DevSecOps journey
ABN AMRO
Stefan Simenon / Dominik de Smit
Sonatype DevSecOps Leadership Forum
25th May 2018, Amsterdam
About

Stefan Simenon
• Head of COE Software Development
• Focusing on: CICD, Tooling, Pipelines, Software Quality & Security, Database Automation, Cloud Native
• stefan.simenon@nl.abnamro.com
• +31 6 51478665

Dominik de Smit
• Teamlead Secure Coding
• Software engineer with specialization in Software Security
• Focusing on: DevSecOps, AppSec, Cloud security, Security awareness
• dominik.de.smit@nl.abnamro.com
• +31 6 43888985
• @dominikdesmit
CASE FOR CICD

Continuous Integration: produce automated builds and detect errors as soon as possible, by integrating and testing all changes on a regular (daily) basis.
Continuous Delivery: high-frequency delivery of a tested, functional piece of software that can be deployed to production rapidly.
Continuous Deployment: fully automated process, including deployment to production, without human interaction.

Pain points addressed:
• Many manual handovers and approvals
• Long lead time for software delivery
• Software quality issues found at a late stage
• Code merging happening at a late stage
• Inefficient cooperation between DEV and OPS
• Big, non-frequent releases to Production

• It is not only about tooling but mainly mindset & behavior, a changed Way of Working and process improvements.
  • Increase maturity of teams
  • Set up the conditions (tooling, pipelines, generic building blocks) for the teams to get working.
  • Train the teams on applying the right mindset, knowledge and appropriate tooling
• We know other large companies which needed 3 - 8 years, and changed their approach along the way.
• Therefore we keep the overall stages in mind, but plan for the coming three months. Focus on learning and improving instead of long-term planning.
Midrange Build & Delivery pipeline: orchestration

Pipelines within ABN AMRO: DWH ETL, Java, Front End, BPM/TIBCO, Microsoft, Docker Image, Java IIB, Mainframe, CoTS, Mobile

Pipeline flow (code push flow → build, QA and package flow → deployment flow):
Develop → Source code mgt → Build & Unit test → Code quality review → Package → Component mgt → Deploy → Test (ST) → Deploy → Release tests (ET) → Prod checks → Deploy
The diagram labels these stages as continuous integration, continuous delivery and continuous deployment, ending on zero-touch platforms.

Results: x3 deployments to UT, x2.5 deployments to ET, +20% successful builds, -100% package creation time, -75% testing time

Benefits:
• Test environment uptime improved
• Improved code quality & secure coding
• Improved cooperation across stakeholders
• Improved time to market
• Improved development processes

Realised benefits within ABN AMRO
• "We never thought it would be possible to develop, test and deploy something completely in one sprint"
• I-Markets doubled velocity after 1 sprint containing CICD improvements only
• From 4 Internet Banking releases to 18 releases per year
• Code review times have been shortened and violations when merging are being prevented
• Changes are being rolled out as soon as they are available
• Increased velocity
• Private Banking International team reduced build from 5 hours to 5 minutes
• First continuous deployment realised by identity access mgmt team
• Release times halved for teams using XL Release
DevSecOps: How to include Security in our DevOps?
• Open Source Software
• Hybrid cloud and Container Security
• Credentials Management
Open Source Software: Risks

• "Open source and third-party components can help organizations speed development and reduce cost, but they can also increase risk exposure when organizations do not manage them effectively. Evaluating and approving standard components helps organizations streamline their software supply chains, improve quality, and reduce risk and cost."
• "By 2020, 50% to 80% of code in new applications will come from external third-party channels."
• "By 2020, 50% of organizations will have suffered damage caused by failing to manage trust in their or their partners' software development life cycles — causing revenue loss of more than 15%."
• "31% suspect or have verified a breach related to open source components in the last 12 months."
Standard CI pipelines and build breakers

Pipeline flow: Developer triggers build → Check out project from SCM → Build project and execute unit tests → Scans (code quality scan, secure coding scan, dependency scan) → Gate passed? Y: Publish deployable artifact / N: build broken

ABN AMRO has introduced a set of quality gates and build breakers. The principle is that the Jenkins build is broken once the required quality or security is not met, and the developer needs to fix the defect in order to proceed. The developer also has the software quality tooling available in the IDE, so defects can be detected and fixed at an early stage.
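The gate logic described above, as an added example that is not ABN AMRO's pipeline code and uses no Jenkins or Sonatype API: a policy evaluator that takes the findings of the dependency, code quality and secure coding scans and decides whether the build may proceed to publishing the artifact. The scanner names, severity levels, thresholds, waiver flag and sample findings are constructed assumptions. It fails closed on a severity it does not recognise, so a broken scanner cannot silently pass a build, and it honours waivers recorded outside the pipeline.

```python
"""Build-breaker gate for a CI pipeline (added example, constructed data).

Given the findings produced by the pipeline's scanners, decide whether the
build may continue to "publish deployable artifact" or must be broken.
"""
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    scanner: str          # "dependency", "code_quality" or "secure_coding" (assumed names)
    severity: str
    title: str
    waived: bool = False  # an approved exception recorded outside the pipeline


@dataclass
class GatePolicy:
    # Findings at or above this severity break the build, per scanner (constructed thresholds).
    break_at: dict = field(default_factory=lambda: {
        "dependency": "high",
        "secure_coding": "high",
        "code_quality": "critical",
    })
    # Maximum number of non-waived medium findings tolerated across all scanners.
    max_medium: int = 5


@dataclass
class GateResult:
    passed: bool
    reasons: list


def evaluate_gate(findings, policy=GatePolicy()):
    """Return GateResult; reasons is empty exactly when the gate passes."""
    reasons = []
    medium_count = 0
    for f in findings:
        if f.waived:
            continue
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # Fail closed: a severity the policy does not know is never let through.
            reasons.append(f"{f.scanner}: unknown severity '{f.severity}' for '{f.title}'")
            continue
        threshold = SEVERITY_RANK[policy.break_at.get(f.scanner, "critical")]
        if rank >= threshold:
            reasons.append(f"{f.scanner}: {f.severity} finding '{f.title}' exceeds gate")
        elif rank == SEVERITY_RANK["medium"]:
            medium_count += 1
    if medium_count > policy.max_medium:
        reasons.append(f"{medium_count} medium findings exceed the limit of {policy.max_medium}")
    return GateResult(passed=not reasons, reasons=reasons)


# Constructed sample scanner output, not real scan results.
SAMPLE_FINDINGS = [
    Finding("dependency", "critical", "example-lib 1.2.3: known remote code execution (constructed)"),
    Finding("secure_coding", "medium", "SQL statement built by string concatenation"),
    Finding("code_quality", "high", "method complexity above 25"),
    Finding("dependency", "high", "old-parser 0.9: denial of service (constructed)", waived=True),
]

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS)
    print("BUILD", "PASSED" if result.passed else "BROKEN")
    for reason in result.reasons:
        print(" -", reason)
    # A non-zero exit is what makes the pipeline stage break the build.
    sys.exit(0 if result.passed else 1)
```

Run as a pipeline stage, the non-zero exit breaks the build; the waived high-severity dependency and the high code quality finding (below that scanner's critical threshold) do not, while the critical dependency finding does.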
DevSecOps Maturity Model

Five levels, from 1 (Insanity: "Burp") through 2 (Reactive: Crawl), 3 (Proactive: Walk), 4 (Measurable: Run) to 5 (Continuous: Fly). The slide marks ABN AMRO's current state on this scale.

CULTURE
1. Surprising, with a lot of push back
2. Full awareness but feeling helpless
3. Integrated and talked about by Execs
4. Measured by Execs
5. Context-driven decisions

SKILLS
1. Skills developed outside job function
2. Skills lining up with job functions
3. Skill development paired with the job
4. Proactive skill development to meet roadmap needs
5. Knowledge evolves inline / lessons savored

PROGRAMS / OUTCOMES
1. Just getting by
2. Orderly processes & faster reactions
3. Reduced number of incidents
4. Measurable difference in attacks
5. Predictive & proactive

SECURITY PRIORITIES
1. P0/critical waiting for attackers
2. P0 and P1s: some hygiene, getting fixed
3. P0 and P1 compliance
4. Attack surface driven & measured
5. Staying ahead of bad guys
Nexus Lifecycle status and way forward

Status
• Updated open source policy
• Nexus Lifecycle chosen and implemented
• Automated onboarding pipeline; security scans included in the standard Java, Front End, Mobile and Microsoft pipelines
• Application security training conducted
• Awareness sessions about OSS and Nexus Lifecycle conducted

Way forward
• CICD metrics dashboard to visualize security issues per grid/domain, both for security issues in the Development and in the Production environment
• Track progress via senior management meetings
• Additional application security training
• Guiding dev teams in fixing the security issues that come up
• Increase security awareness via senior management
• Reward teams who have the right focus on security
A hybrid cloud strategy has been defined to support our digital transformation

Private Cloud (IBM CMS)
• Consists of hardware deployed within ABN AMRO data centres
• ABN AMRO controls the underlying infrastructure, IBM manages CMS
• IaaS solution, provisioning of Virtual Machines (VM)
• Limited PaaS and lacks SaaS capability
• Currently the majority of applications run on CMS

Public Cloud (AWS, Azure)
• Offers advanced SaaS, PaaS, IaaS
• Increased developer productivity due to a large suite of out-of-the-box technologies and services (e.g., 150+ services in AWS)
• Delivers an automated and native platform for Agile and DevOps
• Pay as you go: pay only for the used services
• 50-100 applications will land on Public Cloud in 2018, further increase foreseen in 2019
7 work streams have been defined to prepare further scaling
Cloud Native

Cloud Native: design and develop cloud native applications that can take advantage of the technologies and services offered by our preferred cloud platforms.

• Define a microservice architecture, which structures an application as a collection of loosely coupled services that implement business capabilities. The microservice architecture enables the continuous delivery/deployment of large, complex applications.
• Define a serverless architecture, allowing developers to build and run applications and services without thinking about servers.
• Select, implement and maintain a PaaS that provides a platform allowing developers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
• Define container security on multiple levels.
• Define and implement standard dockerized pipelines to land on public cloud.
Container security – Lifecycle

Code → Build → Ship → Run. Security is needed in each step of the lifecycle.
Container security – Tools …
Anchore Navigator
AppArmor
AquaSec
BlackDuck Docker security
Cavirin
Cilium
CoreOS Clair
Docker-bench security
Dockscan
Falco
HashiCorp Vault
NeuVector
Notary
OpenSCAP
REMnux
SELinux
Seccomp
StackRox
Sysdig Secure
Sysdig
Tenable Flawcheck
Twistlock
Container security – Preventing the bad
Container security – Pipeline

Pipeline flow: Developer triggers Docker image build → Jenkinsfile + Dockerfile from SCM → Build Docker image → Docker lint / syntax check → Docker container dependencies check → Docker container OS check → Apply security profiles (AppArmor) → Smoke test → Gate passed? Y: Sign + Publish Docker image in trusted registry / N: build broken
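An added example of what the "Docker lint / syntax check" and "container OS check" stages of this pipeline can enforce before an image is signed and published. It is not ABN AMRO's pipeline code and does not use any of the tools listed on the earlier slide: it parses a Dockerfile itself and reports policy violations that should break the build, namely an unpinned or untrusted base image, a remote ADD that bypasses the dependency check, secrets baked into ENV/ARG, and a final stage that runs as root. The trusted registry name and both sample Dockerfiles are constructed.

```python
"""Dockerfile policy check for the image build pipeline (added example).

Returns a list of violations; an empty list means the image may proceed to
signing and publishing.  Registry name and samples are constructed.
"""
import re

TRUSTED_REGISTRY = "registry.example.internal"   # assumed internal registry name
SECRET_KEY_RE = re.compile(r"(?i)(password|secret|token|api[_-]?key|private[_-]?key)")
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], joining backslash line continuations."""
    instructions = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "           # continued on the next line
            continue
        buf += line
        parts = buf.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        buf = ""
    return instructions


def split_image_ref(image):
    """Split 'registry/name:tag' or 'name@sha256:...' into (name, tag-or-digest)."""
    if "@" in image:
        name, _, digest = image.partition("@")
        return name, digest                           # digest-pinned reference
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:                         # no tag, or the colon was a registry port
        return image, ""
    return name, tag


def check_dockerfile(text):
    """Return human-readable policy violations for one Dockerfile."""
    violations = []
    last_user = None
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            image = arg.split()[0]                    # drop "AS <stage>"
            if image.lower() == "scratch":
                continue
            name, tag = split_image_ref(image)
            if tag in ("", "latest"):
                violations.append(f"FROM {image}: pin the base image to a version tag or digest")
            if not name.startswith(TRUSTED_REGISTRY + "/"):
                violations.append(f"FROM {image}: base image is not from {TRUSTED_REGISTRY}")
        elif instr == "ADD" and REMOTE_URL_RE.search(arg):
            violations.append(f"ADD {arg}: remote download bypasses the dependency check; use COPY")
        elif instr in ("ENV", "ARG") and SECRET_KEY_RE.search(arg):
            violations.append(f"{instr} {arg.split('=')[0]}: secrets must not be baked into the image")
        elif instr == "USER":
            last_user = arg.split(":")[0]             # "user:group" -> user
    if last_user is None or last_user in ("root", "0"):
        violations.append("USER: the final stage must run as a non-root user")
    return violations


# Constructed sample: the kind of Dockerfile the gate should reject.
SAMPLE_DOCKERFILE_BAD = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/tool.tar.gz /opt/
RUN apt-get update && \\
    apt-get install -y curl
COPY app /app
CMD ["/app/run"]
"""

# Constructed sample: the hardened form of the same image.
SAMPLE_DOCKERFILE_GOOD = """\
FROM registry.example.internal/base/ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY app /app
USER 10001
CMD ["/app/run"]
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_DOCKERFILE_BAD), ("good", SAMPLE_DOCKERFILE_GOOD)):
        found = check_dockerfile(text)
        print(f"{label}: {'PASS' if not found else 'FAIL'}")
        for v in found:
            print(" -", v)
```

The bad sample trips all five rules; the hardened one pins a base image from the trusted registry, drops the remote ADD and the baked-in secret, and switches to a non-root user before CMD, so it passes and can move on to signing.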
Container security – Focus areas

• Docker host and kernel security (prevent container breakout)
• Container image authenticity (signing)
• Container resource abuse
• Docker security vulnerabilities present in the static image
• Docker credentials and secrets management
• Docker runtime security monitoring
• Secure container orchestrator
• and many more…
Credentials management – What?

Credentials management is the set of processes and techniques used to securely access secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates.
Credentials management – Risks

• A hacker accessed a Docker registry that contained the entire Vine source code, API keys and secrets
• An insider stored a secret key in a public repository. This key was used to compromise a database containing personal information about drivers
• Developers stored privileged credentials and keys in source code
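Each of the risks above is a secret that reached source control or a registry. As an added example that is not ABN AMRO's tooling, the scanner below runs over source lines before a commit or as a pipeline gate and flags committed credentials: fixed-format key IDs, private-key blocks, literal assignments to secret-named variables, and long high-entropy string literals. Values resolved at runtime from the environment or a vault are not flagged, and the report is redacted so the finding itself does not leak the value. The rule patterns, the allowlist marker and the sample source are this example's own assumptions; the AKIA… value is the example key ID used in AWS documentation, not a real credential.

```python
"""Secret-in-source detection gate (added example, constructed rules and data)."""
import math
import re

# Rules are checked in priority order; at most one finding is reported per line.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|api[_-]?token|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
QUOTED_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
# Values fetched at runtime from the environment or a vault are not secrets in source.
INDIRECTION_RE = re.compile(r"(?i)os\.environ|getenv|\$\{|vault:")
ALLOW_MARKER = "# secret-scan: allow"   # this example's own allowlist convention


def shannon_entropy(s):
    """Bits per character; random base64/hex sits well above prose and identifiers."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a short prefix so the finding is locatable without leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_lines(lines, entropy_threshold=4.0):
    """Return a list of (line_number, rule, redacted_value) findings."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if ALLOW_MARKER in line:
            continue                                   # reviewed and explicitly allowed
        m = AWS_KEY_RE.search(line)
        if m:
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
            continue
        m = PRIVATE_KEY_RE.search(line)
        if m:
            findings.append((lineno, "private_key_block", m.group(0)))
            continue
        if not INDIRECTION_RE.search(line):
            m = SECRET_ASSIGN_RE.search(line)
            if m:
                findings.append((lineno, "secret_assignment", redact(m.group(2))))
                continue
        for literal in QUOTED_LITERAL_RE.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append((lineno, "high_entropy_string", redact(literal)))
                break
    return findings


# Constructed sample source; none of these values is a live credential.
SAMPLE_SOURCE = [
    "import os",
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',            # resolved at runtime: fine
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',          # AWS docs example key ID
    'api_token = "s3cr3t-t0ken-d0-n0t-c0mm1t"',            # literal secret assignment
    'SESSION_SALT = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg=="',  # high-entropy literal
    'greeting = "hello world, this is a long but boring string"',
    'fixture_key = "AKIAAAAAAAAAAAAAAAAA"  # secret-scan: allow',  # allowlisted test fixture
]

if __name__ == "__main__":
    for lineno, rule, value in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({value})")
```

Wired into the same build-breaker principle as the Jenkins gate, a non-empty result blocks the commit or the build; the allowlist marker exists so that reviewed test fixtures do not turn the gate into noise the teams learn to ignore.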
Credentials management – Secrets
• 75% of organizations do not have a privileged account security strategy for DevOps
• Fewer than half report that DevOps and security teams consistently work together
• Nearly all (99%) of security pros and DevOps respondents failed to identify all places where privileged accounts or secrets exist

Source: CyberArk Global Advanced Threat Landscape Report 2018: Focus on DevOps
Credentials management – Focus areas
• Key rolling
• Granular access permissions
• Secure storage
• Detailed audit logs
• Monitoring
• Must fit seamlessly in the DevOps environment
Questions?
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 

ABN AMRO DevSecOps Journey

  • 1. DevSecOps journey ABN AMRO Stefan Simenon / Dominik de Smit Sonatype DevSecOps Leadership Forum 25th May 2018, Amsterdam
  • 2. About 2 Stefan Simenon  Head of COE Software Development  Focussing on: CICD, Tooling, Pipelines, Software Quality & Security, Database Automation, Cloud Native  stefan.simenon@nl.abnamro.com  +31 6 51478665 Dominik de Smit  Teamlead Secure Coding  Software engineer with specialization in Software Security  Focussing on: DevSecOps, AppSec, Cloud security, Security awareness  dominik.de.smit@nl.abnamro.com  +31 6 43888985  @dominikdesmit
  • 3. CASE FOR CICD 3
    Continuous Integration: produce automated builds and detect errors as soon as possible, by integrating and testing all changes on a regular (daily) basis.
    Continuous Delivery: high frequency delivery of a tested functional piece of software that can be deployed to production rapidly.
    Continuous Deployment: fully automated process including deployment to production without human interaction.
    Problems addressed: many manual handovers and approvals; long lead time for software delivery; software quality issues found at a late stage; code merging happening at a late stage; inefficient cooperation between DEV and OPS; big non-frequent releases to Production.
     It is not only about tooling but mainly mindset & behavior, a changed Way of Working and process improvements.
      • Increase maturity of teams
      • Set up the conditions (tooling, pipelines, generic building blocks) for the teams to get working.
      • Train the blocks on applying the right mindset, knowledge and appropriate tooling
     We know other large companies which need 3 - 8 years, and changed their approach along the way.
     Therefore we keep the overall stages in mind, but plan for the coming three months. Focus on learning and improving instead of long term planning.
  • 4. Midrange Build & Delivery pipeline: orchestration 4
  • 6. Realised benefits within ABN AMRO
    Test environment uptime improved; improved code quality & secure coding; improved cooperation across stakeholders; improved time to market; improved development processes.
    Pipeline stages shown on the slide: Develop; Source code mgt; Build & Unit test; Code quality review; Package; Component mgt; Deploy; Test (ST); Deploy; Release tests (ET); Deploy; Prod checks. Flows: code push flow; build, QA and package flow; deployment flow; zero touch platforms. Spanning continuous integration, continuous delivery and continuous deployment.
    Metrics: x3 deployments to UT; x2.5 deployments to ET; +20% successful builds; -100% package creation time; -75% testing time.
    "We never thought it would be possible to develop, test and deploy something completely in one sprint."
    I-Markets doubled velocity after 1 sprint containing CICD improvements only.
    From 4 Internet Banking releases to 18 releases per year.
    Code review times have been shortened and violations when merging are being prevented.
    Changes are being rolled out as soon as they are available.
    Increased velocity.
    Private Banking International team reduced build from 5 hours to 5 minutes.
    First continuous deployment realised by identity access mgmt team.
    Release times halved for teams using XL Release.
  • 7. DevSecOps: How to include Security in our DevOps? 7 Open Source Software Hybrid cloud and Container Security Credentials Management
  • 8. Open Source Software: Risks 8
     “Open source and third-party components can help organizations speed development and reduce cost, but they can also increase risk exposure when organizations do not manage them effectively. Evaluating and approving standard components helps organizations streamline their software supply chains, improve quality, and reduce risk and cost.”
     “By 2020, 50% to 80% of code in new applications will come from external third-party channels.”
     “By 2020, 50% of organizations will have suffered damage caused by failing to manage trust in their or their partners' software development life cycles — causing revenue loss of more than 15%.”
     “31% suspect or have verified a breach related to open source components in the last 12 months.”
  • 9. Standard CI pipelines and build breakers 9
    Pipeline stages shown on the slide: Developer triggers build; Check out project from SCM; Build project and execute unit tests; Code quality scan; Secure coding scan; Dependency scan; gate (Y/N); Publish deployable artifact.
    ABN AMRO has introduced a set of quality gates and build breakers. The principle is that the Jenkins build is broken once the required quality or security is not met, and the developer needs to fix the defect in order to proceed. The developer has access to software quality in his IDE, so defects can be detected and fixed at an early stage.
  • 10. DevSecOps Maturity Model 10
    Levels: 1 Burp (Insanity); 2 Crawl (Reactive); 3 Walk (Proactive); 4 Run (Measurable); 5 Fly (Continuous). The current state of ABN AMRO is marked on the slide.
    CULTURE: 1 Surprising with a lot of push back; 2 Full awareness but feeling helpless; 3 Integrated and talked about by Execs; 4 Measured by Execs; 5 Context driven decisions.
    SKILLS: 1 Skills developed outside job function; 2 Skills lining up with job functions; 3 Skill development paired with the job; 4 Proactive skill development to meet roadmap needs; 5 Knowledge evolves inline / Lessons savored.
    PROGRAMS / OUTCOMES: 1 Just getting by; 2 Orderly processes & faster reactions; 3 Reduced number of incidents; 4 Measurable difference in attacks; 5 Predictive & Proactive.
    SECURITY PRIORITIES: 1 P0/critical waiting for attackers; 2 P0 and P1s some hygiene, getting fixed; 3 P0 and P1 compliance; 4 Attack surface driven & measured; 5 Staying ahead of bad guys.
  • 11. Nexus Lifecycle status and way forward 11
    Status
     Updated open source policy
     Nexus Lifecycle chosen and implemented
     Automated onboarding pipeline, security scans included in standard Java, Front End, Mobile and Microsoft pipelines.
     Application security training conducted
     Awareness sessions about OSS and Nexus Lifecycle conducted
    Way forward
     CICD metrics dashboard to visualize security issues per grid/domain, both for security issues in the Development and the Production environment.
     Track progress via senior management meetings
     Additional application security training
     Guiding dev teams to fix security issues coming
     Increase security awareness via senior management
     Reward teams who have the right focus on security
  • 12. A hybrid cloud strategy has been defined to support our digital transformation 12
    Private Cloud (IBM CMS)
     Consists of hardware deployed within ABN AMRO data centres
     ABN AMRO controls the underlying infrastructure, IBM manages CMS
     IaaS solution, provisioning of Virtual Machines (VM)
     Limited PaaS and lacks SaaS capability
     Currently the majority of applications run on CMS
    Public Cloud (AWS, Azure)
     Offers advanced SaaS, PaaS, IaaS
     Increased developer productivity due to a large suite of out of the box technologies and services (e.g., 150+ services in AWS)
     Delivers an automated and native platform for Agile and DevOps
     Pay as you go: pay only for the used services
     50-100 applications will land on Public Cloud in 2018, further increase foreseen in 2019
  • 13. 7 work streams have been defined to prepare further scaling 13
  • 14. Cloud Native 14
    Cloud Native: design and develop cloud native applications that can take advantage of the technologies and services offered by our preferred cloud platforms.
    • Define a microservice architecture: it structures an application as a collection of loosely coupled services, which implement business capabilities. The microservice architecture enables the continuous delivery/deployment of large, complex applications.
    • Define a Serverless architecture allowing developers to build and run applications and services without thinking about servers.
    • Select, implement and maintain a PaaS that provides a platform allowing developers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
    • Define container security on multiple levels.
    • Define and implement standard dockerized pipelines to land on public cloud.
  • 15. Container security – Lifecycle 15 CODE > BUILD > SHIP > RUN. Security is needed in each step of the lifecycle.
  • 16. Container security – Tools … 16 Anchore Navigator AppArmor AquaSec BlackDuck Docker security Cavirin Cilium CoreOS Clair Docker-bench security Dockscan Falco HashiCorp Vault NeuVector Notary OpenSCAP REMnux SELinux Seccomp StackRox Sysdig Secure Sysdig Tenable Flawcheck Twistlock
  • 17. Container security – Preventing the bad 17
  • 18. Container security – Pipeline 18
    Pipeline stages shown on the slide: Developer triggers Docker image build; Jenkinsfile + Dockerfile from SCM; Build docker image; Docker lint syntax check; Docker container OS check; Docker container dependencies check; Apply security profiles (AppArmor); Smoke test; gate (Y/N); Sign + Publish Docker image in trusted registry.
  • 19. Container security – Focus areas 19 • Docker host and kernel security (prevent container breakout) • Container image authenticity (signing) • Container resource abuse • Docker security vulnerabilities present in the static image • Docker credentials and secrets management • Docker runtime security monitoring • Secure container orchestrator • and many more…
  • 20. Credentials management – What? 20 Credentials management is the set of processes and techniques used to securely access secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates.
  • 21. Credentials management – Risks 21 • A hacker accessed a docker registry that contained the entire Vine source code, API keys and secrets • An insider stored a secret key in a public repository. This key was used to compromise a database containing personal information about drivers • Developers stored privileged credentials and keys in source code
  • 23. Credentials management – Secrets 23 • 75% organizations do not have a privileged account security strategy for DevOps • Fewer than half report that DevOps and security teams consistently work together • Nearly all (99%) of security pros and DevOps respondents failed to identify all places where privileged accounts or secrets exist Source: CYBERARK GLOBAL ADVANCED THREAT LANDSCAPE REPORT 2018: FOCUS ON DEVOPS
  • 24. Credentials management – Focus areas 24 • Key rolling • Granular access permissions • Secure storage • Detailed audit logs • Monitoring • Must fit seamlessly in the DevOps environment
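The build breaker principle from slide 9 (the Jenkins build fails once the required security is not met), as an added example that is not ABN AMRO's or Sonatype's code: a dependency-scan gate that evaluates a constructed report against assumed CVSS and license thresholds and exits non-zero on a violation.

```python
"""Build breaker for a dependency scan: exit non-zero when the security policy is violated.

Added example, not ABN AMRO's or Sonatype's code. The report layout and the
thresholds are assumptions; a real stage would parse the dependency-scan tool's output.
"""
import sys
from dataclasses import dataclass, field

# Constructed sample report: one entry per component finding (CVSS 0.0 = no known issue).
SAMPLE_REPORT = [
    {"component": "example:web-framework:1.0", "cvss": 9.8, "license": "Apache-2.0"},
    {"component": "example:io-utils:2.6", "cvss": 0.0, "license": "Apache-2.0"},
    {"component": "example:reporting-lib:3.1", "cvss": 5.3, "license": "GPL-3.0"},
]


@dataclass(frozen=True)
class Policy:
    """Gate thresholds (assumed values, not ABN AMRO's actual policy)."""
    fail_cvss: float = 7.0                     # at or above: build is broken
    warn_cvss: float = 4.0                     # at or above: reported, build continues
    banned_licenses: frozenset = field(default_factory=lambda: frozenset({"GPL-3.0", "AGPL-3.0"}))


def evaluate(report, policy=Policy()):
    """Return (build_ok, violations, warnings) for one scan report."""
    violations, warnings = [], []
    for finding in report:
        comp, cvss, lic = finding["component"], finding["cvss"], finding["license"]
        if cvss >= policy.fail_cvss:
            violations.append(f"{comp}: CVSS {cvss} >= {policy.fail_cvss}")
        elif cvss >= policy.warn_cvss:
            warnings.append(f"{comp}: CVSS {cvss}, review before release")
        if lic in policy.banned_licenses:
            violations.append(f"{comp}: license {lic} is not allowed")
    return (not violations), violations, warnings


def main(report=SAMPLE_REPORT):
    """Print the findings; the non-zero exit status is what breaks the Jenkins build."""
    ok, violations, warnings = evaluate(report)
    for line in warnings:
        print("WARN", line)
    for line in violations:
        print("FAIL", line)
    print("BUILD OK" if ok else "BUILD BROKEN: fix the findings above to proceed")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pipeline stage, the script's exit status is the only signal Jenkins needs; the printed lines are what the developer sees in the build log.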
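The "Docker lint syntax check" stage of the container pipeline on slide 18, together with the secrets-in-image and static-image focus areas of slide 19, as an added example that is not ABN AMRO's pipeline code: a small static check over a constructed weak Dockerfile and its hardened counterpart, with assumed rules (pinned base image, no credential-like ENV/ARG values, COPY over ADD, minimal packages, non-root USER).

```python
"""Static pre-build checks on a Dockerfile for the container pipeline.
Added example, not ABN AMRO's pipeline code. The rules and both sample Dockerfiles
are constructed to illustrate the lint and secrets-in-image focus areas on the slides.
"""
import re

# Constructed sample: the kind of Dockerfile the gate should reject.
WEAK_DOCKERFILE = """\
FROM openjdk:latest
ENV DB_PASSWORD=hunter2
ADD app.jar /opt/app/app.jar
RUN apt-get update && apt-get install -y curl
CMD ["java", "-jar", "/opt/app/app.jar"]
"""

# Constructed sample: the hardened form of the same image.
HARDENED_DOCKERFILE = """\
FROM openjdk:11-jre-slim
COPY app.jar /opt/app/app.jar
USER 1001
CMD ["java", "-jar", "/opt/app/app.jar"]
"""
SECRET_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)


def check_dockerfile(text):
    """Return a list of (rule, line_no, message); an empty list means the build may proceed."""
    findings, has_user = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]                       # drop "AS <stage>"
            tagged = ":" in image.rsplit("/", 1)[-1] and not image.endswith(":latest")
            if "@sha256:" not in image and not tagged:
                findings.append(("pin-base-image", no, "base image not pinned to a tag or digest"))
        elif instr in ("ENV", "ARG") and SECRET_NAME_RE.search(args):
            findings.append(("no-secrets-in-image", no, "credential baked into image layer; use a secrets store"))
        elif instr == "ADD" and not re.search(r"https?://|\.tar", args):
            findings.append(("prefer-copy", no, "use COPY for local files; ADD unpacks archives and fetches URLs"))
        elif instr == "RUN" and "apt-get install" in args and "--no-install-recommends" not in args:
            findings.append(("minimal-packages", no, "install only what is needed (--no-install-recommends)"))
        elif instr == "USER":
            has_user = True
    if not has_user:
        findings.append(("non-root-user", 0, "no USER instruction: process runs as root"))
    return findings


def build_allowed(text):
    """Gate decision: the image may be built and signed only when no finding was raised."""
    return not check_dockerfile(text)
```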

Editor's notes

  1. December not counted – a “buffer” to switch on! March – April + 2 teams ALM/QRM May/June + 2 teams Tikkie