How do you get a group of developers working with modern technologies and a DevOps philosophy to let security into their day-to-day work without feeling “interrupted” or slowed down, and to adopt a “DevSecOps” culture? How do you scale security in a DevOps model without multiplying your security team by 100? How do you do it transparently and “auto-magically” for developers, while taking advantage of existing solutions, both open source and commercial?
At i4s (BBVA Group) we are building Chimera to meet these ambitious challenges, delivering a set of self-service services that developers include in their pipelines while the security areas use that same information to govern the security of the developments. All of this abstracts away specialized solutions that we can swap, complement or combine to offer the best results. Chimera is built using the same cutting-edge technologies and architectures used by the developers we are trying to protect, guaranteeing that it can scale at the same pace as the growth of the new Ether platform we are building together with BBVA.
Ernesto Bethencourt & Javier Sanz - Offering self-service security to developers to scale to a DevSecOps culture [rooted2018]
4. Exponential increase of compute, data and storage demand will severely challenge our “production model” ...
Chart notes: more and more interaction with customers, but many will not generate additional revenues. (Sources: BBVA; EFMA, “World Retail Banking Report 2015”)
5. Digital Players' operational paradigms show the way forward, though our current rate of adoption is way too slow.
(*) Illustrative proxy of productivity
6. BBVA's ability to produce what we need with our current technology narrows by the day and will become unattainable and unaffordable ...
THE GENERAL LANDSCAPE @BBVA (and in banking) ...
• Data: algorithm-based solutions
• Channels: branch, mobile, web & contact center
• Productivity: low-cost processing & automation
9. KEY ELEMENTS FOR THIS TRANSFORMATION
• Internal talent (few good people …)
• End-to-end automation
• DevOps “philosophy” (NoOps …)
• API and obsession to reuse
• Global communities
10. WE ARE BUILDING ETHER
Ether is BBVA’s global banking platform, which allows developers to easily build, deploy and operate banking services of any kind by leveraging cloud.
• Global Cloud Services
• Automation
• Open Source & vendor decoupling
• Developer centric
• Hybrid cloud
• Reliability / Operability
13. SECURITY AS A SERVICE (SECaaS)
BBVA’s SECaaS is one of the main Cloud components composing Ether. SECaaS builds on the concept that security can be provided on demand to the user, regardless of the geographic or organizational separation between provider and consumer. SECaaS provides security embedded by default.
14. SECaaS OBJECTIVES 4 SDLC
• Early Security Feedback for Developers
• Shifting Left
• Add Value to selected tools
• Security also must be “aaS”
17. Great Developer Ecosystem… in a “Continuously integrated” Global Cloud Platform
12k developers (?) working on a common “Cloud Age” development ecosystem: Ether
20. SHIFT LEFT, DEVSECOPS, SECDEVOPS, RUGGED, ETC
• OWASP AppSec Pipeline Project: an OWASP project that is a place to gather together information, techniques and tools to create your own AppSec Pipeline. AppSec Pipelines take the principles of DevOps and Lean and apply them to an application security program.
• DevSecOps.org: an initiative funded by security that proposes that security should be delivered as code.
• Grafeas.io: a Google project; Grafeas is an open artifact metadata API to audit and govern your software supply chain.
30. 4 DEVELOPMENT TEAMS
Developers can access and use this information in their pipelines and, in the near future, on Ether’s Console.
31. 4 SECURITY TEAMS
Flow shown on the slide: CI pipelines (i.e. Ether Pipelines) → Docker image review → CHIMERA “Security Seal” (orchestration + added value). AUTOMATIC!
32. 4 SECURITY TEAMS
“Security Seal”
● “Distributed” model (Chimera doesn’t need to be online/reachable)
○ We also have the “centralized” model (API - PIP)
● The security seal is a JWT ← standardization
● We use Artifactory’s “property” fields
● The Docker Image ID is used for the JWT sub claim
● Known JWT “insecurities” are mitigated correctly
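The slide describes the seal only at this level of detail; the following is an added illustration of the scheme, not Chimera's code: an HMAC-signed JWT whose sub claim is the Docker image ID, and a verifier that mitigates the usual JWT weaknesses by pinning the algorithm (rejecting alg=none and algorithm switching), comparing the signature in constant time, and checking iss, exp and that sub matches the image being deployed. The key, the issuer name and the claim layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the talk): a key shared by the issuer (Chimera)
# and the pipeline step that checks the seal, plus an assumed issuer name.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "chimera"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_seal(image_id, scan, ttl=86400, now=None):
    """Mint a seal for one Docker image: the image ID becomes the JWT 'sub' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": image_id, "iat": now, "exp": now + ttl, "scan": scan}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    sig = hmac.new(SEAL_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_seal(token, expected_image_id, now=None):
    """Return the seal's payload if it is valid for this image ID, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload, sig = json.loads(unb64url(h64)), json.loads(unb64url(p64)), unb64url(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # pinned: rejects alg=none and algorithm switching
        return None
    expected = hmac.new(SEAL_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare; catches any tampering
        return None
    # Bind the seal to the image being deployed and to this issuer; reject expired seals.
    if payload.get("iss") != ISSUER or payload.get("sub") != expected_image_id:
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload
```

In the distributed model the seal would be stored as an Artifactory property on the image and checked by the pipeline with only the key and the image ID, without reaching Chimera.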