This talk will describe how to design a secure SDLC for regulated organizations.
By applying techniques from DevOps and from the security disciplines, you will learn how to design compliance needs into your process, so that the process itself is provable and produces an audit trail.
3. @meekrosoft
Agenda
● SDLC BINGO
● What can we learn from history?
● Why define a SDLC?
● The role of DevOps
● Establishing security goals for a SDLC
● Implementation compliance controls
● Driving Security Culture with a SDLC
PRINCE2

“This strong emphasis on tailoring has led some users to complain that PRINCE2 is unfalsifiable, i.e. it is impossible to tell whether PRINCE2 "works" or constitutes "best practice" if any problems encountered with a project can be blamed on inappropriate application of PRINCE2 rather than on PRINCE2 itself.”
Rational Unified Process
“We believe that a branded process like RUP, or XP, is out -- because such a thing is just a collection of practices. Instead practices will become first class citizens”

Ivar Jacobson
https://www.techrepublic.com/article/80-of-software-is-no-brain-work-ivar-jacobson/
SCRUM
“I really am coming to think that software developers of all stripes should have no adherence to any “Agile” method of any kind”

Ron Jeffries
https://ronjeffries.com/articles/018-01ff/abandon-1/
All will eventually be ridiculed (often by their creators)

“...the implementation described above is risky and invites failure”

(followed by the PRINCE2, Ivar Jacobson and Ron Jeffries quotes already given above)
Great advice for entrepreneurs, terrible advice if you make software that can:
● Control economies
● Drive cars
● Control insulin
● Manage critical infrastructure
Compliance with Standards
● Ensure that products and services are safe, reliable and of good quality.
● Reduce costs by minimizing waste and errors and increasing productivity.
● Help companies to access new markets.
Defined Processes Improve Quality
“Checklists seem to provide protection against such failures. They remind us of the minimum necessary steps and make them explicit. They not only offer the possibility of verification but also instill a kind of discipline of higher performance.”
SW Compliance across the value stream
Scope: Product Management, Software Development, IT Operations
Change Advisory Board

“We found that external approvals were negatively correlated with lead time, deployment frequency, and restore time, and had no correlation with change fail rate. In short, approval by an external body (such as a manager or CAB) simply doesn’t work to increase the stability of production systems, measured by the time to restore service and change fail rate. However, it certainly slows things down. It is, in fact, worse than having no change approval process at all.”

Forsgren PhD, Nicole. Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations. IT Revolution Press. Kindle Edition.
The Risk
“The absence of change approval controls creates the risk of untested and unauthorized code being introduced into production.”
The Challenge
“Companies that decide to move to a DevOps model find the transition difficult as manual processes become blockers for rapid rates of change.”
“we find that the conflict [between DevOps and Audit] is just a perception ... DevOps in fact can be considered as a practice that offers better Audit/Compliance as compliance.”
Step 1: Define your (automated) process
Process scope: Product Management, Software Development, IT Operations

Tooling shown: Nexus, Jenkins, Cucumber, SonarQube, Docker, Crucible, Bitbucket
compliancedb.com
Step 3: Automate the Audit Trail

Pipeline stages: Build → Test → Security Analysis → Deploy to Staging → Release Candidate?

Evidence written to the System of Record as each stage completes: Create Artifact, Code Review Data, Unit Test Result, Functional Test Result, Analysis Result, Deployment Result, Compliance State.
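The following is an added example of what Step 1 (a defined, automated process) and Step 3 (an automated audit trail) can look like in code. It is not code from the talk, from the tools listed, or from compliancedb.com. It assumes a system of record implemented as an append-only, hash-chained log; the evidence kinds (one per pipeline stage), the "pass"/"fail" statuses, the release rule (every required kind present and its latest status "pass") and the sample run are all this example's own assumptions, and the tool names in the constructed sample data are only labels.

```python
"""Added example: an append-only, hash-chained audit trail for a CI/CD
pipeline. Not the talk's or compliancedb.com's code; evidence kinds,
statuses and the release rule are assumptions made for this example.
"""
import hashlib
import json

# Evidence the release gate requires for every artifact. Assumption: one
# kind per stage shown on the "Automate the Audit Trail" slide.
REQUIRED_EVIDENCE = (
    "artifact",         # Build: artifact created and its digest recorded
    "code_review",      # Code review data
    "unit_test",        # Unit test result
    "functional_test",  # Functional test result
    "analysis",         # Security analysis result
    "deployment",       # Deploy-to-staging result
)

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical_json(obj) -> bytes:
    """Deterministic encoding so the same entry always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only list of entries; each entry commits to its predecessor,
    so editing or deleting earlier evidence breaks every later hash."""

    def __init__(self):
        self.entries = []

    def record(self, artifact_digest: str, kind: str, status: str, **detail) -> str:
        """Append one piece of evidence and return its entry hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "artifact": artifact_digest,
            "kind": kind,
            "status": status,
            "detail": detail,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=sha256_hex(canonical_json(body)))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or sha256_hex(canonical_json(body)) != entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True

    def compliance_state(self, artifact_digest: str) -> dict:
        """The latest status per evidence kind decides whether this
        artifact may become a release candidate (rule is an assumption)."""
        latest = {}
        for entry in self.entries:
            if entry["artifact"] == artifact_digest:
                latest[entry["kind"]] = entry["status"]  # later entries win
        missing = [k for k in REQUIRED_EVIDENCE if k not in latest]
        failed = [k for k in REQUIRED_EVIDENCE
                  if latest.get(k) not in (None, "pass")]
        state = "release_candidate" if not (missing or failed) else "blocked"
        return {"state": state, "missing": missing, "failed": failed}


def build_sample_trail():
    """Constructed sample run of the pipeline for one artifact."""
    trail = AuditTrail()
    digest = sha256_hex(b"example-build-output")  # stands in for a real artifact
    trail.record(digest, "artifact", "pass", name="app-1.4.2.jar")
    trail.record(digest, "code_review", "pass", reviewers=2, tool="Crucible")
    trail.record(digest, "unit_test", "pass", passed=412, failed=0)
    trail.record(digest, "functional_test", "fail", failed_scenarios=["checkout"])
    trail.record(digest, "functional_test", "pass", rerun=True, failed_scenarios=[])
    trail.record(digest, "analysis", "pass", tool="SonarQube", blockers=0)
    trail.record(digest, "deployment", "pass", env="staging")
    return trail, digest


if __name__ == "__main__":
    trail, digest = build_sample_trail()
    print("chain intact:", trail.verify())
    print("state:", trail.compliance_state(digest))
```

The failed functional test stays in the log next to the passing rerun, which is the point of an automated trail: the auditor sees what happened, not a hand-edited summary. The hash chain only detects tampering if its head (the last entry hash) is stored somewhere the pipeline's own credentials cannot rewrite, for example signed and kept outside the CI system; otherwise whoever can edit the log can simply recompute the chain.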