This talk will describe how to design a secure SDLC for regulated organizations. By applying techniques from DevOps and security disciplines, you will learn how to design in compliance needs into your process, to provide a provable process and audit trail.

1. @meekrosoft
Designing a Secure SDLC
with DevOps
Mike Long @meekrosoft

2. @meekrosoft
Agenda

3. @meekrosoft
Agenda
● SDLC BINGO
● What can we learn from history?
● Why define a SDLC?
● The role of DevOps
● Establishing security goals for a SDLC
● Implementation compliance controls
● Driving Security Culture with a SDLC

4. @meekrosoft
Spot the cargo cult!
Software Development
Life Cycle BINGO

5. @meekrosoft

6. @meekrosoft
“...the implementation
described above is risky
and invites failure”

7. @meekrosoft

8. @meekrosoft
Prince2 “This strong emphasis on tailoring has led
some users to complain that PRINCE2 is
unfalsifiable, i.e. it is impossible to tell
whether PRINCE2 "works" or constitutes
"best practice" if any problems encountered
with a project can be blamed on
inappropriate application of PRINCE2
rather than on PRINCE2 itself.”

9. @meekrosoft

10. @meekrosoft
Rational Unified Process
“We believe that a branded process like
RUP, or XP, is out -- because such a thing is
just a collection of practices. Instead
practices will become first class citizens”
Ivar Jacobson
https://www.techrepublic.com/article/80-of-software-is-no-brain-work-ivar-jacobson/

11. @meekrosoft

12. @meekrosoft
SCRUM
“I really am coming to think that software
developers of all stripes should have no
adherence to any “Agile” method of any
kind”
Ron Jeffries
https://ronjeffries.com/articles/018-01ff/abandon-1/

13. @meekrosoft

14. @meekrosoft
V-Model

15. @meekrosoft

16. @meekrosoft
ITIL v4

17. @meekrosoft

18. @meekrosoft
DevOps

19. @meekrosoft
What can we learn from
history?

20. @meekrosoft
All have a diagram

21. @meekrosoft
All will eventually be ridiculed
(often by their creators)
“...the implementation
described above is risky and
invites failure”
“This strong emphasis on tailoring has led
some users to complain that PRINCE2 is
unfalsifiable, i.e. it is impossible to tell
whether PRINCE2 "works" or constitutes
"best practice" if any problems encountered
with a project can be blamed on
inappropriate application of PRINCE2
rather than on PRINCE2 itself.”
“We believe that a branded process like RUP, or XP, is
out -- because such a thing is just a collection of
practices. Instead practices will become first class
citizens”
Ivar Jacobson
https://www.techrepublic.com/article/80-of-softwar
e-is-no-brain-work-ivar-jacobson/
“I really am coming to think that software developers of all
stripes should have no adherence to any “Agile” method of
any kind”
Ron Jeffries
https://ronjeffries.com/articles/018-01ff/abandon-1/

22. @meekrosoft
Subject to confirmation bias
http://chainsawsuit.com/comic/2014/09/16/on-research/

23. @meekrosoft
Encourage template thinking

24. @meekrosoft

25. @meekrosoft
Encourage template thinking

26. @meekrosoft
Why define a SDLC in the
first place?

27. @meekrosoft

28. @meekrosoft
Great advice for entrepreneurs,
terrible advice if you make
software that can:
● Control economies
● Drive cars
● Control insulin
● Manage critical infrastructure

29. @meekrosoft
Regulated Industries

30. @meekrosoft
Regulated Industries
§1.1 Regulations

31. @meekrosoft
Regulated Industries
ACME Corp.
Translate into
processes
Continuous
Documentation
Meetings and
Signoffs
§1.1 Regulations

32. @meekrosoft
Regulated Industries
ACME Corp.
Translate into
processes
Continuous
Documentation
Meetings and
Signoffs
§1.1 Regulations

33. @meekrosoft
Compliance with Standards
● Ensure that products and
services are safe, reliable
and of good quality.
● Reduce costs by
minimizing waste and
errors and increasing
productivity.
● Help companies to access
new markets

34. @meekrosoft
Defined Processes Improve Quality
“Checklists seem to provide
protection against such
failures. They remind us of the
minimum necessary steps
and make them explicit. They
not only offer the possibility of
verification but also instill a
kind of discipline of higher
performance.”

35. @meekrosoft
SW Compliance across the value stream
Confidential - Do Not Share
Scope Product
Management
Software
Development
IT Operations

36. @meekrosoft

37. @meekrosoft

38. @meekrosoft

39. @meekrosoft
So how do we get rid of
“silos, batches, queues
and gates” while staying
compliant?

40. @meekrosoft
The role of DevOps
in Compliance
A short introduction

41. @meekrosoft
What is DevOps?

42. @meekrosoft
What is DevOps?

43. @meekrosoft
DevOps

44. @meekrosoft
DevOps is a SocioTechnical System

45. @meekrosoft
DevOps is a SocioTechnical System

46. @meekrosoft

47. @meekrosoft
Compliance ALSO is a SocioTechnical
System

48. @meekrosoft
Compliance ALSO is a SocioTechnical
System
?

49. @meekrosoft
Change Advisory Board

50. @meekrosoft
We found that external approvals were negatively
correlated with lead time, deployment frequency,
and restore time, and had no correlation with
change fail rate. In short, approval by an external
body (such as a manager or CAB) simply doesn’t
work to increase the stability of production systems,
measured by the time to restore service and change
fail rate. However, it certainly slows things down. It is,
in fact, worse than having no change approval
process at all.
Forsgren PhD, Nicole. Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing
Technology Organizations . IT Revolution Press. Kindle Edition.
Change Advisory Board

51. @meekrosoft
The Risk
“The absence of change
approval controls creates
the risk of untested and
unauthorized code being
introduced into
production.”

52. @meekrosoft
The Challenge
“Companies that decide
to move to a DevOps
model find the transition
difficult as manual
processes become
blockers for rapid rates of
change.”

53. @meekrosoft
The Reality
“PCI/DSS requirement is to
use two different
accounts, not necessarily
two different human
beings.”

54. @meekrosoft
“we find that the conflict
[between DevOps and Audit]
is just a perception ...
DevOps in fact can be
considered as a practice
that offers better
Audit/Compliance as
compliance.”

55. @meekrosoft
Compliance As Code
https://www.youtube.com/watch?v=A8Qwu1bYIO8

56. @meekrosoft
A short introduction
Establishing security
goals for a SDLC

57. @meekrosoft

58. @meekrosoft
Insider Threat

59. @meekrosoft
● Code reviews
● Coding Standards
● Verifiable builds
● Test coverage
● Static Analysis
● Vulnerability Scanning
● Verifiable deployments
Conformance to process

60. @meekrosoft
Audit Traceability
ACME Corp.
Translate into
processes
Continuous
Documentation
Meetings and
Signoffs
§1.1 Regulations

61. @meekrosoft
Immutable Infrastructure + Hash == Traceability
“If everything is source code, no-one needs access to production”
@topopal
Immutable infrastructure
Software
package hash

62. @meekrosoft
Standard Tooling
● Lowers attack surface
● Faster to onboard new users
● “Rising tide lifts all boats”

63. @meekrosoft
Software Assurance Maturity Model.
https://owaspsamm.org

64. @meekrosoft

65. @meekrosoft
Implementing
compliance controls
A short introduction

66. @meekrosoft
Step 0: Value Stream Mapping

67. @meekrosoft
Step 1: Define your (automated) process
Process
Scope Product
Management
Software
Development
IT Operations
Nexus
Jenkins
Cucumber
SonarQube
Docker
Crucible
Bitbucket

68. @meekrosoft
Step 2: Locate
the data

69. @meekrosoft
compliancedb.comcompliancedb.com
Step 3: Automate the Audit Trail
System of
Record
Build
Test
Security
Analysis
Deploy to
Staging
Release
Candidate?
Create Artifact
Code Review Data
Unit Test Result
Functional Test Result
Analysis Result
Deployment Result
Compliance State

70. @meekrosoft
Step 4: Enforce compliance in the
pipelines
master

71. @meekrosoft
Step 5: Automate Release
Controls and Audit
Documentation
compliancedb.com
master
Release2?Release1

72. @meekrosoft
Step 6: Use the
time you used to
spend on
meetings and
paperwork to
catch up on the
latest devops
cr*p

73. @meekrosoft
Driving Security Culture
with a SDLC
A short introduction

74. @meekrosoft
740Over 740 applications going through one delivery pipeline
Aim for one pipeline

75. @meekrosoft

76. @meekrosoft
Google Binary Authentication for Borg
BAB
Product
Management
Software
Development
Release Control Production

77. @meekrosoft

78. @meekrosoftWith DevOps you CAN comply!

79. @meekrosoft
compliancedb.com