
A Journey to Secure DevOps
Pete Chestna, Director of Developer Engagement
Veracode, Inc

© 2016 VERACODE INC. 1


Goals

• Development methodologies used at Veracode – Waterfall, Agile, DevOps
  – People
  – Process
  – Technology
  – Security
• Veracode’s journey
  – What did we change
  – What were the results
Veracode Timeline

• 2006 – Veracode founded / Waterfall
• 2012 – Agile
• 2013 – Purina
• 2014 – Microservices
• 2015 – DevOps


Transformation – People/Org/Culture

Felt like…

Management
• Leading change
• Organizational
  – Breaking the silos
  – New specialties
• New skills – care & feeding
• New expectations

Individual
• Uncertainty / fear / anger
• Organizational
  – New manager
  – New team / peers
• New skills – cross-functional
• New expectations


Transformation - Process

Looked like…

Most of the change occurred in Agile

• Waterfall -> Agile was revolutionary
• Agile -> DevOps was evolutionary
• Like the Monty Python theory of dinosaurs: thin at one end, much thicker in the middle, thin again at the far end


Transformation - Technology

(Diagram: the tooling in use under Waterfall, Agile and DevOps)


In the beginning… there was Waterfall

Waterfall - Process

Finding anything late creates a cycle of waste


Waterfall - People

(Diagram: one silo per phase, each handing off to the next)
• Requirements
• Architecture
• Development
• Quality
• Security
• Operations


Waterfall - Technology (Old School)
• Gantt charts
• Text documents
  – Requirements
  – Architecture
  – Designs
  – Test plans
• Manual tests
• Manual deploy
• Shell scripts
• SQL scripts
Waterfall - Security

• Occurred during the testing cycle
• Back end of the process
• Unpredictable amount of work
• Mostly manual


Coming of Age: Agile
Agile - Process

(Scrum process diagram; Copyright 2005, Mountain Goat Software)
Agile - People

(Diagram: organization still split into separate groups)
• Dev / QA
• IT Dept
• OPS
• Security
Agile – Technology Initially



Agile – Security – Early Days

(Diagram, steps as numbered in the original)
1. Develop
2. Check in
3. Agile build
4. Static analysis
5. Security results fed back into the Agile backlog

Steps 1–3 happen inside the sprint; the static analysis and its results land in a separate hardening sprint, and only then reach the backlog.


Agile – Security – Automated and Integrated

(Diagram, steps as numbered in the original)
1. Develop
2. Check in
3. Build & Test
4. Nightly build
5–6. Static analysis of the nightly build
7. Synchronize results with the Agile backlog
Agile – Security is not limited to automation of static analysis!

• Security Champions
• Security Grooming (Requirements Review)
• Security as part of the Definition of Done
• Threat Modeling
• Secure Code Review
• Pen Testing
• Pre-Production Dynamic Analysis
Agile – Culture clash with OPS and Security


We Have Arrived: DevOps
DevOps - Process



DevOps - People

• Break the Silos
• Reorganize
• Change the Culture


DevOps - Technology

• Automate! Automate! Automate!
• Feature switching for controlled rollout
• Rolling upgrades for zero downtime
• Make incremental changes
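Feature switching for controlled rollout, as an added example that is not part of the deck and not Veracode's own tooling: a flag assigns each subject to a stable hash bucket so a rollout can be ramped from 0 to 100 percent without anyone flapping in and out, and a kill switch turns the feature off everywhere without a redeploy. The flag name, the subject ids, the allow list and the 10,000-bucket granularity are all assumptions made for the example.

```python
"""Feature switch with deterministic percentage rollout and a kill switch (added example)."""
import hashlib
from dataclasses import dataclass, field

BUCKETS = 10_000  # assumption: 0.01% rollout granularity


@dataclass
class FeatureFlag:
    name: str
    rollout_percent: float = 0.0          # share of the population that sees the feature
    enabled: bool = True                   # kill switch: False turns the feature off for everyone
    allow_list: frozenset = field(default_factory=frozenset)  # e.g. internal testers

    def bucket(self, subject_id: str) -> int:
        # Hash the flag name together with the subject so every flag gets an
        # independent but stable assignment: the same subject always lands in
        # the same bucket for this flag, across processes and restarts.
        digest = hashlib.sha256(f"{self.name}:{subject_id}".encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") % BUCKETS

    def is_enabled_for(self, subject_id: str) -> bool:
        if not self.enabled:                # kill switch wins over everything else
            return False
        if subject_id in self.allow_list:   # explicit opt-in regardless of percentage
            return True
        # Buckets below the cut-off are in. Raising rollout_percent only adds
        # subjects; nobody who was already in drops out (monotonic ramp).
        return self.bucket(subject_id) < self.rollout_percent / 100 * BUCKETS


def enabled_subjects(flag: FeatureFlag, subject_ids) -> set:
    """Return the subset of subject_ids that currently sees the feature."""
    return {s for s in subject_ids if flag.is_enabled_for(s)}


def ramp(flag: FeatureFlag, subject_ids, steps=(1, 10, 50, 100)) -> dict:
    """Simulate ramping the flag through the given percentages.

    Returns {percent: enabled set}. Each stage should be a superset of the
    previous one; check that before trusting the rollout mechanism.
    """
    result = {}
    for pct in steps:
        flag.rollout_percent = pct
        result[pct] = enabled_subjects(flag, subject_ids)
    return result


def ramp_is_monotonic(stages: dict) -> bool:
    """True if no subject that was enabled at a lower percentage is dropped at a higher one."""
    ordered = [stages[p] for p in sorted(stages)]
    return all(a <= b for a, b in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    # Constructed population; a real system would hash a user, tenant or host id.
    population = [f"user-{i}" for i in range(5000)]
    flag = FeatureFlag("new-login-flow", allow_list=frozenset({"user-7"}))
    stages = ramp(flag, population)
    for pct, subjects in stages.items():
        print(f"{pct:3d}% -> {len(subjects) / len(population):.1%} of population")
    print("monotonic:", ramp_is_monotonic(stages))
    flag.enabled = False  # kill switch: instant rollback without a redeploy
    print("after kill switch:", len(enabled_subjects(flag, population)))
```

Hashing the flag name into the bucket matters: if every flag used the same bucket for a subject, the first 10 percent of users would be the guinea pigs for every feature at once. The kill switch is the rollback path the "rolling upgrades for zero downtime" bullet depends on; it needs no new build, only a configuration change.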


DevOps - Security

(Diagram slides)


DevOps – Security – Integrated into CD Pipeline

(Diagram, steps as numbered in the original)
1. Develop
2. Check in
3. CI: Build & Test
4. Check-in then CI/CD pipeline
5. Static analysis
6. Static analysis and unit tests – Pass?
   – No: synchronize findings into the backlog (7)
   – Yes: deploy to QA/Stage (7)
8. Dynamic analysis and regression testing per stage – Pass?
   – Yes: Prod
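The gate and backlog-synchronization steps of the pipeline above (static analysis, then Pass? with either synchronize-to-backlog or deploy), as an added example that is not code from the deck or from any Veracode product. It assumes scan results have already been parsed into a list of findings, keys tickets by a fingerprint that deliberately ignores line numbers, and treats the severity names, CWE ids, file names and sample findings as constructed input. The same `gate` function can be applied to dynamic-analysis findings at the later Pass? step.

```python
"""CI/CD static-analysis gate with backlog synchronization (added example)."""
import hashlib
from dataclasses import dataclass

# Severity order used by the gate policy (assumed names).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass(frozen=True)
class Finding:
    cwe: int
    file: str
    function: str
    severity: str
    line: int
    mitigated: bool = False   # reviewed and accepted or mitigated, so it does not block


def fingerprint(cwe: int, file: str, function: str) -> str:
    # Line numbers move on every commit; keying on CWE + file + function keeps a
    # ticket attached to the same flaw across builds instead of reopening it daily.
    return hashlib.sha256(f"{cwe}:{file}:{function}".encode("utf-8")).hexdigest()[:12]


def gate(findings, fail_at="high"):
    """Pass/fail decision: block on unmitigated findings at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if not f.mitigated and SEVERITY_RANK[f.severity] >= threshold]
    return len(blocking) == 0, blocking


def synchronize(findings, backlog):
    """Reconcile scan findings with the backlog.

    backlog maps fingerprint -> ticket dict with at least a 'status'.
    New findings open tickets, findings that disappeared close their ticket,
    and a finding that comes back reopens a closed one. Returns (new backlog,
    list of (action, fingerprint)) and leaves the input backlog untouched.
    """
    current = {fingerprint(f.cwe, f.file, f.function): f for f in findings}
    updated = dict(backlog)
    actions = []
    for fp, f in current.items():
        if fp not in updated:
            updated[fp] = {"status": "open", "severity": f.severity,
                           "title": f"CWE-{f.cwe} in {f.file}:{f.function}"}
            actions.append(("open", fp))
        elif updated[fp]["status"] == "closed":
            updated[fp] = {**updated[fp], "status": "reopened"}
            actions.append(("reopen", fp))
    for fp, ticket in backlog.items():
        if fp not in current and ticket["status"] != "closed":
            updated[fp] = {**ticket, "status": "closed"}
            actions.append(("close", fp))
    return updated, actions


def run_stage(findings, backlog, fail_at="high"):
    """One pipeline stage: decide the gate, then synchronize the backlog either way."""
    passed, blocking = gate(findings, fail_at)
    updated, actions = synchronize(findings, backlog)
    return {"passed": passed, "blocking": blocking, "backlog": updated, "actions": actions}


# Constructed sample input (not real scan output).
SCAN_RESULTS = [
    Finding(89, "api/orders.py", "lookup_order", "very high", 42),              # already ticketed
    Finding(79, "web/render.py", "render_comment", "high", 88),                 # new this build
    Finding(327, "lib/crypto.py", "hash_token", "medium", 10, mitigated=True),  # new, accepted
]
PREVIOUS_BACKLOG = {
    fingerprint(89, "api/orders.py", "lookup_order"):
        {"status": "open", "severity": "very high", "title": "CWE-89 in api/orders.py:lookup_order"},
    fingerprint(22, "api/files.py", "read_attachment"):
        {"status": "open", "severity": "high", "title": "CWE-22 in api/files.py:read_attachment"},
}

if __name__ == "__main__":
    result = run_stage(SCAN_RESULTS, PREVIOUS_BACKLOG)
    print("gate passed:", result["passed"])
    for f in result["blocking"]:
        print(f"  blocking: CWE-{f.cwe} {f.severity} {f.file}:{f.line}")
    for action, fp in result["actions"]:
        print(f"  backlog {action}: {result['backlog'][fp]['title']}")
```

Synchronizing even when the gate fails is the point of the "No" branch in the diagram: the failed build still updates the backlog, so the team sees the blocking item in its normal planning view rather than only in a red pipeline. Closing tickets whose findings disappeared, and reopening them if the flaw returns, keeps the backlog honest without a human re-triaging every nightly scan.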
DevOps – Pervasive Security

Across the whole pipeline: Plan, Code, Build, Test, Stage, Deploy, Monitor

• Training (eLearning, instructor led, metadata driven)
• Static Application Security Testing + 3rd Party Risk Analysis
• Dynamic Application Security Testing
• Runtime Application Self Protection
• Threat Modeling
• Secure Design
• Security Grooming
• Secure Code Reviews
• Remediation and Mitigation Guidance
• Manual Penetration Testing
• Red Team Activities


This Is Our Journey

Innovation
• Revolution at the micro level
• Evolution at the macro level

Continuous Improvement
• Always constructively dissatisfied
• Hypothesize, prototype, measure
• Sharpen the saw

Empathy
• Project Purina
• We have been where our customers are going
Thank You!
