Monthly Archives: March 2016

We DevOps’d – Experience and Lessons Learned Securing the SDLC

Sherly Abraham, Ph.D., Excelsior College
Din Cox, Ph.D., CISSP, ISSAP, ISSMP, CSSLP, CISA, CISM, CRISC, CEH, etc.
Medical Science and Computing, LLC
Sherly Abraham, Ph.D.
• Excelsior College
• Program Director for Cybersecurity
• Research Interests
  • Software Security
  • Information Security Training
  • Corporate Governance
Presentation Objectives
• Challenges in enterprise software security
• What is DevOps
• DevOps Foundations
• Relevance of DevOps to Security
• Lessons learned from application of DevOps
• Recommendations and Resources
2014-2015 Software Bugs
• Heartbleed
• Shellshock
• POODLE
• Gotofail
Growth in Software Vulnerabilities
Chart: number of vulnerabilities caused by software flaws. Source: National Vulnerability Database
Software Security Issues
• Defects
  • Bugs, e.g. buffer overflow
  • Design flaws, e.g. inconsistent error handling
• Maintenance hooks
  • Backdoors
Software Development Security
• Requires a “holistic” and “proactive” approach
Diagram: Software Security at the centre, supported by Educating Developers and Users, Design Secure, Build Secure, and Testing for Security
Software Development Life Cycle
Reference: WikiCommons, commons.wikimedia.org/wiki/File:SDLC_-_Software_Development_Life_Cycle.jpg
Software Development Models
• Linear Sequential
  • Waterfall model
• Incremental
  • Prototyping
  • RAD
• Iterative
  • Spiral
  • Agile
    • Teamwork, iterative and incremental
Challenges: Enterprise Software Security
• Security not built-in
• Disconnect between developers, business owners, end users and quality assurance
• Configuration management
• No established metrics and continuous improvement
• Complexity and diversity of development tools, programming languages, and platforms
What is DevOps
• Lean and Agile methods
• Narrow the disconnect between development and business drivers
• Strong collaboration between developers, operations, business, security, and quality assurance teams
• Continuously incorporate feedback from customers and business owners
Foundations of DevOps
• Shift Left concept
  • Address operational issues earlier
  • Test with systems that behave like production
• Agile and iterative approach
  • Continuous, automated deployment and testing
• Metrics and evaluation of quality
  • Measure and test effectiveness earlier in the development cycle
• Facilitate feedback from all stakeholders
  • Enable all stakeholders to communicate and provide feedback
DevOps Focus
• Rapid incorporation of customer feedback
• Faster delivery process
• Collaboration between disparate teams
• Continuous release and deployment
• Continuous testing
• Ongoing evaluation
DevOps Architecture
Diagram: Development → Testing → Production
• Ongoing integration
• Ongoing testing
• Ongoing monitoring
Shift Left – Operational, Security and End user input
What DevOps is not
• Another software development model
• Everything runs and is tested in production
• Blurs the line between developers, system administrators, security
• Tool specific
• A specific job title for DevOps
Relevance of DevOps to Security
• Integration of security in the early stages of development
• Security testing in early stages of development
• Strong cross-functional integration
• Configuration management
Din Cox, Ph.D.
• Medical Science and Computing, LLC
  • Application Security Focus
• Research Interests
  • Mobile and Application Security
  • Biometrics
  • Machine Learning
• SynAck Red Team Security Researcher
  • Bug hunter
State of Affairs
https://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
Results
Key Findings
• Companies with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals.
• IT performance improves with DevOps maturity, and strongly correlates with well-known DevOps practices.
• Culture matters. The cultural practices of DevOps are predictive of organizational performance.
• Job satisfaction is the No. 1 predictor of performance against organizational goals.
puppetlabs.com/2014-devops-report
www.s-sa.co.uk
Organizational Context
• Current project – Rugged DevOps
• Integrate and promote secure coding practices in the SDLC across the organization – Agile, Waterfall.
• 700+ developers – geographically dispersed
• Multiple languages and frameworks (Java, PHP, Django, Python, Angular, ColdFusion, Ruby, etc.) + Mobile (iOS, Android)
• Training and education
Success Factors
• Cultural change – i.e. view of software security
• Clear repeatable processes
  • Software must be scanned before going to production
  • Policy alignment – remediation timeframe
• Fault detection automation
• Continuous integration – automating unit testing and deployment of software
• Security standard adoption for software development
• Ability to balance security risks with software development agility
• Improve effectiveness of public-facing applications
  • Usage patterns, break/fix
DevOps Tools
Secure SDLC
• Security requirements need to be defined as early as possible during the SDLC
Accomplishments
• Agile testing (security)
• Secure coding + operations + collaboration
• Developer training and education
• Rapid communication on vulnerability intelligence
• Quicker patch cycles/remediation of vulnerabilities
• Collaboration between Development and Operations
Security Automation
• SAST (Static Application Security Testing)
  • Examines source code, byte code or application binaries for conditions indicative of a security vulnerability
  • Leverage tools – static analysis, etc.
• DAST (Dynamic Application Security Testing)
  • Black-box (functional and non-functional), white-box, and defect-based tests
  • Examines the application at runtime to identify vulnerabilities
  • Robustness testing (i.e. fuzz testing) or fault injection
• Integrate with build and code repositories – Git, Bamboo, Jenkins, etc.
Realized Benefits
• Identify problems early
• Continuous integration
• Infrastructure automation
• System stability and uptime
  • Monitoring
  • Deployment
• Continuous delivery – testing
Challenges
• Misaligned tools and processes
• Competing interests (development vs operations)
• Infighting – who’s at fault when something happens
• Documentation
• Varying views of security and roles
Lessons Learned
• Requires resources – people
• Cannot be done in a vacuum; the environment is dynamic
• Align IT with the business
• Leverage internal talent
• Visibility of applications – customer experience, including components (server, DB, etc.)
• Training and education
Recommendations
• Start at the top
  • Organization buy-in and support
• Measure success – metrics
  • Deployment frequency
  • Mean time to recover (MTTR)
  • Identify system failures / waste
• Automate where possible (Puppet, etc.)
• Decompose system components into modules
• Identify a champion in each department
• Establish a center of excellence
Resources
• www.rackspace.com/blog/enterprise-cloud-forum-recap-prepare-for-devops-success/
• www.isaca.org/knowledge-center/research/researchdeliverables/pages/devops-overview.aspx
• puppetlabs.com/2013-state-of-devops-infographic
• puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf

DevOps in Practice – Josh Salmanson

March 5, 2015
Confidential and Proprietary www.cvpcorp.com
AGENDA
• What is DevOps?
• What does DevOps look like?
• How CVP does DevOps
• Why is DevOps important?
• DevOps is fundamentally changing IT delivery models
• How can DevOps help your organization?
• How can DevOps benefit you?
FedCASIC 2015
Confidential and Proprietary
March 5, 2015
www.cvpcorp.com
WHAT IS DEVOPS?
• Next step in the evolution of IT delivery and the integration of multiple operating concepts, including Agile Development, Continuous Integration and Continuous Delivery, Lean, and ITIL
• Involvement of shared services delivery chain organizations early and often throughout the development project, to include
  • Configuration Management (CM)
    • To enable continuous delivery of tested software solutions into controlled baselines, to maximize validation and integration efforts
  • Independent Verification and Validation (IV&V)
    • To enable repeated quality verification and validation within development iterations, minimizing the time and effort for formal IV&V post-development
  • Operations
    • To incorporate operational requirements into software designs, minimizing deployment and sustaining operations risk
WHAT DOES DEVOPS LOOK LIKE?
Diagram: DevOps in relation to the application lifecycle management view of the world
WHAT DOES DEVOPS LOOK LIKE – ACROSS THE SDLC?
HOW CVP DOES DEVOPS
WHY IS DEVOPS IMPORTANT?
• It is an effective response to the reality that nearly every IT organization and provider is under tremendous pressure to respond more quickly to business needs AND provide stable, secure, predictable IT services… in spite of the fact that the different functional delivery teams are typically not organized for, or focused on, the same success criteria
DEVOPS IS CHANGING FACE & PACE OF BUSINESS
• DevOps is showing significant business effects for early adopters and is making the attentive large businesses of the world change their strategies before they become irrelevant.
• Organizations applying DevOps principles deploy code 30x more frequently with 50% fewer failures, and experience a 12x faster MTTR.
• Amazon has dramatically improved its capacity for simultaneous deployments in its hosted and production environments, from a maximum of 1,079 deploys in a single hour to an average of 10,000 hosts and a maximum of 30,000 hosts receiving deploys simultaneously as of Oct ‘14.
• Companies of all sizes are seeing similar improvements
  • “what once required 6-14 hours and an army of resources, now takes 15 min and 1 person”.
  • We have gone from 30+ deploys per day in 2013 to 50 deploys/day in March 2014 to 80-90 deploys/day in April 2014.
HOW CAN DEVOPS HELP YOUR ORGANIZATION?
• Start small and expand from there
• Meet delivery expectations – quicker delivery time, shorter time to market
• Meet objectives of IOE (Improving Operation Efficiency) – doing more with less
• More secure environment (network, infrastructure, systems) – data security
• Engage user community early on and keep their interest/focus
• Enterprise architecture
HOW CAN DEVOPS HELP YOU?
• Closer relationships with end users, sponsors, and all IT parties/groups involved
• Better understanding of all of the requirements
• More manageable scope and activities
• Quicker time to find out if something needs to be abandoned
CONTACT INFORMATION
• We appreciate the opportunity to present our capabilities
• Please contact us with any additional questions
Diem Huynh, Senior Manager, Customer Value Partners, Inc. E-mail: diemhuynh@cvpcorp.com Office: 202.365.7321

DevOps ! Technical Agility – Dominic Delmolino

11 March 2015
What is DevOps?
DevOps is the term for the practical technical, cultural and organizational techniques used to facilitate the practices of Agile Software Development, from Requirements through Release.
Agile Development = Rapid Feedback Cycles
How quickly can I test this so I can get feedback on what I need to do next?
What is Agile Development?
• Value individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan
• Highest priority is to satisfy the customer through early and continuous delivery of valuable software
• Welcome changing requirements; harness change for improvement
• Deliver working software frequently, from weeks to months, preferring the shortest possible timescale
• At regular intervals, teams reflect on how to become more effective, then tune and adjust accordingly
• Working software is the primary measure of progress
• Simplicity – the art of maximizing the amount of work not done – is essential
• Constantly measure whether or not software is delivering value; correct and adjust as often as necessary
What does DevOps look like?
Diagram: On Demand, Preconfigured Development and Testing Environments. Agile Development Best Practices carry work from Business to Customer through Continuous Integration, Automated Testing and Continuous Delivery to a Stable and Useful Release. Labels: “Consistent virtual environments are more reliable”; “Test Environments On Demand (Automated Subsets of Baseline)”; “Knowledge Maintained! Change Added.”; “Reduce Time from Idea to Solution & Verification”; “Same Configuration – Consistent and Repeatable”.
DevOps Capabilities for Agile Development
• cloud based resources
• workstation and server configuration management
• platform and tool repository
• directory and notification services
• automated testing and continuous integration
• distributed version control
• online code review services
• authorization and access control
• agile lifecycle management
• collaboration support
DevOps Workflow
1. Developer onboarding
   • Issued physical or virtual workstation
   • Images built by Operations & Security
2. Project admin adds Developer to Project
   • Authorizes access to project repositories, wiki spaces and build server
3. Developer downloads project-specific workstation configuration from binary repository
   • Developer runs workstation configuration
   • Auto-installs tools and source code repo
4. Developer writes tests and code
   • Gets stories from ALM, adds content to wiki
   • After review, Developer commits and pushes code to central source code repository for project
   • Developer updates tasks and stories
5. Developer builds code and tests in private local environment (on workstation or in cloud)
   • Local environment matches production environment as much as possible
6. Developer posts code for online review and commentary by peers and supervisors
7. Build server polls for and retrieves code changes
   • Builds executables/war files and displays status
   • Notifies developers of failures and need to revert
   • Performs builds and tests in succession
   • Example build flow:
     • Development build (check for coding errors)
     • Integration build (may include mock services)
     • Functional test build (creation of cloud test VMs)
     • Security test build (i.e. Fortify scans)
     • Deployment build (results in deployment artifact in binary repository, i.e., Nexus / Artifactory)
Tools shown alongside the workflow steps: Amazon Web Services, VMWare, Docker; JIRA / Greenhopper, Rally, VersionOne; Confluence, XWiki; Maven / Gradle; JUnit / DBUnit, Selenium / Geb / Spock; Git (GitLab, Git Enterprise), Subversion; Jenkins / Hudson, Bamboo; Review Board, Barkeep; Nexus, Artifactory (project tools); Chef, Puppet; Active Directory, Atlassian Crowd, OpenLDAP / OpenDJ; Email Notification.
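As an added example (not code from any of the decks on this page), the build flow above run in succession, with the security test build acting as the scan-before-production gate that the “Security Automation” and “Success Factors” slides call for; the findings format, severities and remediation thresholds are constructed for the example and Fortify’s own report format is not used.

```python
"""Added example (not code from any deck on this page): the 'DevOps Workflow'
slide's build flow run in succession, with the security test build gating the
deployment build. Findings format and policy thresholds are constructed;
Fortify's own report format is not used."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Finding:
    rule: str        # scanner rule name, e.g. "SQL Injection"
    severity: str    # "critical" | "high" | "medium" | "low"
    location: str    # file:line reported by the scanner

@dataclass
class GatePolicy:
    """Constructed policy: blocking severities fail the build; the rest are tracked
    with a remediation deadline in days ('policy alignment - remediation timeframe')."""
    block_on: frozenset = frozenset({"critical", "high"})
    remediation_days: Dict[str, int] = field(default_factory=lambda: {"medium": 30, "low": 90})

def security_gate(findings: List[Finding], policy: GatePolicy) -> dict:
    """Decide whether the security test build passes and what must be tracked."""
    blocking = [f for f in findings if f.severity in policy.block_on]
    tracked = {f"{f.rule}@{f.location}": policy.remediation_days.get(f.severity, 0)
               for f in findings if f.severity not in policy.block_on}
    return {"passed": not blocking, "blocking": blocking, "tracked": tracked}

Stage = Tuple[str, Callable[[], Tuple[bool, object]]]

def run_build_flow(stages: List[Stage]) -> dict:
    """Run stages in order and stop at the first failure, so the deployment
    build never runs on a commit that failed an earlier stage."""
    completed: List[str] = []
    for name, step in stages:
        ok, detail = step()
        if not ok:
            return {"status": "failed", "failed_stage": name, "completed": completed, "detail": detail}
        completed.append(name)
    return {"status": "ok", "completed": completed, "detail": None}

# Constructed scanner output standing in for the security test build's results.
SAMPLE_FINDINGS = [Finding("SQL Injection", "high", "OrderDao.java:88"),
                   Finding("Log Forging", "medium", "AuditLog.java:41")]

def example_flow(findings: List[Finding], policy: GatePolicy = GatePolicy()) -> dict:
    """The slide's example build flow, with the security stage fed by `findings`."""
    artifacts: List[str] = []  # what the deployment build publishes

    def security() -> Tuple[bool, object]:
        gate = security_gate(findings, policy)
        return gate["passed"], gate

    def deployment() -> Tuple[bool, object]:
        artifacts.append("app-1.0.war -> binary repository")  # constructed artifact name
        return True, None

    stages: List[Stage] = [
        ("development", lambda: (True, None)),  # check for coding errors
        ("integration", lambda: (True, None)),  # may include mock services
        ("functional", lambda: (True, None)),   # cloud test VMs
        ("security", security),
        ("deployment", deployment),
    ]
    result = run_build_flow(stages)
    result["artifacts"] = artifacts
    return result
```

With the sample findings the flow stops at the security stage and publishes nothing; with only the medium finding it completes and the finding is carried forward with its 30-day remediation deadline.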
Application to Survey Channels and Surveys
Deployment
• Incremental deployment and verification
  • Deploy “Coming Soon” static page
  • Deploy “Countdown clock”
  • Deploy “Register to get notified”
  • Deploy “Login and create a profile”
  • Deploy “Survey capability 1”
  • Deploy “Survey capability 2”
• Process acts as a “pipe cleaner” to clear potential issues
Testing
• Validate survey sequencing and branching
  • Automate tests for all questions and answers
  • Automate branch testing
  • Automate accessibility testing
• Tests highlight changes to the survey that break sequences or make answer options inaccessible
• Test with every change, maintain a green survey
Production Scenarios
• Scalability – auto-scale using image deployments
• Zero-downtime fixes – spin up v2, re-direct traffic, spin down v1
• A/B testing & sampling – multiple versions
• GeoIP traffic sampling – like A/B but with directed routing
Overall Benefits to the DevOps Approach
• Rapid, consistent deployments
• Continuous testing, validation and verification
• Scalable deployments
• Zero-downtime fixes
• Traffic-routed testing
• More ways to verify and measure survey options
Thank You
Dominic Delmolino
email: dominic.delmolino@agilex.com office: 703.889.3800

DevOps – A Blueprint for Continuous Delivery of Software Innovation

IBM Integrated Solution for System z Development (ISDz)
Henk van der Wijk
23 January 2014
A lack of effective software delivery impacts the entire business
New era systems integrate operational systems
Systems of Interaction challenges: speed mismatch between faster-moving Systems of Engagement and slower-moving Systems of Record, delaying time to customer feedback
Four things that are different about developing applications for the mainframe environment
DevOps: A blueprint for continuous delivery of software innovation
IBM DevOps: An improved software delivery lifecycle
Cost is a significant driver
Testing and Delivery – where are customers today?
Stage One – Increase availability of z/OS testing environment and resources
Testing and Delivery – moving one step forward
IBM Integrated Solution for System z Development Leveraging the principles of DevOps to deliver high quality applications

IBM Provides Expertise Across the DevOps Lifecycle

Top technology trends are impacting how organizations compete, yet approximately 75 percent of companies are underprepared
Business innovation is increasingly being delivered via software Rapid pace of change and the digitization of business drives the need for agility
Organizations that effectively leverage software innovation outperform their competitors… yet few are able to deliver it effectively

Think LEAN about their software delivery process
Market shifts require a fundamental change to the way businesses approach the development lifecycle
An approach for continuous delivery of software-driven innovation
By adopting a DevOps approach, organizations can seize new opportunities and gain competitive advantage
IBM provides expertise across the DevOps lifecycle
New capabilities to enable a DevOps approach: enterprise capability for continuous software delivery that enables clients to seize market opportunities and reduce time to customer feedback
Focus on Develop and Test Collaborative Development practice
Grand slam tennis events
Collaborative Development Single, integrated platform for agile, mobile, cloud & traditional development
How?
Unify across a diverse environment; disciplines, platforms and tools, while freeing up the team by automating manual, time-consuming and error-prone tasks.
Featuring
Integrated software design for broader collaboration and traceability, and lifecycle adapters for connecting with third-party tools.
Optimized support for mobile, SAP and IBM WebSphere Application Server
Integration with the IBM Mobile Platform (Worklight).
Extend the value of existing tools with capabilities and compilers optimized for IBM middleware and hardware platforms.
What is required to deliver end-to-end visibility across teams, tools and projects?
Focus on Develop and Test Continuous Testing practice
Major U.S. insurer
Improving software quality by making integration testing more Agile

Demonstrating measurable results and business value
Focus on Release and Deploy Continuous Release and Deployment practice
IBM acquires UrbanCode
UrbanCode delivers Continuous Release and Deployment:
Drive down cost by automating manual tasks, eliminating wait-time and rework
Speed time to market by increasing the frequency of software delivery
Reduce risk through increased compliance of application deployments.
Enabling clients to more rapidly deliver mobile, cloud,
big data analytics and traditional applications
DevOps Capabilities :: Product Capability Portfolio
IBM DevOps Approach :: Quality – Proven Solution
Key take-aways
Two major challenges:
Removing waste/friction to drive project velocity
Infrastructure complexity – dealing with existing systems of interaction
Adopting DevOps
Accelerates delivery
Balances cost, quality and risk
Reduces time to feedback
Start with the business and IT initiatives
Find the bottleneck, the waste and friction in processes
DevOps is a journey to win/win success – incremental adoption

New capabilities to enable a DevOps approach: Products