there, done that, got the T-shirt!

  12. DevOps is probably the first step of a journey: DevOps -> BizzDevOps -> SecDevOps -> FinHRBoardRiskTradeLegalControlWhateverBizSecDevOps?

  13. Agenda: 1. Introduction; 2. The Software Delivery Value Chain; 3. Risk and Compliancy; 4. How it all comes together; 5. Example; 6. Conclusions

  14. Software Delivery is a Value Stream from "idea" to "customer": discover, design, code, build, test, deploy, release

  15. You can optimize (lean) the Value Stream to improve the process: discover, design, code, build, test, deploy, release
     - Remove hand-overs
     - Remove waiting times
     - Build quality in
     - Automate

  16. Automation of the process makes Continuous Delivery possible

  17. Continuous Delivery ensures fast delivery of software to production
     - Lead time to Production with CD: less than one hour
     - Lead time to Production without CD: a week to a month

  18. But what is the use if not everything is software?

  19. Agenda: 1. Introduction; 2. The Software Delivery Value Chain; 3. Risk and Compliancy; 4. How it all comes together; 5. Example; 6. Conclusions

  20. Banks have to adhere to (local) rules & regulations: Payment Accounts Directive, Foreign Account Tax Compliance Act, Sanctions Legislation

  21. At ING this has been translated into Policies (Rules & Regulations -> Standards -> Policies)
     - Policy on Service Naming
     - Policy on External Connections
     - Policy on Business Continuity
     - Policy on IT Security Management
     Note: this is just a limited set of examples. It does not reflect the real ING Policies!

  22. The Policies identify possible Risks (diagram: Dev -> Prod)

  23. Controls are put in place to mitigate the risks: 4-eyes principle, Change Board (diagram: Dev -> Prod)

  24. The Controls must be implemented into (local) processes: roles Coder, Deployer, Approver; controls A, B, C

  25. From the processes we derive evidence for Regulators (roles Coder, Deployer, Approver; controls A, B, C):
     - Risk Assessment
     - Approval process description
     - Access Rules for A, B & C
     - Test results
     - List of change approvals

  26. Security ends up at the right side of the Value Chain: discover, design, code, build, test, deploy, release, Security. Big opportunity to make the process faster and the life of engineers better!

  27. Agenda: 1. Introduction; 2. The Software Delivery Value Chain; 3. Risk and Compliancy; 4. How it all comes together; 5. Example; 6. Conclusions

  28. To improve we need some principles: Concept of One, Engineering Culture, Everything as Code, Shift-Left, Immutability

  29. Concept of One: "... converge components identified as commodity from the existing pipelines into one global engineering journey ..."

  30. From a tooling culture to an engineering culture
     - Past: Managing Culture, Waterfall, Upfront Reqs, Task Breakdowns, Business Cases, Heavy Oversight, Heavy Reporting, Tech Prescription, Impositions
     - Today: Tooling Culture, Shallow Agile, Local Product Ownership, Bias toward Hype, Shadow IT
     - Target: Engineering Culture, Deep Agile, Global Product Ownership, Fail Fast (learn), Proven and Simple Technology, Outcome Focused
     Promote the global identity for engineers ahead of individual team identity.

  31. Everything as Code: "... transmute repeatable engineering actions and documentation as code ..."
     - Infrastructure as Code
     - Pipeline and Configuration as Code
     - Test Plan and Test Cases as Code
     - Risk Controls and Assessments as Code
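As an added example (not from the slides and not ING's pipeline code), the Coder/Deployer/Approver controls of slides 23-25 expressed as code, with the evidence record for the "list of change approvals" derived from the check itself instead of collected by hand afterwards. The deck names the 4-eyes principle and a Change Board but does not define controls A, B and C; the three definitions below, and all names and sample changes, are assumptions.

```python
"""Risk controls as code: pipeline-side checks plus derived evidence (added example).

Assumed control definitions (not taken from the deck):
  A  four-eyes: at least one approver who is not the change's coder
  B  segregation: the deployer is not the coder
  C  change board: a change-board ticket id is recorded before release
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Change:
    change_id: str
    coder: str
    approvers: Tuple[str, ...]
    deployer: str
    change_board_ticket: Optional[str] = None


def control_a_four_eyes(c: Change) -> bool:
    # Self-approval does not count; any([]) is False, so no approver fails too.
    return any(a != c.coder for a in c.approvers)


def control_b_segregation(c: Change) -> bool:
    return c.deployer != c.coder


def control_c_change_board(c: Change) -> bool:
    return bool(c.change_board_ticket)


CONTROLS: Dict[str, Callable[[Change], bool]] = {
    "A": control_a_four_eyes,
    "B": control_b_segregation,
    "C": control_c_change_board,
}


def assess(change: Change) -> dict:
    """Evaluate every control and return one evidence record per change."""
    results = {name: check(change) for name, check in CONTROLS.items()}
    return {
        "change_id": change.change_id,
        "coder": change.coder,
        "approvers": list(change.approvers),
        "deployer": change.deployer,
        "controls": results,
        "failed": sorted(n for n, ok in results.items() if not ok),
        "release_allowed": all(results.values()),
    }


if __name__ == "__main__":
    # Constructed sample changes: one compliant, one self-approved and self-deployed.
    for ch in (Change("CHG-001", "alice", ("bob",), "carol", "CB-42"),
               Change("CHG-002", "alice", ("alice",), "alice")):
        ev = assess(ch)
        print(ev["change_id"], "release_allowed =", ev["release_allowed"], "failed =", ev["failed"])
```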

  32. Shift Left: "... shift runtime complexity into design time by moving engineering responsibility to the left of testing ..." Do not digitize the current process, but redesign and transmute to code or automation. (diagram: arrow to the left of Testing)

  33. Immutability: "... freeze and protect the state of production assets from change by applying immutable patterns and designs ..."
     - Diagram: Immutalizer, Release Immutalizer, Rollback, applied to Applications, Containers, Virtual Machines, Firewalls, Data Stores, Data Models, Authentication, Authorization, Systems, Domains

  34. Agenda: 1. Introduction; 2. The Software Delivery Value Chain; 3. Risk and Compliancy; 4. How it all comes together; 5. Example; 6. Conclusions

  35. From a tool-oriented CD Pipeline with paperwork (Customer -> DevOps -> CD Pipeline; all stages on Microsoft Team Foundation Server)
     - Code: Visual Studio
     - Build: TFS Build
     - Deploy: Release Manager
     - Test: Test Manager, test tools
     - Release: Release Manager

  36. To an Engineering CD Pipeline: ServiceNow, Ansible, Azure, Containers, Boards, Virtual Machines, TerraForm, Wiki, Secrets, Evidence, DevOps Repos, Pipelines, Kafka, Active Directory

  37. Agenda: 1. Introduction; 2. The Software Delivery Value Chain; 3. Risk and Compliancy; 4. How it all comes together; 5. Example; 6. Conclusions

  38. Conclusions
     - You can shift-left security if you redesign your controls
     - Identify true bottlenecks in your Value Stream
     - Set a dot on the horizon, based on your principles
     - Change the culture towards true engineering
     - Code is Craftsmanship
