At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions. Link: https://www.sonatype.com/uk/2019-devsecops-leadership-forum-london

1. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Enabling shift-left for 12k banking
developers from scratch and
without breaking the bank
(the remix)
ERNESTO BETHENCOURT

2. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Ernesto Bethencourt
Product Owner for Chimera

3. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

4. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Source: https://www.bbva.com/en/corporate-information/the-transformation-of-bbva/
*12k+ Developers

5. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

6. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Key Elements For This
Transformation
• Internal Development Talent
• Global communities
• DevOps “philosophy”
• API and obsession to reuse
• End-to-end automation

7. Ether is BBVA’s global banking platform, which allows developers to easily build, deploy and
operate banking services of any kind by leveraging cloud
Global Cloud Services
Automation
Open Source &
Vendor decoupling
Developer centric
Hybrid cloud
Reliability /Operability

8. DevSecOps Leadership Forum LONDON – MARCH 20th, 2019

9. DevSecOps Leadership Forum LONDON – MARCH 20th, 2019

10. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

11. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
What are we doing?
• ACS (for Legacy Platform)
• BBVA Labs Advance Security
• SECaaS, part of the New Platform
• Cultural Change (Tribes/Clans)

12. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

13. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
ACS – (Continuous Security Analysis)
• Blue Team’s Service
• BBVA’s Worldwide Service
• Free for all BBVA’s projects
• Manual, APIs and Jenkins library options for
integrations
• Regulation Compliance compatible for some projects
• Manual results processing/triage by blue team
member

14. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Current Process
Secure
SDLC
Source
Repository
Build
Management
Code
Analysis
Result
Triage
Publish
Results
Developer
Feedback

15. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

16. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
BBVA Labs - Advanced Security Labs
• “Working how to adapt security processes from the risk analysis to the
security operation in the Cloud and DevOps worlds, researching and
developing concept tests that can be converted into open source tools”
• Example Public Research:
• https://www.bbva.com/en/vulnerability-management-in-dependencies-in-ci-cd-
environments-with-open-source-tools/

17. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Example or our Public Work
https://github.com/BBVA/gitsechttps://github.com/BBVA/deeptracy https://patton-server.readthedocs.io/en/latest/

18. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

19. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Security As A Service (SECaaS)
BBVA’s SECaaS is one of the main Cloud
components composing Ether.
SECaaS builds on the concept that Security
can be provided on demand to the user
SECaaS provides a security embedded by
default.

20. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
SECaaS Objectives 4 SDLC
• Early Security Feedback for Developers
(Shifting Left)
• Security Feedback also must be “aaS”
• Automate Security Checks & Enforcement

21. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

22. TOOLS! TOOLS EVERYWHERE! DEVELOP A PRODUCT

23. CHIMERA

24. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Our Vision
• Abstraction of Security “Solutions”
• Orchestration
• Added Value
CHIMERA

25. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
In-take Triage Test Deliver
DevSecOps “Foundations”
Static Black-box “Manual”
DevSecOps
Analytics
Blue Team
Services
Security
Provision
DevSecOps
Threat Model
Auto-Enrollment
Continuous
Monitoring
Governance
Added Value
Services
Continuous Feedback
& Optimization
Our long term “Services” proposal

26. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Current Status
Available
Services
Chimera API & Front End
SecretsReview
Secure Code
Review
Docker Image
Review
Analytics
Available
“Clients”
Chimera CLI
(Linux, OSX, Windows)
Chimera Global DevTools Jenkins
SDK/lib
BBVA Ether
Global DevTool
Ecosystem

27. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Chimera DevSecOps Flow
Security
Feedback
Services
Project Creation Project
Monitoring
Project
Development
Security
Testing
Orchestration
Project
Deployment
Continuous
Monitoring
- Docker Images
- Repositories
- Review for Sensitive information in code (i.e Secrets,
Keys, etc)
- Static Code Security Review
- Docker Image Security Review
- Dependency Vulnerabilities Reviews (In development
Q1/Q2)
- Chimera Project ID
- Organization
- Description
- Name
- Country
- Users (admin+devs)
Configurations:
- CR: Scan Profile
- IR: Enforcement Policies
- IR: Seal Images + Key
- General: Samuel Notification

28. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Feedback Services General Usage Example
(Frontend)
2
3
- Get Code/Image
- Scan
- Check Results
(CLI)
1 - Request Feedback:
Project ID + info (Code/Image) + options

29. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Example 4 Devs Teams
CI Pipelines (i.e: Ether Pipelines)
Docker Images
Review
CHIMERA
Orchestrations +
Added Value

30. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Developers can access and use this
information on their pipelines and in
Ether’s Console

31. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Example 4 Sec Teams
CI Pipelines (i.e: Ether Pipelines)
Docker Images
Review
CHIMERA
“Security Seal”Orchestrations
AUTOMATIC!

32. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Culture
Tribes and Clans

33. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum

34. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Some Learnings
• Usability, specially on feedback is a must
• Different needs depending on user “maturity” or profile
• Start small, test, adapt, train, measure, increase feedback output
• Allows you to start small on licenses numbers, test your service and
increase on actual need
• Partnership with Vendors
• Work on APIs maturity, new integration models, new license models, etc
• Flexibility but with “boundaries”
• Take advantage of standardization where you can but allow or adapt for
special use cases
• Different maturity = different use case
• Automatic Security Enforcement only when you’re sure or mature
enough (or risk is to high)
• Better to detect and act later than stop Dev Teams
• Metrics and KPIs are important but be careful with using them the
wrong way

35. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum
Next Steps (during 2019)
• “Massification” and optimizations
• UX/UI improvements
• New feedback services (i.e. Open Source
Analysis)
• “Moon-shot”: Chimera Triage and DAST
Feedback MVPs
• Culture Transformation:
• DevSecOps Ninja and TechU Tracks
• Security Champions Pilot Programs

36. LONDON – MARCH 20th, 2019DevSecOps Leadership Forum