Financial institutions, medical groups, governmental organizations, automotive companies… these types of entities all have unique and sometimes difficult-to-meet regulations. You may be required to have fine-grained auditability of your SDLC or maintain specific third-party integrations. Security models may be heightened, or certain types of compliance processes maintained. So how are we supposed to “do the DevOps” when we have so many things to worry about? In this webinar, we’ll explore some ways that you can adopt DevOps best practices and even (gasp!) thrive when building your DevOps and DevSecOps pipelines in highly-regulated industries.
2. Who am I
William Manning
Senior Solutions Engineer @JFrog
Twitter: @williammanning
3. What we will discuss
❖ What is a “highly regulated” environment
❖ Industry Examples
❖ Why Binary Management Matters
❖ Air Gapping
❖ DevSecOps
❖ How to meet regulation standards
4. JFROG IN A NUTSHELL
Significant Growth Momentum: 130% Net Expansion; 5,000+ Customers; 5 years FCF Positive; $13B+ Market; 67% YoY ARR growth
[chart: ARR ($M), FY'16 FY'17 FY'18; 65%]
Technology Leadership: Deloitte 2018 Technology Fast 500 Winners; Forbes Cloud 100 List; The 2018 SD Times 100 Award
Founded 2008; 500+ Employees; $230M Raised to date; Clients include >70%
6. THE JFROG PLATFORM - ENTERPRISE+
VCS & CI: Code & Build
PIPELINES: Continuously Integrate & Deliver
XRAY: Clear Security & Compliance Issues
ARTIFACTORY: Store & Manage Your Binaries Globally
DISTRIBUTION: Distribute To Production Site
ARTIFACTORY EDGE: Deploy To Production
ACCESS: Manage Authentication & Authorization Globally
MISSION CONTROL & INSIGHT: Analyze & Measure The Flow
7. THE ECOSYSTEM STRENGTHENING UNIVERSALITY
By partnering with other companies within the DevOps ecosystem, we are improving the way our customers can use JFrog products in their workflow.
Partner example: Chef
10. Highly Regulated Environments
Definition: “A physical or digital environment characterized by: air-gapped physical spaces, air-gapped computer systems, heightened access control, segregation of duties, inability to discuss certain topics outside of specific physical spaces, and an inability to transport certain artifacts off premise.”
11. What does that mean?
❖ Either Government or Industry regulation
❖ Role based access control (RBAC)
❖ Authorization To Operate (ATO)
❖ Content protection
❖ Encryption / Digital Signatures
❖ Process and Policies
❖ Auditing / Tracking
❖ Metadata Management
❖ Record Management
❖ Validation
12. Typical Problems
❖ Air-Gapped Environments
❖ Tedious change management process
❖ Slow approval process
❖ Limited communication between teams
❖ Gated SDLC processes
❖ Lack of centralized software management
❖ Varying stages of acceptance criteria
❖ Limited to no flexibility for developers
❖ Lifecycle / Archival requirements
❖ Long audit processes
13. Ideal Goals
❖ Identify roadblocks / process
❖ Look for ways to improve velocity through automation
❖ Make DevSecOps a requirement internally
❖ Build plans for all process gaps in DevOps
❖ Comply with regulations through scalable processes
❖ Design with regulation in mind when building the SDLC
❖ Use tools that help the regulated SDLC process
❖ Automate, automate, automate…
15. Software Development Responsibility
“A major vulnerability of many companies comes from Electronic Data Interchanges (EDI) and vendor system integration,” says Farris. “A 2017 report by Soha Systems indicated that as many as 63 percent of all reported data breaches originated directly or indirectly from third-party vendors.”
16. Financial / Banking
Securities and Exchange Commission (SEC)
European Central Bank (ECB)
US Consumer Financial Protection Bureau (CFPB)
General Data Protection Regulation (GDPR)
Sarbanes-Oxley (SOX)
Basel II
Dodd-Frank
FATCA
17. Financial / Banking
Traceability
Security and Privacy
Data Portability and Interoperability
License Governance
Software Update and Patching Practices
Segregation of duties
Network Isolation
18. “Just as practicing professionals such as doctors, accountants, and nurses are licensed, so should software engineers,” Thornton says. “The public needs to be able to rely on some sort of credential when choosing a contractor to write software.”
- Mitch Thornton, Vice Chair of the IEEE Licensure and Registration
Medical / Healthcare
19. Medical / Healthcare
E-health: Apps that connect to a medical device to control the device or display, store, analyse, or transmit patient-specific medical device data.
M-health: Apps that transform a mobile platform into a regulated medical device.
Genomics: Apps that perform patient-specific analysis and provide patient-specific diagnosis, or treatment recommendations.
20. Medical / Healthcare
US and EU regulations are very strict in dealing with medical data
API data has to have extensive ACLs and protection
3rd party libraries have to be scanned for possible breach-causing issues and approved
There are regulations for every aspect of building software for medical or healthcare
21. Software was recently at the center of a disaster that cost 157 people their lives
The responsibility of the developer is to ensure safety and security
Aerospace / Aviation
22. Aerospace / Aviation
National Airspace System (NAS) has a scale for software issues
There are regulations for every component of aeronautics
Focus on redundancy
23. Government
Government Furnished Software (GFS)
Software Co-Developed by the Government
Intellectual Property (IP)
Data Rights Requirements Analysis (DRRA)
Commercial-Off-The-Shelf (COTS) vs Open Source Software (OSS)
Federal Risk and Authorization Management Program (FedRAMP)
24. What are our options?
❖ How do you retain velocity without sacrificing security?
❖ What tools can help address regulations without impeding innovation?
❖ How do we …?
❖ There are many questions, but there are also many solutions
25. Binary Management
Control 3rd Party Dependencies
FOSS management
Release Storage
Metadata information
Automated Controls
Air Gap
Access Level Controls
Replication to Multiple Sites
DevSecOps
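The "Air Gap", "Automated Controls" and "Replication to Multiple Sites" items above share one mechanical need: when a bundle of binaries is carried across an air gap, the receiving side must be able to prove that what arrived is exactly what was approved for export. The following is an added example, not code from the webinar or from JFrog's products. It models the bundle as an in-memory dict of path to bytes so it runs offline, uses SHA-256 digests per artifact, and authenticates the manifest with an HMAC-SHA256 tag under a key assumed to be shared out-of-band (a stand-in for the digital signature a real distribution pipeline would apply). All paths, contents and the key are constructed sample values.

```python
"""Air-gap transfer check: a content-addressed manifest for an artifact bundle.

Added example, not JFrog code. The bundle is modelled as an in-memory
dict of path -> bytes so it runs offline; on a real transfer the same
functions would read files from the export medium. Assumptions: SHA-256
for content digests, and an HMAC-SHA256 tag over the manifest computed
with a key shared out-of-band (a stand-in for a digital signature).
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Connected side: record the digest and size of every artifact in the bundle."""
    return {
        "artifacts": {
            path: {"sha256": sha256_hex(blob), "size": len(blob)}
            for path, blob in sorted(files.items())
        }
    }


def canonical(manifest: dict) -> bytes:
    # Deterministic encoding so both sides MAC exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def tag_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_bundle(files: dict, manifest: dict, tag: str, key: bytes) -> list:
    """Air-gapped side: return findings; an empty list means the bundle may be imported."""
    findings = []
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        findings.append("manifest tag mismatch: manifest was altered or wrong key")
        return findings  # nothing below can be trusted if the manifest itself fails
    expected = manifest["artifacts"]
    for path, meta in expected.items():
        if path not in files:
            findings.append(f"missing artifact: {path}")
            continue
        blob = files[path]
        if len(blob) != meta["size"] or sha256_hex(blob) != meta["sha256"]:
            findings.append(f"digest mismatch: {path}")
    for path in files:
        if path not in expected:
            findings.append(f"unexpected artifact not in manifest: {path}")
    return findings


# Constructed sample bundle: two "artifacts" standing in for real binaries.
SAMPLE_BUNDLE = {
    "libs/acme-core-1.4.2.jar": b"\x50\x4b\x03\x04 fake jar contents",
    "images/acme-api-1.4.2.tar": b"fake OCI layer tarball",
}
SHARED_KEY = b"example-shared-key-exchanged-out-of-band"  # constructed, not a real secret


def demo() -> dict:
    """Run the clean, tampered and wrong-key cases and return their findings."""
    manifest = build_manifest(SAMPLE_BUNDLE)
    tag = tag_manifest(manifest, SHARED_KEY)
    clean = verify_bundle(SAMPLE_BUNDLE, manifest, tag, SHARED_KEY)
    tampered = dict(SAMPLE_BUNDLE)
    tampered["libs/acme-core-1.4.2.jar"] += b"\x00"  # one byte changed in transit
    tampered["tools/extra.sh"] = b"#!/bin/sh\n"          # file that was never approved
    altered = verify_bundle(tampered, manifest, tag, SHARED_KEY)
    wrong_key = verify_bundle(SAMPLE_BUNDLE, manifest, tag, b"not-the-key")
    return {"clean": clean, "altered": altered, "wrong_key": wrong_key}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "OK")
```

The manifest is checked before any artifact digest: if the manifest itself cannot be authenticated, the per-file digests it carries prove nothing, so the function stops there. Unexpected files are reported as well as missing or altered ones, because an air-gapped import gate must reject additions, not only modifications.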
26. Most software is composed of 90% open source components
Layers: Your Code, API, Libraries, Base OS
Code base: Java, C, NPM, etc.
Operating System: VM, Docker, Iron, etc.
Open Source & Compliance
27. Open Source & Compliance
Need for assessment of licenses associated with open source components
Traceability of open source components
Automating security / compliance tasks
End-to-end coverage: developer to deployment
28. Components
Application: Can I deploy a new version? What does this application contain? Is this application license compatible?
Containers: Is this container safe?
Microservices: Who is using this microservice? Can I deploy a new version?
Int/ext Packages and Int/ext Dependencies: Who is using this package? Is this package safe? Is it license compatible? Is this package outdated?
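Slide 27 asks for license assessment, traceability and automation of compliance tasks, and slide 28 lists the questions a team must be able to answer about every component. The following added example (not code from the webinar, from JFrog Xray or from any real scanner) shows the shape of a policy gate a CI step could run over a component inventory: license allowlist, advisory match by fixed version, outdated check, and a reverse lookup answering "who is using this package?". The applications, packages, versions, licenses and the advisory id are all constructed sample data; version strings are assumed to be dotted integers.

```python
"""Component policy gate over a constructed inventory.

Added example, not JFrog/Xray code. Answers the slide's questions
("Is this package safe? Is it license compatible? Is this package
outdated? Who is using this package?") with a check a CI step could run.
Inventory, advisories and license policy are constructed inline; a real
pipeline would pull them from repository metadata and a vulnerability feed.
"""
from dataclasses import dataclass


def vtuple(v: str) -> tuple:
    # Assumes dotted-integer versions only ("1.2.10" > "1.2.9").
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str   # versions below this are affected
    severity: str
    id: str


ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample data: not real packages, applications or advisories.
APPS = {
    "payments-api": [Component("json-lib", "2.3.0", "MIT"),
                     Component("crypto-helper", "1.0.4", "Apache-2.0")],
    "claims-portal": [Component("json-lib", "2.3.0", "MIT"),
                      Component("report-gen", "0.9.1", "GPL-3.0-only")],
    "hr-tool": [Component("crypto-helper", "1.0.4", "Apache-2.0")],
}
LATEST = {"json-lib": "2.4.0", "crypto-helper": "1.0.4", "report-gen": "1.0.0"}
ADVISORIES = [Advisory("json-lib", fixed_in="2.3.1", severity="high", id="EXAMPLE-ADV-0001")]


def who_uses(name: str, apps=APPS) -> list:
    """Traceability: every application whose inventory contains the package."""
    return sorted(app for app, comps in apps.items() if any(c.name == name for c in comps))


def check_component(c: Component, advisories=ADVISORIES, latest=LATEST) -> list:
    """Policy findings for one component; an empty list means it passes."""
    findings = []
    if c.license not in ALLOWED_LICENSES:
        findings.append(f"license {c.license} not in allowlist")
    for adv in advisories:
        affected = adv.name == c.name and vtuple(c.version) < vtuple(adv.fixed_in)
        if affected and adv.severity in BLOCKING_SEVERITIES:
            findings.append(f"{adv.id} ({adv.severity}), fixed in {adv.fixed_in}")
    if c.name in latest and vtuple(c.version) < vtuple(latest[c.name]):
        findings.append(f"outdated: {latest[c.name]} available")
    return findings


def gate(apps=APPS) -> dict:
    """Per application: 'deployable' plus every finding, blocking or advisory."""
    report = {}
    for app, comps in apps.items():
        findings = {}
        for c in comps:
            f = check_component(c)
            if f:
                findings[f"{c.name}@{c.version}"] = f
        # License and vulnerability findings block the release; "outdated"
        # alone is reported but does not block.
        blocking = [x for v in findings.values() for x in v if not x.startswith("outdated")]
        report[app] = {"deployable": not blocking, "findings": findings}
    return report


if __name__ == "__main__":
    for app, result in gate().items():
        print(app, "deployable" if result["deployable"] else "BLOCKED", result["findings"])
    print("json-lib is used by:", who_uses("json-lib"))
```

The split between blocking and advisory findings is the policy decision regulators will ask about: which conditions stop a release, and which merely generate a ticket. Making that split explicit in code, rather than in a reviewer's head, is what turns a scan into an auditable control.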
31. DevSecOps
Providing safety and security for your business & customers
More reliance on 3rd party software / libraries
It’s not easy to implement
Breaches: Equifax, Marriott, Facebook, Google, etc.
Discovery of security issues / vulnerabilities before they become a business liability
Philosophical change in the SDLC
No longer an afterthought but an imperative
35. Security / Compliance was always “Someone else’s... “
Discovering security issues / threats is expensive, especially if they are found late in your SDLC
The pace of software development has increased and is still increasing
Increasing government regulations around customer data
Exploits are increasing
Vulnerabilities are increasing
36. “Organizations that had not deployed security automation experienced breach costs that were 95 percent higher than breaches at organizations with fully-deployed automation ($5.16 million average total cost of a breach without automation vs. $2.65 million for fully-deployed automation).”
37. Recap
Binary Management
Security and Vulnerability Scanning
License Compliance and Governance
Release Management
Air Gap
Developer Education
Automation