Can we Shift-left security in a CD Pipeline?
Taco Bakker, IT Area Lead Continuous Delivery, ING
QCon London, March 4th 2019

Craftsmanship
About me
this.name = "Taco Bakker";
this.company = "ING";
this.jobtitle = "IT Area Lead Continuous Delivery";
this.expertise = {"DevOps", "Continuous Delivery", "Lean Six Sigma"};
this.hobby = {"travel", "photography"};
this.responsibility = "Roll out standard CD pipeline for all IT engineers of ING worldwide";
ING is a top financial enterprise, operating since 1881
• Countries: 41, in Europe, Asia, Australia, North and South America (market leaders: Benelux; challengers; growth markets; commercial banking)
• Customers: 33 million private, corporate and institutional customers
• Employees: 52,000

ING is an IT company with a Banking Licence
Agenda
1. Introduction
2. The Software Delivery Value Chain
3. Risk and Compliancy
4. How it all comes together
5. Example
6. Conclusions

1. Introduction

Agile/Scrum and DevOps are becoming a commodity in many companies

Accelerating Software Delivery is an important reason for adopting Agile
Having Dev and Ops working together on a common purpose increases performance
"The findings from our research program show clearly that the value of adopting DevOps is even larger than we had initially thought, and the gap between high performers and low performers continues to grow."

Been there, done that, got the T-shirt!

DevOps is probably the first step of a journey: DevOps, BizzDevOps, SecDevOps, ... FinHRBoardRiskTradeLegalControlWhateverBizSecDevOps?
2. The Software Delivery Value Chain

Software Delivery is a Value Stream from "idea" to "customer": discover, design, code, build, test, deploy, release

You can optimize (lean) the Value Stream to improve the process (discover, design, code, build, test, deploy, release):
• Remove hand-overs
• Remove waiting times
• Build quality in
• Automate

Automation of the process makes Continuous Delivery possible

Continuous Delivery ensures fast delivery of software to production
• Lead time to Production with CD: less than one hour
• Lead time to Production without CD: a week to a month

But what is the use if not everything is software?
3. Risk and Compliancy

Banks have to adhere to (local) rules & regulations, for example:
• Payment Accounts Directive
• Foreign Account Tax Compliance Act
• Sanctions Legislation

At ING this has been translated into Policies (Rules & Regulations, then Standards, then Policies), for example:
• Policy on Service Naming
• Policy on External Connections
• Policy on Business Continuity
• Policy on IT Security Management
Note: this is just a limited set of examples. It does not reflect the real ING Policies!

The Policies identify possible Risks (across the path from Dev to Prod)

Controls are put in place to mitigate the risks (from Dev to Prod), for example the 4-eyes principle and the Change Board

The Controls must be implemented into (local) processes, with roles such as Coder, Deployer and Approver and controls A, B and C

From the processes we derive evidence for Regulators:
• Risk Assessment process description
• Approval of Access Rules for A, B & C
• Test results
• List of change approvals
(roles: Coder, Deployer, Approver; controls A, B, C)

Security ends up at the right side of the Value Chain: discover, design, code, build, test, deploy, release, and only then Security. Big opportunity to make the process faster and the life of engineers better!
4. How it all comes together

To improve we need some principles:
• Concept of One
• Engineering Culture
• Everything as Code
• Shift-Left
• Immutability

Concept of One
"… converge components identified as commodity from the existing pipelines into one global engineering journey…"

From a tooling culture to an engineering culture
Past:
• Managing Culture
• Waterfall
• Upfront Reqs
• Task Breakdowns
• Business Cases
• Heavy Oversight
• Heavy Reporting
• Tech Prescription
• Impositions
Today:
• Tooling Culture
• Shallow Agile
• Local Product Ownership
• Bias toward Hype
• Shadow IT
Target:
• Engineering Culture
• Deep Agile
• Global Product Ownership
• Fail Fast (learn)
• Proven and Simple Technology
• Outcome Focused
Promote the global identity for engineers ahead of individual team identity.

Everything as Code
"…transmute repeatable engineering actions and documentation as code…"
• Infrastructure as Code
• Pipeline and Configuration as Code
• Test Plan and Test Cases as Code
• Risk Controls and Assessments as Code

Shift Left
"… shift runtime complexity into design time by moving engineering responsibility to the left of testing…"
Do not digitize the current process, but redesign and transmute to code or automation.

Immutability
"…freeze and protect the state of production assets from change by applying immutable patterns and designs…"
Immutalizer: Applications, Containers, Virtual Machines, Firewalls, Data Stores, Data Models, Authentication, Authorization, Systems, Domains. Rollback and Release go through the Immutalizer.
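The "Risk Controls and Assessments as Code" principle, combined with the controls and evidence slides above (4-eyes principle, Coder/Deployer/Approver roles, list of change approvals and test results as evidence), can be illustrated with a pipeline gate. This is an added example, not ING's pipeline code: the change record, the mapping of controls A, B and C to 4-eyes, test results and coder/deployer separation, and the evidence format are all assumptions.

```python
"""Release gate that evaluates risk controls as code and emits evidence.

Constructed example: the Change record and the meaning of controls
A, B and C are assumptions, not the real ING controls."""
from dataclasses import dataclass
from typing import List, Tuple, Dict
import json


@dataclass
class Change:
    change_id: str
    coder: str            # identity that authored the change
    approvers: List[str]  # identities that approved the change
    deployer: str         # identity that triggers the deployment
    tests_passed: bool    # outcome of the automated test stage


def control_a_four_eyes(change: Change) -> Tuple[bool, str]:
    """Control A (assumed): at least one approver who is not the coder."""
    independent = [a for a in change.approvers if a != change.coder]
    return bool(independent), f"independent approvers: {independent}"


def control_b_tests(change: Change) -> Tuple[bool, str]:
    """Control B (assumed): automated test results must be green."""
    return change.tests_passed, f"tests_passed={change.tests_passed}"


def control_c_separation(change: Change) -> Tuple[bool, str]:
    """Control C (assumed): the coder must not deploy their own change."""
    ok = change.deployer != change.coder
    return ok, f"deployer={change.deployer}, coder={change.coder}"


CONTROLS = {"A": control_a_four_eyes, "B": control_b_tests, "C": control_c_separation}


def evaluate(change: Change) -> Tuple[bool, Dict]:
    """Run every control; return (release_allowed, evidence record).

    The evidence record is what the pipeline would store for regulators
    instead of a manually maintained list of change approvals."""
    evidence: Dict = {"change_id": change.change_id, "controls": {}}
    for name, check in CONTROLS.items():
        passed, detail = check(change)
        evidence["controls"][name] = {"passed": passed, "detail": detail}
    allowed = all(c["passed"] for c in evidence["controls"].values())
    evidence["release_allowed"] = allowed
    return allowed, evidence


def evidence_json(change: Change) -> str:
    """Serialised evidence, e.g. to attach to the change ticket."""
    return json.dumps(evaluate(change)[1], indent=2)
```

A self-approved, self-deployed change fails controls A and C even when its tests are green, and the evidence record says exactly which control blocked the release.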
5. Example

From a tool-oriented CD Pipeline with paperwork (Customer, DevOps, CD Pipeline):
• Code: Visual Studio on Team Foundation Server (Microsoft)
• Build: TFS Build on Team Foundation Server (Microsoft)
• Test: Test Manager on Team Foundation Server (Microsoft), plus test tools
• Deploy: Release Manager on Team Foundation Server (Microsoft)
• Release: Release Manager on Team Foundation Server (Microsoft)

To an Engineering CD Pipeline:
• Azure DevOps: Boards, Repos, Pipelines, Wiki
• ServiceNow
• Ansible, TerraForm
• Containers, Virtual Machines
• Secrets, Evidence
• Kafka, Active Directory
6. Conclusions

Conclusions
• You can shift-left security if you redesign your controls
• Identify true bottlenecks in your Value Stream
• Set a dot on the horizon, based on your principles
• Change the culture towards true engineering
• Code is Craftsmanship