Agile Relevance in the age of Continuous Everything ....
3 likes201 views
Agile has made it possible to deliver a lot product lines and service lines almost like instant coffee , tea and instant everything. It has created a lot of diverse needs especially the need to keep pace with Dev and Operations and everything is expected to continuous along the pipeline without breaking anything along the way. This would mean features , security , builds , releases and the whole nine yards that go with putting your app or product out there. We shall look at DEVSECOPS along with why everything else associated with this initiative that needs to be continuous . Without this mindset agile shall be a term that shall not have much of relevance let alone deliver a product or feature in the best quality and time frame.
Ad
More Related Content
What's hot (20)
Similar to Agile Relevance in the age of Continuous Everything .... (20)
Ad
Recently uploaded (20)
Ad
Agile Relevance in the age of Continuous Everything ....
- 1. CONTINOUS EVERYTHING IN THE AGE OF INSTANT EVERYTHING KIRAN DIVAKARAN @ETURNTI
- 2. Misys BFL Consultant and Technology Evangelist with companies to help them in their business transformation and digital transformation journeys Training and mentoring Architects and Technology leaders Enterprise Architecture Expert with the Digital India Initiative Ex Vice Chair TOGAF® Standing Committee Governing Board Member CCICI WHAT DO I DO ?
- 3. NEED FOR EVERYTHING COUNTINOUS AND BOUNDARY LESS
- 4. NOT ONLY IN PRODUCT PIPELINES BUT ALSO IN INDUSTRY VALUE CHAINS
- 5. ALL OF THIS NEEDS A CONTINUUM AND NOT BROKEN PIECES -JACK WELSH
- 6. AGE OF BOUNDARYLESS INFORMATION FLOW
- 7. APIs EVERY WHERE ENTERPRISE ARCHITECTURE AND BLURRING THE BOUNDARIES, API ECONOMY -DISCOVERING NEW BUSINESS MODELS AT INTERSECTIONS – MDI GURGAON
- 8. Courtesy : DZone APIs WITHIN A VALUE CHAIN
- 10. In 2017, the Equifax credit reporting agency used Struts in an online portal, and due to Equifax not identifying and patching a vulnerable version of Struts, attackers were able to capture personal consumer information such as names, Social Security numbers, birth dates and addresses of over 148 million US consumers, nearly 700,000 UK residents, and more than 19,000 Canadian customers. EQUIFAX SCAM
- 11. VALUE CHAIN CUTTING ACROSS MANY DOMAINS TO ACHIEVE BIZ VALUE
- 12. SALESFORCE.COM GENERATES 50 PERCENT OF ITS REVENUES VIA ITS API VIA ITS API. TRAVEL SITE, EXPEDIA, A WHOPPING 90 PERCENT OF ITS REVENUE IS CONDUCTED VIA ITS API.
- 13. EVERYTHING AROUND US HAS TO BE CONTINOUS
- 14. Continuous Everything Continuous Production Continuous Integration Continuous Automation Continuous Governance Continuous Monitoring Continuous Testing WHERE DOES THIS LEAVE US WITH SECURITY ? Continuous Security
- 16. DEVOPS IS A JOURNEY ITSELF INTRODUCING SECURITY ADDS TO THE COMPLEXITY
- 17. CAN SECURITY PACE WITH THE RATE AT WHICH CODE IS PUSHED ?
- 18. ENTER DEV SECOPS / SEC DEV / RUGGED DEV OPS = SECURITY AUTOMATION AT SCALE
- 19. IMPACT OF SECURITY ON BUSINESS Proliferation of Shadow IT Business Agility impacted due to slow security cycles. Security unable to keep pace with Business Adhoc projects and rogue development True DevOps requires maturity Slow threat assessments Not enough patching Reactive security posture of the company SECURITY OPERATIONS
- 20. WHAT ARE WE MISSING HERE ? Courtesy :Henrik Kniberg
- 21. 1. We need to discover a solution that is valuable, usable, feasible and viable. 2. We need to deliver a solution that is reliable, scalable, performant and maintainable. & Of Course SECURE WHAT WE ARE NOT CAPTURING ARE THE UNDERLYING ISSUES
- 22. Value Risk - will they use/buy it? Usability Risk - can they use it? Feasibility Risk - can we build it? Business Viability Risk - will this work for our business? Security Risk – Is our solution vulnerable or hack proof ? SOLVE OR BRAINSTORM ON THESE RISKS BEFORE YOU WRITE A LINE OF CODE
- 23. DISCOVERY AND DELIVERY Courtesy : Marty Cagan SVPG Build to learn Build to run a business DUAL TRACK AGILE - JEFF PATTON More frequent Iterations per week 1 or 2 Iterations per week PRODUCT MANAGERS / DESIGNERS ENGINEERS
- 24. Adapted from Courtesy : Marty Cagan SVPG SECURITY ADDING SECURITY TO THE ATTRIBUTE LIST
- 25. Courtesy : Marty Cagan SVPG
- 26. MOST OFTEN USED AT GOOGLE Courtesy : Marty Cagan SVPG
- 27. Y-COMBINATOR TERMINOLOGY AiRBnB USES IT Courtesy : Marty Cagan SVPG
- 28. Courtesy : Marty Cagan SVPG SPRINTS THAT WE NEED TO CONSIDER
- 29. By 2021, DevSecOps practices will be embedded in 80 per cent of development teams, up from 15 per cent in 2017. -Gartner
- 30. DEV SEC OPS - WHY Pace of innovation meets – Pace of Security Automation Scalable Architectures need Scalable Security Vulnerabilities need to be healed at the rate at which software is getting churned. Risk Identification and Remediation at the speed of delivery
- 31. Slow threat assessments Can't patch fast enough Reactive security posture Lack of business agility Slow to onboard new customers Slow turn around time Trailblazer dev projects gone wrong Lack of SecOps agility PROBLEMS AS THEY STAND
- 32. DEVELOPMENT ARCHITECTURE QA OPERATIONS TRADITIONAL S/W DEVELOPMENT – NOT CONTINOUS
- 33. WHAT WE NEED ? MONITORING & SECURITY TO BE ADDED TO MAKE IT CONTINOUS PLAN – CODE –BUILD-TEST-RELEASE-DEPLOY-OPERATE-MONITOR-PLAN
- 34. CLOUD ADDS TO THE COMPLEXITY MOVING TO THE CLOUD BABY STEPS MORE THAN ONE CLOUD MULTI CLOUD SCENARIO SECURITY RESOURCES & CHECKLISTS COMPLIANCE AND REGULATIONS OPEX
- 35. DEVS OPS DESIGN REVIEW TEST UNIT TEST MOCK TESTS PERFORMANCE SECURITY MEMORY MANAGEMENT NRFS SECURITY RESPONSIVE NESS RUN STUFF BREAK THE BUILD REPEAT HOW DEVELOPERS SEE OPS FOLKS ?
- 36. WHAT DEVELOPERS WANT ? Ease of checking in and checking out Able to play and experiment with emerging technologies Ability to push code regardless of the platform ABOVE ALL A GOOD NIGHTS SLEEP
- 37. DEVS DEV ITIL COMPLIANCE REDUCE CARBON FOOTPRINT TEST GO GREEN SUPPORT DIFF ENVS TICKETING SECURITY VIRTUALIZE CMRB PCI DSS KEEP THE LIGHTS ON WRITE CODE TEST SOME AND RELEASE HOW OPERATIONS FOLKS SEE DEVELOPERS NETWORKS OS ACCESS CONTROL
- 38. WHAT MAKES SECURITY FOLKS RELAX ALL VULNERABILITIES ARE DISCOVERED AND FIXED IN TIME ALL COMPLIANCES AND REGULATIONS ARE MET ALL ATTACKS HAVE A PLANNED STRATEGY AND NO SURPISES ABLE TO KEEP IN PACE WITH THE SPEED OF DEVELOPMENT AUTOMATED PROCESSES FOR STATIC AND DYNAMIC TEST ( SAST , DAST , IAST )
- 39. WHAT WE NEED IS TOOLS AND PROCESS ? MONITORING & SECURITY TO BE ADDED TO MAKE IT CONTINOUS CHECKS PRESENT CHECKS PRESENT NEEDS ACTION NEEDS ACTION NEEDS ACTION NEEDS ACTION
- 40. CI / CD SOLUTION IS ONE OF THE IMPORTANT TOOLS FOR DEVSECOPS
- 41. CI / CD PIPLELINE IS WHERE THE ACTION HAPPENS BUILD PROCESSES ALONG THAT 1. REVIEW ACCESS ROLES 2. HARDENNING SERVERS AND NODES 3. ARTIFACTS / THIRD PARTY LIBS VALIDATION BEFORE ADDING THEM TO THE TRUNK 4. STATIC CODE ANALYSIS 5. DYNAMIC ANALYSIS
- 42. MILLION DOLLAR QUESTION ? WHO BROKE THE BUILD ?
- 43. DO NOT LET SECURITY BREAK YOUR BUILD When Cl breaks (and it breaks) it impacts everyone and everything in the process. Creating a significant delay in the release cycle. Start implementing security before the Continuous integration stage. If you have 365 developers and each developer breaks only a single build once a year (usually much more), you have an average of one build break per day.
- 44. SECURITY CANNOT BE A BLOCKER IT HAS TO KEEP PACE
- 45. SECURITY WISH LIST OPERATIONAL CHECKS AUTOMATIC FAULT DETECTION AND CORRECTION AUTOMATION REMIADIATION AUTOMATIC AUDITING & FORENSICS CODE LEVEL CHECKS SECURE CODING PRACTICES PRO ACTIVE CONTROLS IN THE CODE BUILD LEVEL CHECKS VULNERABILITY CHECKS CONFIGURATION SCRUBBING DEPLOY CHECKS CONTINOUS VULNERABILITY SCANS PICK ONLY AUTHENTIC IMAGES GRANT JUST ENOUGH SERVER ACCESS
- 46. Command and Control Low trust Organizations Empowered High trust Organizations
- 47. DEVOPS IS FOR HORSES TOO NOT ONLY UNICORNS MYTH
- 48. IF YOU CAN DO IT FOR SAP YOU CAN DO IT FOR ANYTHING
- 49. PROBLEMS & SOLUTIONS IN FRONT OF US
- 50. PUSH THE RESPONSIBILTY TO THE DEVELOPERS Whitepaper : ROI of Shifting Left in your SDLC
- 51. AIM FOR LESS FALSE POSITIVES AIM FOR HIGH QUALITY AIM FOR SPEED OF DELIVERY
- 52. SECURITY NEEDS MORE THAN JUST LIP SERVICE Typically the ratio of DEVto OPSto SEC is 100/ 10 / 1
- 53. APPLICATION SECURITY ACCOUNTS FOR ABOUT 29 ~ 40 % OF ALL BREACHES
- 54. Automatic has issues as Security Issues if found cannot be stopped How To Put The Sec In DevOps – Helen Bravo Manual has better control not faster
- 55. THE NETFLIX WAY Aardvark and Repokid PRINCIPLE OF LEAST PRIVILEGE
- 56. Positive testing determines that your application works as expected. If an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.
- 57. Invite both sides of the table to the meeting DEV and OPS Incidents Threat Modelling Security Sprints Etc.
- 59. MEASURE MEASURE & MEASURE
- 60. FEED BACK PENETRATION RESULTS INTO UNIT TESTS
- 61. CREATE A CULTURE WHICH IS HIGH ON THE SECURITY DNA Make it public when you fix things and update on internal wiki Share Point or CMDB for all fixes on Security Do not make it personal fix the issue not the person Arrange for tech talks to spread the know how of the fixes Educate DEV and OPS to read security tool analysis well Shadow resources who could build capabilities
- 62. The further right the project is on the DevOps scale the further left it should start implementing security checks
- 64. COST OF NOT FIXING AT THE RIGHT TIME SHIFT LEFT TO GAIN Courtesy : Tanya Janca, Senior Cloud Developer Advocate, Microsoft
- 65. MOVE SECURITY UP THE CHAIN IN REVERSE ORDER Courtesy : Tanya Janca, Senior Cloud Developer Advocate, Microsoft
- 66. CONTINOUS LEARNING IS KEY
- 67. ACTION ITEMS POST THIS CONFERENCE
- 68. Add security verification to Cl/CD Pipelines Critical security bugs break the build In the first three months following this presentation you should: Create Negative Unit Tests from existing positive unit tests Lessons on top 3 security bugs High security bugs break the build Within six months you should: Regular lessons on AppSec, including a security exercise or simulation Improvements of security processes for speed and removal of obstacles Creation of parallel security pipeline Medium security bugs break the build NEXT STEPS FOR YOU
- 69. LIST OF TOOLS OUT THERE
- 70. USEFUL THOUGHT TO CARRY ☺
- 71. REFERENCES 1. https://www.linkedin.com/pulse/dynamics-devops-adoption-dr-pallab-saha/ 2. https://www.youtube.com/watch?v=Qa_Fq7wWRdA 3. https://developer.akamai.com/blog/2017/10/11/cdns-evolving-role-new-devops-world 4. https://www.youtube.com/watch?v=Qa_Fq7wWRdA 5. https://www.youtube.com/watch?v=i43yWwcQfTs&list=PLjNII-Jkdjfz5EXWlGMBRk63PC8uJsHMo&index=3 6. https://www.youtube.com/watch?v=ayKTn2ZgGJI 7. https://www.youtube.com/watch?v=0KG9XRCKK78&t=108s 8. https://www.waratek.com/waf-to-runtime-protection/ 9. https://www.opengroup.org/cio/ReferenceArc-Final1.pdf