Download as PDF, PPTX
![@meekrosoft
“we find that the conflict
[between DevOps and Audit]
is just a perception ...
DevOps in fact can be
considered as a practice
that offers better
Audit/Compliance as
compliance.”](https://image.slidesharecdn.com/designingasecuresoftwaredevelopmentprocesswithdevops-200124135050/75/Designing-a-secure-software-development-process-with-DevOps-54-2048.jpg)
![@meekrosoft
“we find that the conflict
[between DevOps and Audit]
is just a perception ...
DevOps in fact can be
considered as a practice
that offers better
Audit/Compliance as
compliance.”](https://crownmelresort.com/image.slidesharecdn.com/designingasecuresoftwaredevelopmentprocesswithdevops-200124135050/75/Designing-a-secure-software-development-process-with-DevOps-54-2048.jpg)
Uploaded byMike Long
Designing a secure software development process with DevOps
The document outlines the principles of designing a secure Software Development Life Cycle (SDLC) integrated with DevOps, emphasizing the importance of compliance, security goals, and cultural practices. It discusses historical lessons from various project management frameworks and stresses the need for streamlined processes to avoid inefficiencies in regulated industries. Key topics include implementing compliance controls, automating audits, and fostering a security-conscious culture within software development teams.
More Related Content
Similar to Designing a secure software development process with DevOps
Designing a secure software development process with DevOps
- 1. @meekrosoft Designing a SecureSDLC with DevOps Mike Long @meekrosoft
- 2.
- 3. @meekrosoft Agenda ● SDLC BINGO ●What can we learn from history? ● Why define a SDLC? ● The role of DevOps ● Establishing security goals for a SDLC ● Implementation compliance controls ● Driving Security Culture with a SDLC
- 4. @meekrosoft Spot the cargocult! Software Development Life Cycle BINGO
- 5.
- 6. @meekrosoft “...the implementation described aboveis risky and invites failure”
- 7.
- 8. @meekrosoft Prince2 “This strongemphasis on tailoring has led some users to complain that PRINCE2 is unfalsifiable, i.e. it is impossible to tell whether PRINCE2 "works" or constitutes "best practice" if any problems encountered with a project can be blamed on inappropriate application of PRINCE2 rather than on PRINCE2 itself.”
- 9.
- 10. @meekrosoft Rational Unified Process “Webelieve that a branded process like RUP, or XP, is out -- because such a thing is just a collection of practices. Instead practices will become first class citizens” Ivar Jacobson https://www.techrepublic.com/article/80-of-software-is-no-brain-work-ivar-jacobson/
- 11.
- 12. @meekrosoft SCRUM “I really amcoming to think that software developers of all stripes should have no adherence to any “Agile” method of any kind” Ron Jeffries https://ronjeffries.com/articles/018-01ff/abandon-1/
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19. @meekrosoft What can welearn from history?
- 20. @meekrosoft All have adiagram
- 21. @meekrosoft All will eventuallybe ridiculed (often by their creators) “...the implementation described above is risky and invites failure” “This strong emphasis on tailoring has led some users to complain that PRINCE2 is unfalsifiable, i.e. it is impossible to tell whether PRINCE2 "works" or constitutes "best practice" if any problems encountered with a project can be blamed on inappropriate application of PRINCE2 rather than on PRINCE2 itself.” “We believe that a branded process like RUP, or XP, is out -- because such a thing is just a collection of practices. Instead practices will become first class citizens” Ivar Jacobson https://www.techrepublic.com/article/80-of-softwar e-is-no-brain-work-ivar-jacobson/ “I really am coming to think that software developers of all stripes should have no adherence to any “Agile” method of any kind” Ron Jeffries https://ronjeffries.com/articles/018-01ff/abandon-1/
- 22. @meekrosoft Subject to confirmationbias http://chainsawsuit.com/comic/2014/09/16/on-research/
- 23.
- 24.
- 25.
- 26. @meekrosoft Why define aSDLC in the first place?
- 27.
- 28. @meekrosoft Great advice forentrepreneurs, terrible advice if you make software that can: ● Control economies ● Drive cars ● Control insulin ● Manage critical infrastructure
- 29.
- 30.
- 31. @meekrosoft Regulated Industries ACME Corp. Translateinto processes Continuous Documentation Meetings and Signoffs §1.1 Regulations
- 32. @meekrosoft Regulated Industries ACME Corp. Translateinto processes Continuous Documentation Meetings and Signoffs §1.1 Regulations
- 33. @meekrosoft Compliance with Standards ●Ensure that products and services are safe, reliable and of good quality. ● Reduce costs by minimizing waste and errors and increasing productivity. ● Help companies to access new markets
- 34. @meekrosoft Defined Processes ImproveQuality “Checklists seem to provide protection against such failures. They remind us of the minimum necessary steps and make them explicit. They not only offer the possibility of verification but also instill a kind of discipline of higher performance.”
- 35. @meekrosoft SW Compliance acrossthe value stream Confidential - Do Not Share Scope Product Management Software Development IT Operations
- 36.
- 37.
- 38.
- 39. @meekrosoft So how dowe get rid of “silos, batches, queues and gates” while staying compliant?
- 40. @meekrosoft The role ofDevOps in Compliance A short introduction
- 41.
- 42.
- 43.
- 44. @meekrosoft DevOps is aSocioTechnical System
- 45. @meekrosoft DevOps is aSocioTechnical System
- 46.
- 47. @meekrosoft Compliance ALSO isa SocioTechnical System
- 48. @meekrosoft Compliance ALSO isa SocioTechnical System ?
- 49.
- 50. @meekrosoft We found thatexternal approvals were negatively correlated with lead time, deployment frequency, and restore time, and had no correlation with change fail rate. In short, approval by an external body (such as a manager or CAB) simply doesn’t work to increase the stability of production systems, measured by the time to restore service and change fail rate. However, it certainly slows things down. It is, in fact, worse than having no change approval process at all. Forsgren PhD, Nicole. Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations . IT Revolution Press. Kindle Edition. Change Advisory Board
- 51. @meekrosoft The Risk “The absenceof change approval controls creates the risk of untested and unauthorized code being introduced into production.”
- 52. @meekrosoft The Challenge “Companies thatdecide to move to a DevOps model find the transition difficult as manual processes become blockers for rapid rates of change.”
- 53. @meekrosoft The Reality “PCI/DSS requirementis to use two different accounts, not necessarily two different human beings.”
- 54. @meekrosoft “we find thatthe conflict [between DevOps and Audit] is just a perception ... DevOps in fact can be considered as a practice that offers better Audit/Compliance as compliance.”
- 55.
- 56. @meekrosoft A short introduction Establishingsecurity goals for a SDLC
- 57.
- 58.
- 59. @meekrosoft ● Code reviews ●Coding Standards ● Verifiable builds ● Test coverage ● Static Analysis ● Vulnerability Scanning ● Verifiable deployments Conformance to process
- 60. @meekrosoft Audit Traceability ACME Corp. Translateinto processes Continuous Documentation Meetings and Signoffs §1.1 Regulations
- 61. @meekrosoft Immutable Infrastructure +Hash == Traceability “If everything is source code, no-one needs access to production” @topopal Immutable infrastructure Software package hash
- 62. @meekrosoft Standard Tooling ● Lowersattack surface ● Faster to onboard new users ● “Rising tide lifts all boats”
- 63. @meekrosoft Software Assurance MaturityModel. https://owaspsamm.org
- 64.
- 65.
- 66. @meekrosoft Step 0: ValueStream Mapping
- 67. @meekrosoft Step 1: Defineyour (automated) process Process Scope Product Management Software Development IT Operations Nexus Jenkins Cucumber SonarQube Docker Crucible Bitbucket
- 68.
- 69. @meekrosoft compliancedb.comcompliancedb.com Step 3: Automatethe Audit Trail System of Record Build Test Security Analysis Deploy to Staging Release Candidate? Create Artifact Code Review Data Unit Test Result Functional Test Result Analysis Result Deployment Result Compliance State
- 70. @meekrosoft Step 4: Enforcecompliance in the pipelines master
- 71. @meekrosoft Step 5: AutomateRelease Controls and Audit Documentation compliancedb.com master Release2?Release1
- 72. @meekrosoft Step 6: Usethe time you used to spend on meetings and paperwork to catch up on the latest devops cr*p
- 73. @meekrosoft Driving Security Culture witha SDLC A short introduction
- 74. @meekrosoft 740Over 740 applicationsgoing through one delivery pipeline Aim for one pipeline
- 75.
- 76. @meekrosoft Google Binary Authenticationfor Borg BAB Product Management Software Development Release Control Production
- 77.
- 78. @meekrosoftWith DevOps youCAN comply!
- 79.