Positioning Agile and Continuous Delivery for Auditors and Examiners
Credits
Dion
Director of IT Architecture
Development Team
• Fred
Senior Java Developer, Senior Architect
• Ahmed
Senior Continuous Delivery Engineer
• Geeta
Quality Assurance Engineer
• Bonita
Business Analyst
• Allan
Database Developer
• Jamil
Business Analyst
Operations Team
• Brad
Network Engineer
• Karthik
Senior Network Engineer
• Richard
Senior System Engineer
• Thomas
Senior System Engineer
• Reji
Senior Application Engineer, Architect
• Aditya
Application Engineer
• Rajesh
Senior Application Engineer
• Charlie
Database Administrator, Senior Architect
Where to Start
• Have the right mindset
  – Look at audits and examinations as a challenge, not a burden
  – Understand that audits are in place for the benefit of consumers
• Understand your auditor’s goals
  – Does this entity have a sound development practice?
  – Do they have repeatable processes that ensure consistent results?
  – Do you have the appropriate controls in place?
  – Does your management team understand the risk they are exposed to?
Taking a Step Back…Let’s Start with the Bible
During an examination, the examiner explained that he wanted to see our “Bible”, aka our SDLC. He wanted every step to be documented and auditable so he could be sure that every project followed the exact process, every time.
Credit: http://www.stpatselkhorn.org/AdultFormation/BibleStudy.aspx
Tips and Techniques for Audits and Exams
1 - 6 : Common Sense & Agile Education
7 - 12 : Continuous Delivery Education
13 - 18 : Demonstrating Maturity
19 - 21 : Orchestrate for Improved Quality
22 - 24 : Source Code Control is KEY
25 : Getting Ahead
Common Sense & Agile Education
Credit: http://flickfacts.com/movie/4925/back-to-school
Common Sense & Agile Education
#1 Socialize Your Plans!
#2 Don’t Risk the Crown Jewels
#3 Demonstrate Your Expertise
  – Training Programs (Secure Coding, etc.)
  – Meetups & User Groups
  – Conferences (DevOps Enterprise!)
#4 Map Agile to Waterfall
#5 Explain Benefits of Shorter Cycle Time
#6 Explain How Small Batches Reduce Risk
  – Schedule risk: feature creep, gold plating
  – Quality risk: new bugs, instability
  – Business risk: wrong functionality, missed opportunity
#4 Map Agile SDLC to Waterfall SDLC
Design phase: Waterfall vs. Agile

Design
  Waterfall: The entire application is designed at one time.
  Agile: The design evolves as the application is developed.
  Waterfall: The design is created by technical resources working from the requirements.
  Agile: The design is created by the developers working with the key stakeholders.
  Waterfall: The design is based on the best estimate of how the application is used.
  Agile: The design is based on customer behavior.

Design Review
  Waterfall: The design is reviewed by technical resources to ensure completeness and accuracy.
  Agile: The design is shown as a working solution to the Product Owner and other stakeholders.
  Waterfall: Changes to the design may have a major ripple effect on the rest of the application.
  Agile: The design is continually revisited and adjusts to customer need.

Design Sign Off
  Waterfall: A specific step where designated parties agree that the design is complete and accurate.
  Agile: Implicit to the process when everyone agrees that the work is acceptable to go to production (Sprint Review).
Continuous Delivery Education
#7 An Automated Process is far more Auditable!
#8 Correct Version of the Application
  – Great tools to manage environment sprawl
#9 Infrastructure as Code
  – Environments stay in sync
  – Environments can be built on demand
  – Environments are documented and version controlled
#10 Static Code Analysis
#11 Automated Testing
#12 Repository Management
Sonar – Tracking Over Time
(Chart: Number of Issues over time, 0 to 18000, plotted as total Issues and by severity: Blocker, Critical, Major, Minor, Info.)
#11 Automated Testing – Unexpected Result
Automated tests are the answer to MANY questions about reducing risk… but they open the door to a whole new world of questions:
• Who validated that the automated test worked correctly?
• How do you know that the test meets the desired result?
• How can you be sure you have sufficient coverage?
• Where are the tests for specific user stories?
Demonstrating Maturity
Credit: http://ihkstories.com/maturity-is-not-when-we-start-speaking-big-thingsit-is-when-we-start-understanding-small-things/
#13 Go Digital
Online Agile Boards
An auditor once pulled a sticky off our physical board that was in the Ready for Test queue. He asked, “If I don’t put this back, how do you know this was tested?”
#14 Automating Sign-Offs
Credit: http://www.polscheit.de/plugins/jira/group-sign-off/images/GroupSignOff-Banner.png
#15 Automating Documentation
Credit: http://jiraxporter.xpand it.com/download/attachments/327684/Banner.png?version=1&modificationDate=1364461203281&api=v2
Bank Assetpoint Agile Implementation
(Screenshots of generated documentation, retrieved from Jira.)
#16 Logging Pipeline Activity
#17 Capturing Meaningful Metrics
(Chart: Positive Sprint Quality Trend, sprints 1 to 25, y-axis 0 to 80.)
(Chart: Sprint 2014-1, ten data points, series Done, QA, In Progress, Backlog, y-axis 0 to 18.)
#18 Add one more meeting
Sprint Planning Review Meeting
• Additional demonstration of oversight
• Shows that we are willing to adapt to meet company goals
• Great catch-all for interested stakeholders
Orchestrate for Improved Quality
Credit: http://accupackmidwest.com/quality-control
#19 Keep QA Firmly in the Process
• When new code comes into the Test Environment
• When new code can be moved to a higher environment
• Perform the deployment to the Staging Environment
• Perform the deployment to the Production Environment
#20 Don’t Forget Operations
• The System Engineering Team controls when code can enter the Staging Environment
• The Application Engineering Team controls when code can enter the Production Environment
#21 When All Else Fails – Email!
Email notifications keep parties informed:
• Security
• Compliance
• Management
• Operations
• Product Owner
Source Code Control is KEY
#22 Demonstrate Permissions
Making sure that the appropriate controls are in place in Git is critical. You will need to use a management tool on top of Git, like Stash.
#23 Code Reviews with Pull Requests
#24 Secure Your Pull Requests
Custom Git Hook
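As an added example (not from the slides, and not the speaker's hook), one shape the custom hook for #24 can take: a server-side pre-receive hook that refuses direct pushes to protected branches, so changes only land there through a pull request merged by the server's service account, and records rejected attempts for the audit trail (#16). The pushing-user variable GIT_PUSHER, the service account name stash-merge, and the log path are hypothetical placeholders; a real Stash/Bitbucket server exposes the pusher its own way.

```shell
#!/bin/sh
# pre-receive hook (added example, not from the slides).
# Policy: protected branches accept updates only from the pull-request
# merge service account; every other direct push is rejected and logged.
# Hypothetical assumptions: $GIT_PUSHER carries the pushing user's name,
# the merge service account is "stash-merge", and the audit log path below
# is writable by the Git server.

PROTECTED_BRANCHES="refs/heads/master refs/heads/release"
MERGE_ACCOUNT="${MERGE_ACCOUNT:-stash-merge}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/git-hooks/direct-push-attempts.log}"
ZERO_SHA="0000000000000000000000000000000000000000"

# is_protected REFNAME -> 0 when the ref is on the protected list, else 1
is_protected() {
  for b in $PROTECTED_BRANCHES; do
    [ "$1" = "$b" ] && return 0
  done
  return 1
}

# check_ref OLDREV NEWREV REFNAME PUSHER -> 0 allow, 1 reject
check_ref() {
  oldrev=$1; newrev=$2; refname=$3; pusher=$4
  # Feature branches are not protected: always accepted.
  is_protected "$refname" || return 0
  # Deleting a protected branch is never allowed, not even for the merge account.
  [ "$newrev" = "$ZERO_SHA" ] && return 1
  # Only the PR-merge service account may update a protected branch.
  [ "$pusher" = "$MERGE_ACCOUNT" ] && return 0
  return 1
}

# Hook body: Git feeds one "oldrev newrev refname" line per ref on stdin.
# Guarded by RUN_AS_HOOK so the file can be sourced for testing without
# consuming stdin; install it with RUN_AS_HOOK=1 set in the hook environment.
if [ "${RUN_AS_HOOK:-0}" = "1" ]; then
  status=0
  pusher="${GIT_PUSHER:-unknown}"
  while read -r oldrev newrev refname; do
    if ! check_ref "$oldrev" "$newrev" "$refname" "$pusher"; then
      # Audit record for examiners: who tried to bypass review, on which ref, when.
      printf '%s REJECT %s %s -> %s by %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$refname" "$oldrev" "$newrev" "$pusher" \
        >> "$AUDIT_LOG" 2>/dev/null
      echo "rejected: $refname accepts changes only via a reviewed pull request" >&2
      status=1
    fi
  done
  exit $status
fi
```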
Getting Ahead
Credit: https://dzihxiql01vk4.cloudfront.net/wp-content/uploads/2013/06/Get-Ahead-with-Repricing.jpg
#25 Be Aware of Outstanding Audit Risks
• Get ahead of permission questions
  – Jenkins, Puppet, Nexus, Stash, etc.
• Using Active Directory to manage permissions is a good start, but who is reviewing Active Directory?
• Continuous Improvement means that you are not following the same process over and over
  – Allowing Agile teams to change their development process to make themselves more efficient is scary to auditors
Here's what I would like help with
• How do you ensure (and regularly audit) that the appropriate people have the appropriate access to the appropriate tools?
• How do you empower individuals but still ensure you have management oversight?
Questions?
Thank you!
Simon Storm
sstorm@promnetwork.com
@simonpstorm
www.linkedin.com/pub/simon-storm/0/b32/3b6/
chapter_2.ppt The labour market definitions and trends
 
magnetic-pensions-a-new-blueprint-for-the-dc-landscape.pdf
magnetic-pensions-a-new-blueprint-for-the-dc-landscape.pdfmagnetic-pensions-a-new-blueprint-for-the-dc-landscape.pdf
magnetic-pensions-a-new-blueprint-for-the-dc-landscape.pdf
 
The Triple Threat | Article on Global Resession | Harsh Kumar
The Triple Threat | Article on Global Resession | Harsh KumarThe Triple Threat | Article on Global Resession | Harsh Kumar
The Triple Threat | Article on Global Resession | Harsh Kumar
 
原版1:1复刻温哥华岛大学毕业证Vancouver毕业证留信学历认证
原版1:1复刻温哥华岛大学毕业证Vancouver毕业证留信学历认证原版1:1复刻温哥华岛大学毕业证Vancouver毕业证留信学历认证
原版1:1复刻温哥华岛大学毕业证Vancouver毕业证留信学历认证
 
Bladex 1Q24 Earning Results Presentation
Bladex 1Q24 Earning Results PresentationBladex 1Q24 Earning Results Presentation
Bladex 1Q24 Earning Results Presentation
 
AfRESFullPaper22018EmpiricalPerformanceofRealEstateInvestmentTrustsandShareho...
AfRESFullPaper22018EmpiricalPerformanceofRealEstateInvestmentTrustsandShareho...AfRESFullPaper22018EmpiricalPerformanceofRealEstateInvestmentTrustsandShareho...
AfRESFullPaper22018EmpiricalPerformanceofRealEstateInvestmentTrustsandShareho...
 

DOES14 - Simon Storm - Promontory

  • 7. Common Sense & Agile Education
    #1 Socialize Your Plans!
    #2 Don't Risk the Crown Jewels
    #3 Demonstrate Your Expertise
      - Training Programs (Secure Coding, etc.)
      - Meetups & User Groups
      - Conferences (DevOps Enterprise!)
    #4 Map Agile to Waterfall
    #5 Explain Benefits of Shorter Cycle Time
    #6 Explain How Small Batches Reduce Risk
      - Schedule risk: feature creep, gold plating
      - Quality risk: new bugs, instability
      - Business risk: wrong functionality, missed opportunity
  • 8. #4 Map Agile SDLC to Waterfall SDLC

    Design
      Waterfall: The entire application is designed at one time.
      Agile:     The design evolves as the application is developed.
      Waterfall: The design is created by technical resources working from the requirements.
      Agile:     The design is created by the developers working with the key stakeholders.
      Waterfall: The design is based on the best estimate of how the application is used.
      Agile:     The design is based on customer behavior.

    Design Review
      Waterfall: The design is reviewed by technical resources to ensure completeness and accuracy.
      Agile:     The design is shown as a working solution to the Product Owner and other stakeholders.
      Waterfall: Changes to the design may have a major ripple effect on the rest of the application.
      Agile:     The design is continually revisited and adjusts to customer need.

    Design Sign Off
      Waterfall: A specific step where designated parties agree that the design is complete and accurate.
      Agile:     Implicit to the process when everyone agrees that the work is acceptable to go to production (Sprint Review).
  • 11. Continuous Delivery Education
    #7 An Automated Process is far more Auditable!
    #8 Correct Version of the Application
      - great tools to manage environment sprawl
    #9 Infrastructure as Code
      - Environments stay in sync
      - Environments can be built on demand
      - Environments are documented and version controlled
    #10 Static Code Analysis
    #11 Automated Testing
    #12 Repository Management
  • 12. Sonar – Tracking Over Time [Chart: number of issues over time, broken down by severity: Blocker, Critical, Major, Minor, Info]
  • 14. #11 Automated Testing – Unexpected Result
    Automated tests are the answer to MANY questions about reducing risk… but they open the door to a whole new world of questions:
    - Who validated that the automated test worked correctly?
    - How do you know that the test meets the desired result?
    - How can you be sure you have sufficient coverage?
    - Where are the tests for specific user stories?
  • 17. #13 Go Digital Online Agile Boards An Auditor once pulled a sticky off our physical board that was in the Ready for Test queue. He asked “if I don’t put this back, how do you know this was tested?”
  • 18. #14 Automating Sign-Offs Credit: http://www.polscheit.de/plugins/jira/group-sign-off/images/GroupSignOff-Banner.png
  • 19. #15 Automating Documentation Credit: http://jiraxporter.xpand it.com/download/attachments/327684/Banner.png?version=1&modificationDate=1364461203281&api=v2
  • 20. Bank Assetpoint Agile Implementation [Screenshots retrieved from Jira]
  • 22. #17 Capturing Meaningful Metrics [Charts: "Positive Sprint Quality Trend" across sprints 1–25; "Sprint 2014-1" status breakdown (Done, QA, In Progress, Backlog)]
  • 23. #18 Add one more meeting: Sprint Planning Review Meeting
    • Additional demonstration of oversight
    • Shows that we are willing to adapt to meet company goals
    • Great catch-all for interested stakeholders
  • 24. Orchestrate for Improved Quality Credit: http://accupackmidwest.com/quality-control
  • 25. #19 Keep QA Firmly in the Process
    QA controls:
    - When new code comes into the Test Environment
    - When new code can be moved to a higher environment
    - Performing the deployment to the Staging Environment
    - Performing the deployment to the Production Environment
  • 26. #20 Don't Forget Operations
    The System Engineering Team controls when code can enter the Staging Environment.
    The Application Engineering Team controls when code can enter the Production Environment.
  • 27. #21 When All Else Fails – Email!
    Email notifications keep parties informed:
    - Security
    - Compliance
    - Management
    - Operations
    - Product Owner
  • 29. #22 Demonstrate Permissions
    Making sure that the appropriate controls are in place in Git is critical. You will need a management tool on top of Git, like Stash.
  • 30. #23 Code Reviews with Pull Requests
  • 31. #24 Secure Your Pull Requests – Custom Git Hook
  • 33. #25 Be Aware of Outstanding Audit Risks
    - Get ahead of permission questions
      • Jenkins, Puppet, Nexus, Stash, etc.
    - Using Active Directory to manage permissions is a good start, but who is reviewing Active Directory?
    - Continuous Improvement means that you are not following the same process over and over
      • Allowing Agile teams to change their development process to make themselves more efficient is scary to auditors
  • 34. Here's what I would like help with
    - How do you ensure (and regularly audit) that the appropriate people have the appropriate access to the appropriate tools?
    - How do you empower individuals but still ensure you have management oversight?
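Slides 29 to 31 (#22 to #24) and the speaker notes for them describe the control the deck relies on: only a select group may merge into the development branch, and only directory-backed users may check in and approve pull requests. The script below is an added example written for this page, not the deck's hook and not Stash's code: a server-side Git `update` hook that rejects a ref update when the pusher is not on the merger allowlist for a protected branch, or when any pushed commit carries an identity that does not belong to the corporate directory. It assumes, hypothetically, that the hosting layer exposes the authenticated pusher in an environment variable named `PUSHER`, that directory-backed identities can be recognised by e-mail domain (a stand-in for an LDAP/AD lookup), and that the branch name, allowlist and domain are constructed for illustration.

```python
"""
Server-side Git 'update' hook: only allowlisted mergers may update a protected
branch, and every commit they push must carry a directory-backed identity.

Added example for this page, not the deck's hook. Hypothetical assumptions:
  * the hosting layer sets the authenticated pusher in $PUSHER (name assumed);
  * directory-backed users are recognised by e-mail domain (stand-in for an
    LDAP/AD lookup);
  * branch name, allowlist and domain below are constructed for illustration.
"""
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    protected_refs: FrozenSet[str]   # refs that only mergers may update
    mergers: FrozenSet[str]          # accounts permitted to update them (lower-case)
    corp_domains: FrozenSet[str]     # e-mail domains that map to directory accounts


def check_push(refname: str, pusher: str, commit_emails: Sequence[str],
               policy: Policy) -> Tuple[bool, str]:
    """Decide one ref update. Pure function: no git, no environment, so the
    policy can be unit-tested and reviewed independently of the server."""
    if refname not in policy.protected_refs:
        return True, "unprotected ref"
    if pusher.lower() not in policy.mergers:
        return False, f"{pusher!r} is not permitted to update {refname}"
    outsiders = sorted(
        e for e in commit_emails
        if "@" not in e or e.rsplit("@", 1)[1].lower() not in policy.corp_domains
    )
    if outsiders:
        return False, "non-directory identities in pushed commits: " + ", ".join(outsiders)
    return True, "ok"


def new_commit_emails(oldrev: str, newrev: str) -> List[str]:
    """Author and committer e-mails of the commits this update introduces.
    Needs git on PATH and a repository; not exercised by the unit test."""
    zero = "0" * 40
    rng = newrev if oldrev == zero else f"{oldrev}..{newrev}"   # new branch vs. update
    out = subprocess.run(
        ["git", "rev-list", "--format=%ae%n%ce", rng],
        check=True, capture_output=True, text=True,
    ).stdout
    # rev-list prefixes each formatted entry with a "commit <sha>" line; drop those.
    return [line for line in out.splitlines() if line and not line.startswith("commit ")]


DEFAULT_POLICY = Policy(                      # constructed values
    protected_refs=frozenset({"refs/heads/develop"}),
    mergers=frozenset({"alice", "bob"}),
    corp_domains=frozenset({"example.com"}),
)


def main(argv: Sequence[str]) -> int:
    refname, oldrev, newrev = argv[1:4]                 # 'update' hook arguments
    pusher = os.environ.get("PUSHER", "")               # assumed to be set by the host
    ok, reason = check_push(refname, pusher, new_commit_emails(oldrev, newrev),
                            DEFAULT_POLICY)
    if not ok:
        print(f"rejected: {reason}", file=sys.stderr)   # non-zero exit rejects the ref
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as `hooks/update` on the server, the hook is invoked once per ref with `refname oldrev newrev`; a non-zero exit rejects only that ref, so feature branches keep flowing while `develop` stays gated. Keeping the decision in a pure function is what makes the control itself auditable: the allowlist and the rule can be reviewed and tested without a repository, and a failed check leaves a reason in the push output that can be preserved as evidence.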

Editor's notes

  1. Turned the corner and have one product running in a CD environment: deployments every two weeks, BLUE GREEN, rebuilding infrastructure with any release if we want.
     3 deployments in 2012 to 25 in 2013… holding steady at a deployment every two weeks. 18 months to go from manual, waterfall to agile, CD.
     GOOD – Culture was not a problem. Argue whether CD/DevOps was Top Down or Bottom Up.
     BAD – We cannot dedicate resources to create an "A Team" to pave the road… share resources… we have to buy everything… can't build our own tools.
     182 slides for last audit. 85 slides with a lot of content for Gene Kim - Phoenix Project – Auditor Toolkit. 50 slides for various meetups. 36 slides for DevOps Conference!
     ----- Meeting Notes (10/21/14 19:39) -----
  2. Great cross-section of IT - truly DevOps. Enlightening about the world of Operations.
  3. IF IT IS HARD, DO IT MORE OFTEN. Typically no one likes audits… they don't feel it is their job… they feel it is getting in the way of the work they need to do. PUT audits and audit prep in job descriptions.
  4. RACI charts – MD102 – Department of Homeland Security traceability matrices… meeting invitations to be saved! Review materials needed to be sent out prior to meetings. Result: Development came to a grinding halt.
     – A second SDLC was written which stripped away 90% of the full SDLC rigor. Result: Every project became SDLC Lite.
     – Agile – We obviously blamed Waterfall for our shortcomings (it couldn't be us). We went Agile… sort of. Result: Chaos. Team was not ready for quick sprints, documentation wasn't done, code wasn't finished…
     – Agile & Continuous Delivery – A proper implementation of Agile with the technical craftsmanship that is required. Result: A successful and strong base on which to build.
  5. #1 SOCIALIZE PLANS - Don't surprise your auditor with a major change to your process. Provide useful information: Continuous Delivery: Rel by Jez Humble and David Farley; Phoenix Project by Gene Kim.
     #3 – ALSO HELPS GET A TRAINING BUDGET
     #4 – NEW SLIDE
  6. Some auditors and examiners are very familiar with Agile. Many even have CSM and CPO certifications. However, some are entrenched in Waterfall. Also, keep in mind that many guidelines that examiners are required to follow are based on the Waterfall methodology. The mapping shows that the checkpoints still exist, just in a slightly different order or a little more often.
  7. #5 - When a vulnerability is found, how quickly can you address it? When a new OS patch is released, how long until it is on all of your servers?
     - Infrastructure as Code enabled us to shorten our OS patching cycle from quarterly to every two weeks.
     - A finding from our penetration testing exercise is added to the next sprint, which means it is in production in just over two weeks.
     - A change in our process is added and adopted by the feature team by redefining the definition of "done".
     #6 - WHAT IT ALL COMES DOWN TO IS MANAGING RISK. A quarterly release cycle contains months and months of code. This is harder to test, harder to code review properly, and a significant amount of change to the application is introduced at one time. Changes performed in small batches reduce the risk of any one release. Even if the entire release needs to be backed out, only two weeks of work is lost, which reduces the company's financial risk. Schedule risk can also be mitigated by reducing feature creep and gold-plating and by keeping stakeholders aware of progress.
  8. At this point, you may have shown some good insights about Agile, but chances are, your auditor already knew about it. CD is a different story. There are LOTS of levels of maturity
  9. #7 - Going back to the Bible: I can tell you the millisecond that a feature was regression tested.
     #8 - SNOWFLAKE
     #9 - Environments stay in sync (STILL NEED TRIPWIRE). On demand = RECOVERY TIME OBJECTIVE. Environments are documented and version controlled.
     #10 - Some security tests, WhiteHat Sentinel. KEEP AN EYE ON THE CHANGE LOG. FIND VULNERABILITIES IN EVERY CHECK-IN - don't wait for them in Production.
  10. The change in about a year. KNOWLEDGE IS POWER. MANAGEMENT OVERSIGHT. GIVE THE TEAM THE INFORMATION THEY NEED.
  11. #10 - Some security tests, WhiteHat Sentinel. KEEP AN EYE ON THE CHANGE LOG.
      #12 - Single source for software, binaries & libraries demonstrates consistency. We use NEXUS.
  12. RESULTED IN A SURPRISE: WE ARE BACK TO SPREADSHEETS, TRACKING THAT OUR UAT TESTS WERE VALIDATED. It is important to show that your pipeline will STOP until any failed automated test is corrected. SAVE FAILED TEST RUNS.
  13. #7 - Going back to the Bible: I can tell you the millisecond that a feature was regression tested.
      #8 - SNOWFLAKE
      #9 - Environments stay in sync (STILL NEED TRIPWIRE). On demand = RECOVERY TIME OBJECTIVE. Environments are documented and version controlled.
      #10 - Some security tests, WhiteHat Sentinel. KEEP AN EYE ON THE CHANGE LOG.
      #12 - Single source for software, binaries & libraries demonstrates CONSISTENCY - NEXUS.
  14. Probably one of the more unpopular changes is to switch to an electronic board like Jira. Many teams are very fond of having note cards and post-its on walls, but digital boards are more auditable. Once you make the switch, you will have lots of unexpected benefits… here are some more!
  15. We use a Jira plugin called Group Sign-Off for Jira. It allows a story to capture key sign-offs from management, security, and compliance. We include a sign-off story in every sprint and no longer need to print and get manual signatures. Using permissions in Jira, I can only sign off as myself.
  16. This was one of those dreams that I never thought would come true, but with the Xporter plugin for Jira we are able to perform a mail merge into our SDLC template. We capture the stories and sign-offs for every release to fulfill auditors' and examiners' requests for documentation. We do still have the manual step of maintaining master requirements documents for major pieces of functionality.
  17. Using the logs captured by Jenkins, we created a report to show when each step in the pipeline occurred and who initiated it. The report is the last step in our Pipeline. It emails a copy of the report to all interested parties and places a copy in Nexus for archival purposes.
  18. All of the activity logging is beneficial as it shows that all the steps were performed and who performed them. However, they are also rich with information about your own processes. Graphing the metrics from various points in your development process will again show that management is involved in the process and providing proper oversight.
  19. With a self managing team that is making small changes every two weeks, it is easy for management to not know exactly what is going on. We added a Sprint Planning Review Meeting after every sprint planning session. This was facilitated by our ScrumMaster and was found to be very helpful to bring Security, Compliance and anyone else into the process. Not only was this meeting helpful, but it also demonstrated to auditors and examiners that we were thoughtful about the process and made improvements when needed.
  20. ACTIVE DIRECTORY - NEED TO HAVE A PERIODIC REVIEW OF WHO IS IN GROUPS.
      Our QA Team performs an important check to ensure that a quality product is deployed. They are also a critical team for maintaining separation of duties. They don't write the code and they also have the best understanding of how the applications should work. We found they were best suited to facilitate the deployment. They control:
  21. A QUESTION WAS RAISED ABOUT SEPARATION OF DUTIES. RESPONSE: THE GUIDELINES DO NOT SPECIFY THAT IT IS NEEDED. COMPENSATING CONTROLS.
  22. The rapid deployments still resulted in the occasional incident where someone was caught off guard. We addressed this by adding an email step before Staging and before Production to notify all interested parties that a deployment was coming through.
  23. Only a select number of senior developers and architects have the ability to merge code into the development branch
  24. Users ended up as Local Admin and Regular User. Local Admin users are only allowed to MERGE - by policy. Wrote custom code to only allow ACTIVE DIRECTORY USERS to check in and approve PULL REQUESTS.
  25. POWER OF A JENKINS USER. POWER OF A PUPPET USER - STILL A GAP. Ansible Tower has done some nice work that will hopefully push all the vendors forward.
      AGILE TEAMS NEED TO POST THEIR DEFINITIONS OF DONE IN CONFLUENCE (WIKI).
      REGULARLY AUDIT USER LISTS - ACTIVE DIRECTORY. In a recent exam, I was very impressed how quickly the examiner recognized the power of some of the tools like Git, Stash, Jenkins and Puppet. He immediately wanted to know how we ensure that the appropriate permissions are in place.
      Also, think through how you will manage the environment of CD tools. Typically, one doesn't have a migration path for making changes to Jenkins, Sonar, etc.
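Slide 33 asks "who is reviewing Active Directory?", slide 34 asks how to regularly audit that the right people have access to the right tools, and notes 20 and 25 answer with a periodic review of group membership. The script below is an added example for this page, not the deck's own tooling, showing what such a review can check mechanically once the AD group export and each tool's privileged-account list are in hand: tool admins who are not in the governing AD group, AD accounts that are disabled but still privileged in a tool, disabled accounts still sitting in the governing group, and tool-local accounts that bypass directory control altogether. It assumes the reviewer exports the governing groups with each member's enabled flag and each tool's privileged accounts with their authentication source; the tool names, group names, accounts and exports are constructed for illustration.

```python
"""
Periodic access review for the CD toolchain: reconcile each tool's privileged
accounts against the Active Directory group that is supposed to govern them,
and produce the findings an auditor would ask for.

Added example for this page, not the deck's own tooling. It assumes the
reviewer has exported (a) the governing AD groups with each member's enabled
flag and (b) each tool's privileged accounts with their authentication source.
All names, groups and exports below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DirectoryUser:
    sam: str          # sAMAccountName, lower-cased on load
    enabled: bool


@dataclass(frozen=True)
class ToolAccount:
    name: str
    source: str       # "ldap" = directory-backed, "local" = tool-local account


@dataclass(frozen=True)
class Finding:
    tool: str
    account: str
    issue: str


def review_tool(tool: str, accounts: Iterable[ToolAccount], group: Set[str],
                directory: Dict[str, DirectoryUser]) -> List[Finding]:
    """Findings for one tool.

    group:     lower-cased members of the AD group that should own this privilege
    directory: lower-cased sAMAccountName -> DirectoryUser for every exported user
    """
    findings: List[Finding] = []
    seen: Set[str] = set()
    for acct in accounts:
        name = acct.name.lower()
        seen.add(name)
        if acct.source != "ldap":
            # A local account is exactly what AD-based control cannot see.
            findings.append(Finding(tool, acct.name, "local account bypasses directory control"))
            continue
        user = directory.get(name)
        if user is None or name not in group:
            findings.append(Finding(tool, acct.name, "privileged in tool but not in governing AD group"))
        elif not user.enabled:
            findings.append(Finding(tool, acct.name, "AD account disabled but still privileged in tool"))
    # Disabled accounts left in the governing group are a finding even if the tool
    # has not synchronised them yet: the next sync would grant them access again.
    for sam in sorted(group - seen):
        user = directory.get(sam)
        if user is not None and not user.enabled:
            findings.append(Finding(tool, sam, "disabled AD account still in governing group"))
    return findings


def run_review(tool_accounts: Dict[str, List[ToolAccount]], tool_to_group: Dict[str, str],
               groups: Dict[str, Set[str]],
               directory: Dict[str, DirectoryUser]) -> Dict[str, List[Finding]]:
    """Review every tool; the result is the evidence record for the access review."""
    return {tool: review_tool(tool, accts, groups[tool_to_group[tool]], directory)
            for tool, accts in tool_accounts.items()}


# --- constructed exports (not real accounts) ---------------------------------
DIRECTORY = {u.sam: u for u in [
    DirectoryUser("alice", True), DirectoryUser("bob", True),
    DirectoryUser("carol", True), DirectoryUser("former.contractor", False),
]}
GROUPS = {
    "CD-Jenkins-Admins": {"alice", "bob", "former.contractor"},
    "CD-Stash-Admins": {"alice", "bob"},
}
TOOL_TO_GROUP = {"Jenkins": "CD-Jenkins-Admins", "Stash": "CD-Stash-Admins"}
TOOL_ACCOUNTS = {
    "Jenkins": [ToolAccount("bob", "ldap"), ToolAccount("former.contractor", "ldap"),
                ToolAccount("jenkins-admin", "local")],
    "Stash": [ToolAccount("alice", "ldap"), ToolAccount("carol", "ldap")],
}


def main() -> None:
    for tool, findings in run_review(TOOL_ACCOUNTS, TOOL_TO_GROUP, GROUPS, DIRECTORY).items():
        print(f"{tool}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.account:<20} {f.issue}")


if __name__ == "__main__":
    main()
```

Run on a schedule, the report (with the reviewer, the date and the exports it was produced from) is the evidence that answers the examiner's "who is reviewing Active Directory?" question; an empty findings list for a tool is itself a record worth keeping. The local-account check matters most for tools such as Jenkins or Stash that allow an internal user database alongside LDAP, since those accounts never appear in any AD review.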