
DevSecCon London 2018: Enabling shift-left for 12k banking developers from scratch and without breaking the bank

ERNESTO BETHENCOURT
At BBVA we are developing the Bank’s next global banking platform for building, deploying and running banking services of any kind, leveraging cloud technologies. Security is one of the main components of this new platform and is expected to be self-service and easy to use. But it is not only technology we are building; it is a new culture based mainly on DevOps. So, what better opportunity to shift left and offer developers the tools they need to change their (and the security teams’) mindsets regarding security? In this talk we will walk you through the strategy we have adopted to expose security services that enable secure development while at the same time automating the security processes that security teams need. All this while trying to keep to a low budget (at least for now) by leveraging vendors and open-source solutions.

Published in: Technology

  1. LONDON 18-19 OCT 2018. Enabling shift-left for 12k banking developers from scratch and without breaking the bank. ERNESTO BETHENCOURT
  2. (no extracted text)
  3. Ernesto Bethencourt, Product Owner for Chimera
  4. (no extracted text)
  5. Source: https://www.bbva.com/en/corporate-information/the-transformation-of-bbva/
  6. *12k Developers
  7. Key Elements For This Transformation • Internal talent • End-to-end automation • DevOps “philosophy” • API and obsession to reuse • Global communities
  8. Ether is BBVA’s global banking platform, which allows developers to easily build, deploy and operate banking services of any kind by leveraging cloud. Pillars: Global Cloud Services • Automation • Open Source & Vendor decoupling • Developer centric • Hybrid cloud • Reliability / Operability
  9. (no extracted text)
  10. (no extracted text)
  11. (no extracted text)
  12. (no extracted text)
  13. What are we doing? • SECaaS, part of the New Platform • BBVA Labs Advanced Security • ACS (for Legacy Platform) • Cultural Change (Tribes/Clans)
  14. Security As A Service (SECaaS). BBVA’s SECaaS is one of the main Cloud components composing Ether. SECaaS builds on the concept that security can be provided on demand to the user. SECaaS provides security embedded by default.
  15. SECaaS Objectives for the SDLC • Early Security Feedback for Developers (Shifting Left) • Security Feedback also must be “aaS” • Automate Security Checks & Enforcement
  16. TOOLS! TOOLS EVERYWHERE! DEVELOP A PRODUCT
  17. CHIMERA
  18. Since 2016! Slides: https://www.rsaconference.com/writable/presentations/file_upload/asd-f01-security-as-a-service-in-a-financial-institution-reality-or-chimera.pdf
  19. SELF-SERVICE FOR DEV TEAMS / SERVICES FOR SECURITY TEAMS
  20. Our Vision • Abstraction of Security “Solutions” • Orchestration • Added Value. CHIMERA disclaimer: vendor logos are used as an example only; we want our developers to know Chimera, not the vendors.
  21. Our long-term “Services” proposal (diagram): In-take → Triage → Test → Deliver; DevSecOps “Foundations”: Static, Black-box, “Manual”; DevSecOps Analytics; Blue Team Services; Security Provision; DevSecOps Threat Model; Auto-Enrollment; Continuous Monitoring; Governance; Added Value Services; Continuous Feedback & Optimization
  22. Current Status (diagram): CI Pipelines (i.e. Ether Pipelines) → CHIMERA (In-take, Analytics) → Security Tools: Security Code Review, Docker Images Review, Secrets Review; tools shown: BANDIT, GECRETS
  23. For Dev Teams (diagram): CI Pipelines (i.e. Ether Pipelines) → CHIMERA (Orchestrations + Added Value) → Docker Images Review
  24. Developers can access and use this information in their pipelines and in Ether’s Console
  25. For Sec Teams (diagram): CI Pipelines (i.e. Ether Pipelines) → CHIMERA (Orchestrations) → Docker Images Review → “Security Seal”, AUTOMATIC!
  26. (no extracted text)
  27. BBVA Labs - Advanced Security Labs • “Working on how to adapt security processes from the risk analysis to the security operation in the Cloud and DevOps worlds, researching and developing concept tests that can be converted into open source tools” • Example Public Research: https://www.bbva.com/en/vulnerability-management-in-dependencies-in-ci-cd-environments-with-open-source-tools/
  28. Example of our Public Work: https://github.com/BBVA/gitsec • https://github.com/BBVA/deeptracy • https://patton-server.readthedocs.io/en/latest/
  29. Deep Tracy + Patton
  30. (no extracted text)
  31. ACS (Continuous Security Analysis) • Blue Team’s Service • BBVA’s Worldwide Service • Free for all BBVA’s projects • Manual, API and Jenkins library options for integrations • Compliance compatible for some projects • Manual results processing by a blue team member
  32. Current Process (Secure SDLC): Source Repository → Build Management → Code Analysis → Result Triage → Publish Results → Developer Feedback
  33. Culture: Tribes and Clans
  34. (no extracted text)
  35. Next Steps (2019) • Chimera Triage and DAST MVPs • Chimera – ACS Integrations • BBVA Labs Tools in Chimera • DevSecOps Ninja and TechU Tracks • Security Champions Pilot Programs
  36. (no extracted text)
  37. [https://www.bbvanexttechnologies.com/]
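The Chimera flow on slides 22 to 25 (CI pipeline results from code review, secrets review and Docker image review, normalised into one feedback stream for developers and an automatic “Security Seal” for security teams) can be sketched as a small orchestrator. This is an added example, not Chimera’s or BBVA’s code: the scanner labels, record shapes, severity policy and sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

@dataclass(frozen=True)
class Finding:
    tool: str      # hypothetical scanner label: "bandit", "secrets" or "docker-image"
    severity: str  # LOW / MEDIUM / HIGH
    location: str  # file:line, or image name for image findings
    message: str

# Constructed sample results, each in the (assumed) shape its scanner would emit.
RAW_RESULTS = {
    "bandit": [
        {"issue_severity": "HIGH", "filename": "app/db.py", "line_number": 42,
         "issue_text": "SQL query built with string formatting"},
        {"issue_severity": "LOW", "filename": "app/util.py", "line_number": 7,
         "issue_text": "assert used for input validation"},
    ],
    "secrets": [{"path": "config/settings.py", "line": 3, "kind": "cloud access key"}],
    "docker-image": [{"image": "svc:1.2", "severity": "MEDIUM", "pkg": "openssl",
                      "advisory": "PLACEHOLDER-ADVISORY-ID"}],
}

def normalize(raw):
    """Map each scanner's own record shape onto the common Finding type."""
    out = []
    for r in raw.get("bandit", []):
        out.append(Finding("bandit", r["issue_severity"],
                           f'{r["filename"]}:{r["line_number"]}', r["issue_text"]))
    for r in raw.get("secrets", []):  # policy: any committed secret is HIGH
        out.append(Finding("secrets", "HIGH", f'{r["path"]}:{r["line"]}',
                           f'{r["kind"]} committed to repository'))
    for r in raw.get("docker-image", []):
        out.append(Finding("docker-image", r["severity"], r["image"],
                           f'{r["pkg"]}: {r["advisory"]}'))
    return out

def developer_verdict(findings, block_at="HIGH"):
    """Pipeline-side feedback: fail the build and list exactly what blocks it."""
    blocking = [f for f in findings
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at]]
    return {"status": "FAIL" if blocking else "PASS", "blocking": blocking}

def security_seal(findings):
    """Security-team view: per-tool counts plus one automatic seal decision."""
    counts = {}
    for f in findings:
        counts[f.tool] = counts.get(f.tool, 0) + 1
    return {"sealed": not any(f.severity == "HIGH" for f in findings), "counts": counts}
```

The same normalised findings feed both audiences: developers get the blocking list in the pipeline, while the seal gives security teams a single decision without manual triage of every result.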
