Can we Shift-left security in a CD Pipeline? Taco Bakker, IT Area Lead Continuous Delivery ING, QCon London 2019 (PowerPoint presentation)



SLIDE 1

Can we Shift-left security in a CD Pipeline?

Taco Bakker, IT Area Lead Continuous Delivery ING

QCon London, March 4th 2019

SLIDE 2

Craftsmanship

SLIDE 3

Can we Shift-left security in a CD Pipeline?

SLIDE 4

About me

this.name = "Taco Bakker";
this.company = "ING";
this.jobtitle = "IT Area Lead Continuous Delivery";
this.expertise = ["DevOps", "Continuous Delivery", "Lean Six Sigma"];
this.hobby = ["travel", "photography"];
this.responsibility = "Roll out standard CD pipeline for all IT engineers of ING worldwide";
SLIDE 5

ING is a top financial enterprise, operating since 1881

  • Customers: 33 million private, corporate and institutional customers
  • Countries: 41, in Europe, Asia, Australia, North and South America
  • Employees: 52,000

Map legend: Market leaders (Benelux), Growth markets, Commercial Banking, Challengers

SLIDE 6

ING is an IT company with a Banking Licence

SLIDE 7

Agenda

  • 1. Introduction
  • 2. The Software Delivery Value Chain
  • 3. Risk and Compliancy
  • 4. How it all comes together
  • 5. Example
  • 6. Conclusions
SLIDE 8

Agile/Scrum and DevOps are becoming a commodity in many companies

SLIDE 9

Accelerating software delivery is an important reason for adopting Agile

SLIDE 10

Having Dev and Ops working together on a common purpose increases performance

“The findings from our research program show clearly that the value of adopting DevOps is even larger than we had initially thought, and the gap between high performers and low performers continues to grow.”

SLIDE 11

Been there, done that, got the T-shirt!

SLIDE 12

DevOps is probably the first step of a journey

DevOps → BizDevOps → SecDevOps → FinHRBoardRiskTradeLegalControlWhateverBizSecDevOps?

SLIDE 13

Agenda

  • 1. Introduction
  • 2. The Software Delivery Value Chain
  • 3. Risk and Compliancy
  • 4. How it all comes together
  • 5. Example
  • 6. Conclusions
SLIDE 14

Software Delivery is a Value Stream from “idea” to “customer”

discover → design → code → build → deploy → test → release

SLIDE 15

You can optimize (lean) the Value Stream to improve the process

discover → design → code → build → deploy → test → release

  • Remove waiting times
  • Remove hand-overs
  • Build quality in
  • Automate

SLIDE 16

Automation of the process makes Continuous Delivery possible

SLIDE 17

Continuous Delivery ensures fast delivery of software to production

  • Lead time to production without CD: a week to a month
  • Lead time to production with CD: less than one hour

SLIDE 18

But what is the use if not everything is software?

SLIDE 19

Agenda

  • 1. Introduction
  • 2. The Software Delivery Value Chain
  • 3. Risk and Compliancy
  • 4. How it all comes together
  • 5. Example
  • 6. Conclusions
SLIDE 20

Banks have to adhere to (local) rules & regulations

  • Foreign Account Tax Compliance Act
  • Payment Accounts Directive
  • Sanctions Legislation

SLIDE 21

At ING this has been translated into Policies

Rules & Regulations →
  • Policy on External Connections
  • Policy on Service Naming Standards
  • Policy on IT Security
  • Policy on Business Continuity Management

Note: this is just a limited set of examples. It does not reflect the real ING Policies!

SLIDE 22

The Policies identify possible Risks

Dev → Prod

SLIDE 23

Controls are put in place to mitigate the risks

Dev → Prod

  • 4-eyes principle
  • Change Board

SLIDE 24

The Controls must be implemented into (local) processes

Coder A → Approver B → Deployer C

SLIDE 25

From the processes we derive evidence for Regulators

Coder A → Approver B → Deployer C

  • Access rules for A, B & C
  • List of change approvals
  • Approval of process description
  • Test results
  • Risk assessment
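Slides 23 to 25 describe the control (4-eyes principle, Coder A / Approver B / Deployer C) and the evidence derived from it. The block below is an added example, not ING's pipeline code: it expresses that control as a pipeline gate that blocks a change when the roles are not separated and, from the same data, produces the evidence record a regulator would ask for. The change record and its fields are constructed for the example.

```python
"""Controls-as-code gate: 4-eyes and segregation of duties with evidence output.

Added example; the ChangeRecord shape is a constructed stand-in for what a real
pipeline would read from the repository, the pull-request approvals and the
identity of the deploy job.
"""
import json
from dataclasses import dataclass


@dataclass
class ChangeRecord:
    change_id: str        # constructed identifier, e.g. "CHG-0001"
    author: str           # Coder A
    approvers: list       # identities that approved the change (Approver B)
    deployer: str         # identity that triggers the deploy (Deployer C)
    tests_passed: bool    # result of the test stage


def evaluate_controls(change: ChangeRecord) -> dict:
    """Return the gate verdict and the evidence record for one change."""
    findings = []
    # 4-eyes principle: at least one approval must come from someone other than the author.
    independent = sorted(a for a in set(change.approvers) if a != change.author)
    if not independent:
        findings.append("4-eyes: no approval independent of the author")
    # Segregation of duties: A, B and C must be three different identities.
    if change.deployer == change.author:
        findings.append("SoD: author and deployer are the same identity")
    if change.deployer in change.approvers:
        findings.append("SoD: approver and deployer are the same identity")
    # Test results are part of the evidence: no release without a passing test stage.
    if not change.tests_passed:
        findings.append("tests: test stage has no passing result")
    return {
        "change_id": change.change_id,
        "roles": {"coder": change.author, "approvers": independent, "deployer": change.deployer},
        "tests_passed": change.tests_passed,
        "controls": ["4-eyes", "segregation-of-duties", "test-results"],
        "findings": findings,
        "verdict": "allowed" if not findings else "blocked",
    }


def evidence_json(change: ChangeRecord) -> str:
    """Serialise the verdict so the pipeline can archive it as regulator evidence."""
    return json.dumps(evaluate_controls(change), sort_keys=True)


if __name__ == "__main__":
    ok = ChangeRecord("CHG-0001", "alice", ["bob"], "carol", True)      # constructed
    bad = ChangeRecord("CHG-0002", "alice", ["alice"], "alice", False)  # constructed
    for change in (ok, bad):
        print(evidence_json(change))
```

A pipeline would run `evaluate_controls` as the gate before the release stage and store the JSON next to the build artefacts, so the evidence is produced by the process rather than collected afterwards.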

SLIDE 26

Security ends up at the right side of the Value Chain

discover → design → code → build → deploy → test → Security → Release

Big opportunity to make the process faster and the life of engineers better!

SLIDE 27

Agenda

  • 1. Introduction
  • 2. The Software Delivery Value Chain
  • 3. Risk and Compliancy
  • 4. How it all comes together
  • 5. Example
  • 6. Conclusions
SLIDE 28

To improve we need some principles

  • Concept of One
  • Engineering Culture
  • Everything as Code
  • Shift-Left
  • Immutability

SLIDE 29

Concept of One

“…converge components identified as commodity from the existing pipelines into one global engineering journey…”

SLIDE 30

From a tooling culture to an engineering culture

Promote the global identity for engineers ahead of individual team identity.

Past: Managing Culture
  • Waterfall
  • Upfront Reqs
  • Task Breakdowns
  • Business Cases
  • Heavy Reporting
  • Tech Prescription
  • Impositions

Today: Tooling Culture
  • Shallow Agile
  • Local Product Ownership
  • Heavy Oversight
  • Bias toward Hype
  • Shadow IT

Target: Engineering Culture
  • Deep Agile
  • Global Product Ownership
  • Fail Fast (learn)
  • Proven and Simple Technology
  • Outcome Focused

SLIDE 31

Everything as Code

  • Infrastructure as Code
  • Pipeline and Configuration as Code
  • Test Plan and Test Cases as Code
  • Risk Controls and Assessments as Code

“…transmute repeatable engineering actions and documentation as code…”

SLIDE 32

Shift Left

Testing

“…shift runtime complexity into design time by moving engineering responsibility to the left of testing…”

Do not digitize the current process, but redesign and transmute it to code or automation

SLIDE 33

Immutability

Immutalizer (Release / Rollback)

  • Applications
  • Containers
  • Virtual Machines
  • Firewalls
  • Data Stores
  • Data Models
  • Authentication
  • Authorization
  • Systems
  • Domains

“…freeze and protect the state of production assets from change by applying immutable patterns and designs…”

SLIDE 34

Agenda

  • 1. Introduction
  • 2. The Software Delivery Value Chain
  • 3. Risk and Compliancy
  • 4. How it all comes together
  • 5. Example
  • 6. Conclusions
SLIDE 35

From a tool-oriented CD Pipeline with paperwork

CD Pipeline: Code → Build → Deploy → Test → Release → Customer

Tooling (Microsoft, on Team Foundation Server): Visual Studio, TFS Build, Release Manager, Test Manager and test tools

SLIDE 36

To an Engineering CD Pipeline

  • ServiceNow
  • Azure Boards
  • Wiki
  • DevOps Repos
  • Pipelines
  • Active Directory
  • Ansible
  • Terraform
  • Kafka
  • Containers
  • Virtual Machines
  • Secrets
  • Evidence

SLIDE 37

Agenda

  • 1. Introduction
  • 2. The Software Delivery Value Chain
  • 3. Risk and Compliancy
  • 4. How it all comes together
  • 5. Example
  • 6. Conclusions
SLIDE 38

Conclusions

  • You can shift-left security if you redesign your controls
  • Identify true bottlenecks in your Value Stream
  • Set a dot on the horizon, based on your principles
  • Change the culture towards true engineering
  • Code is Craftsmanship

SLIDE 39