Better Governance
Banking on Continuous Delivery
Tapabrata “Topo” Pal
Sr. Director &
Sr. Engineering Fellow
tapabrata.pal@capitalone.com
@TopoPal
Jennifer Brady
Director, Technology Governance
jennifer.brady@capitalone.com
Jennifer Brady:
• Former Audit Director
• Current IT Governance Director
• Responsible for both a control automation and data analytics team
• Works with Data Scientists, Data Engineers, and Developers

Tapabrata “Topo” Pal:
• Developer
• DevOps Evangelist
• Product Manager of Shared Continuous Delivery Tools Platform
• Creator and core contributor of Hygieia DevOps Dashboard
Capital One
• Millions of accounts
• One of the largest Digital Banks
• #1 in Information Week’s Elite 100
• ~20 years old
Different DNA
• Build our own software
• Build on public cloud
• MicroServices
• Open Source
• Continuous Delivery
https://github.com/capitalone
25 Projects
109 developers
12 teams
5 Year Journey (from → to)
• Waterfall → Agile
• Manual Build → Automated Build
• Manual Deployment → Automated Deployment
• Manual Test → Automated Test
• Data Center → Public Cloud
• Closed Source First → Open Source First
• Mostly Out-Sourced → Mostly In-Sourced
• Vertical Silos (Dev, Ops, QA, RM) → Product Team (Engineers)
5 Year Journey
• DOES 2014: Building out automation steps
• DOES 2015: Scaling DevOps, Open Source, Cloud, Innovation
• DOES 2016: Measure, Improve, Mature
2017 and beyond
• #SlayTheMonolith
• #NoFearRelease
• #YouBuildItYouOwnIt
#YouBuildItYouOwnIt
• YOU Coded It, YOU Build It
• YOU Built It, YOU Test It
• YOU Tested It, YOU Deploy It
• YOU Deployed It, YOU Own It
#NoFearRelease
• Fear of speed
• Fear of breakdown
• Fear of being out of control
• Fear of being non-compliant
We want this…
And not this…
Safety in Continuous Delivery
Former Auditor’s Perspective
Welcome to the Wild West
(Image credit: http://www.freepik.com, designed by Freepik)
And at Capital One…
Image Credit: http://dkcoin8.com
Compliance
Governance
Compliance vs Governance
Compliance = Checking the box
Governance = Awareness of and active management of risk
Three Lines of Defense
• 1st Line: Owns the Risk
• 2nd Line: Sets Policy, Monitors the Risk
• 3rd Line: Independent Assurance
What is the Developer’s Role in Governance?
• Awareness
• Risk mitigation
• Follow control best practices
Why Controls?
• Controls are there to protect you and the company
• Provide assurance around financial reporting
• Provide comfort to investors
“Uncontrolled variation is the enemy of quality”
Minimum Set of Controls
• Two Sets of Eyes
• Least Privilege
• Unauthorized Change Monitoring
Automation is easy, almost, such as…
• Build on every commit
• Static code analysis on every build
• Scanning for open source vulnerabilities
• Static security scan
• Automated tests
• …
Biggest hurdle
Ensure that a single developer cannot make changes to production while bypassing all controls
Options
• Separate team managing the pipeline
• Separate team just to perform production deployment
• Hire professional “button pushers”
Assumptions
• Enough “button pushers” available
• They cannot code
• Cannot train them to do anything else
• But, they should know if it is okay to push the button
“The secret of change is to focus all your energy not on fighting the old but on building the new”
Clean Room
A clean room or cleanroom is an environment, typically
used in manufacturing, including of pharmaceutical
products or scientific research, as well as semiconductor
engineering applications with a lower level of
environmental pollution such as dusts, airborne microbes,
aerosol particles and chemical vapors.
https://en.wikipedia.org/wiki/Cleanroom
Software Delivery Clean Room
• All product pipelines are identified and registered
• Everything is under source control
• Every change is peer-reviewed
• Production changes occur only via code changes
• Nobody has access to production servers
• Every code change goes through various levels of testing and scanning
• Pipeline stops or alerts if things fail
• Evidence is captured and evaluated in near real time
• Evidence is analyzed for discrepancies
Software Delivery Clean Room: controls by pipeline stage (reconstructed from the slide diagram, which spans the Development, Test, Implementation, Release and Monitoring phases)

1. Source Control
  1.1 Application code source controlled, enforcing no direct commits to master/release without peer review
  1.2 Infrastructure code source controlled, enforcing no direct commits to master/release without peer review
2. Build
  2.1 All changes to pipeline code (build/deploy job scripts) must be recorded and peer reviewed
3. Binary Repository and Application Versioning
  3.1 No direct access to the binary artifact
4. Quality Checks
  4.1 Build will be successful only if it passes static code analysis
  4.2 Static code analysis configuration is reviewed by the team and approved by the PO
  4.3 Every testable story must have a corresponding test case/scenario/step (functional tests traceable to the story)
  4.4 Test code source controlled, enforcing peer review and disallowing direct commits
  4.5 Test automation job configuration peer reviewed and source controlled
  4.6 A core set of test cases that are considered critical (e.g. regression testing of critical business transactions) must meet the passing threshold defined by the team lead
  4.7 Performance test results must meet the passing threshold defined by the team lead
  4.8 Must not use production raw data for testing
5. Security Checks
  5.1 Static security scan/testing results are reviewed and approved by the PO or Tech lead for app code
  5.2 Infrastructure code security scan/testing results are reviewed and approved by the PO or Test lead
  5.3 Open source security testing (build artifact has ONLY approved libraries)
  5.4 Secret key management
  5.5 App dynamic security scan/testing results are reviewed and approved by the PO/Tech lead
6. Deployment
  6.1 Prod/non-prod deployment scripts/configurations tested by the team
  6.2 Prod deployments and test results (UAT/exploratory) must be approved by the PO/Tech lead
  6.3 Automated rollback process for production deployment must be tested in prod and non-prod
  6.4 Must not have any connectivity or access between prod and non-prod environments
7. Support
  7.1 Developers will not have write access in prod
  7.2 Separation between dev/test and prod environments enforced with access controls
Result
Metric                                              2016    2017
Products deploying multiple times a day             ~20     ~300
Average deployments per day                         ~1      ~4
Max deployments for a product in a single day       ~30     ~50
Automating Clean Room Monitoring
Audit API
https://github.com/capitalone/Hygieia/tree/master/api-audit
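As an added illustration of what an automated clean-room monitor evaluates (example code written for this page, not Capital One's code and not Hygieia's api-audit), the script below replays constructed pipeline evidence against controls 1.1/2.1, 3.1 and 7.1 from the diagram and reports every breach. The record shapes, the pipeline paths and the `svc-pipeline` account name are assumptions made for the example.

```python
"""Clean-room evidence audit: an added, self-contained example (not Capital One's
code and not Hygieia's api-audit).  It replays constructed pipeline evidence
against four of the controls on the slide diagram and reports every breach:
  1.1/2.1  no commit reaches master without review by a second person
  3.1      a deployed artifact must be one the build stage actually produced
  7.1      developers do not deploy to prod; only the pipeline account does
The record shapes below are assumptions made for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    pr: Optional[int]                # None means it was pushed straight to master
    approvers: Tuple[str, ...] = ()  # who approved the pull request
    files: Tuple[str, ...] = ()      # paths touched by the commit


@dataclass(frozen=True)
class Build:
    sha: str        # commit the pipeline built
    artifact: str   # digest of the artifact it produced


@dataclass(frozen=True)
class Deployment:
    env: str
    artifact: str
    deployed_by: str


# Assumed conventions: pipeline code lives under these paths, and only the
# CI service account may deploy to prod.
PIPELINE_PATHS = ("Jenkinsfile", "pipeline/", "deploy/")
PIPELINE_ACCOUNTS = frozenset({"svc-pipeline"})

Finding = Tuple[str, str, str]   # (control id, subject, explanation)


def audit(commits: List[Commit], builds: List[Build],
          deployments: List[Deployment]) -> List[Finding]:
    """Return one finding per control breach found in the evidence."""
    findings: List[Finding] = []
    for c in commits:
        # A change to build/deploy scripts falls under 2.1, anything else under 1.1.
        control = "2.1" if any(f.startswith(PIPELINE_PATHS) for f in c.files) else "1.1"
        if c.pr is None:
            findings.append((control, c.sha, "direct commit to master"))
        elif not any(a != c.author for a in c.approvers):
            # Two sets of eyes: approving your own PR is not a review.
            findings.append((control, c.sha, "no approval by a second person"))
    produced = {b.artifact for b in builds}
    for d in deployments:
        if d.artifact not in produced:
            findings.append(("3.1", d.artifact,
                             f"{d.env} deployment not traceable to a pipeline build"))
        if d.env == "prod" and d.deployed_by not in PIPELINE_ACCOUNTS:
            findings.append(("7.1", d.artifact,
                             f"prod deployment performed by {d.deployed_by}"))
    return findings


# Constructed sample evidence (not real data).
SAMPLE_COMMITS = [
    Commit("a1f3", "alice", pr=41, approvers=("bob",)),          # clean
    Commit("b2e4", "bob", pr=42, approvers=("bob",)),            # self-approved
    Commit("c3d5", "carol", pr=None),                            # direct push
    Commit("d4c6", "dave", pr=None, files=("deploy/prod.sh",)),  # direct push to pipeline code
]
SAMPLE_BUILDS = [Build("a1f3", "sha256:aaa"), Build("d4c6", "sha256:ddd")]
SAMPLE_DEPLOYMENTS = [
    Deployment("prod", "sha256:aaa", "svc-pipeline"),  # clean
    Deployment("prod", "sha256:fff", "carol"),         # unknown artifact, human deployer
    Deployment("qa", "sha256:ddd", "dave"),            # non-prod, allowed
]


def sample_findings() -> List[Finding]:
    return audit(SAMPLE_COMMITS, SAMPLE_BUILDS, SAMPLE_DEPLOYMENTS)


if __name__ == "__main__":
    for control, subject, why in sample_findings():
        print(f"control {control} breached by {subject}: {why}")
```

Each finding names the control it maps to, so the same output can feed the "Unauthorized Change Monitoring" control directly rather than a separate manual review.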
Are you well managed if you are doing Continuous Delivery?
Are you well managed if you are not doing Continuous Delivery?
Thank You!


  • 1. Better Governance Banking on Continuous Delivery
  • 2. Tapabrata “Topo” Pal Sr. Director & Sr. Engineering Fellow tapabrata.pal@capitalone.com @TopoPal Jennifer Brady Director, Technology Governance jennifer.brady@capitalone.com ! Former Audit Director ! Current IT Governance Director ! Responsible for both a control automation and data analytics team ! Work with Data Scientists, Data Engineers, and Developers ! Developer ! DevOps Evangelist ! Product Manager of Shared Continuous Delivery Tools Platform ! Creator and core contributor of Hygieia DevOps Dashboard
  • 3. Capital One ! Millions of accounts ! One of the largest Digital Banks ! #1 Information Week’s Elite 100 ! ~ 20 years old
  • 4. Different DNA ! Build our own software ! Build on public cloud ! MicroServices ! Open Source ! Continuous Delivery
  • 5.
  • 7. • Waterfall • Manual Build • Manual Deployment • Manual Test • Data Center • Closed Source First • Agile • Automated Build • Automated Deployment • Automated Test • Public Cloud • Open Source First 5 Year Journey
  • 8. Mostly Out-Sourced Mostly In-Sourced Vertical Silos Product Team Dev, Ops, QA, RM Engineers 5 Year Journey
  • 9. ! DOES 2014 Building out Automation steps ! DOES 2015 Scaling DevOps, Open Source, Cloud, Innovation ! DOES 2016 Measure, Improve, Mature
  • 10. 2017 and beyond ! #SlayTheMonolith ! #NoFearRelease ! #YouBuildItYouOwnIt
  • 11. #YouBuildItYouOwnIt ! YOU Coded It, YOU Build It ! YOU Built It, YOU Test It ! YOU Tested It, You Deploy It ! YOU Deployed It, YOU Own It
  • 12. #NoFearRelease ! Fear of speed ! Fear of breakdown ! Fear of being out of control ! Fear of being non-compliant
  • 16. Former Auditor’s Perspective Welcome to the Wild West Image Credit http://www.freepik.com Designed by Freepik
  • 17. And at Capital One… Image Credit: http://dkcoin8.com
  • 20. Compliance vs Governance Compliance = Checking the box Governance = Awareness of and active management of risk
  • 21. Three Lines of Defense ! 1st Line : Who Owns the Risk ! 2nd Line: Sets Policy, Monitors the Risk ! 3rd Line: Independent Assurance
  • 22. What is the Developer’s Role in Governance? ! Awareness ! Risk mitigation ! Follow control best practices
  • 23. Why Controls? ! Controls are there to protect you and the company ! Provide assurance around financial reporting ! Provide comfort to investors
  • 24. “Uncontrolled variation is the enemy of quality”
  • 25. Minimum Set of Controls ! Two Sets of Eyes ! Least Privilege ! Unauthorized Change Monitoring
  • 26. Automation is easy, almost, such as… ! Build on every commit ! Static code analysis on every build ! Scanning for open source vulnerability ! Static security scan ! Automated tests ! ….
  • 27. Biggest hurdle: ensure that a single developer cannot make changes to production, bypassing all controls
  • 28. Options ! Separate team managing pipeline ! Separate team just to perform production deployment ! Hire professional “button pushers”
  • 29. Assumptions ! Enough “button pushers” available ! They cannot code ! Cannot train them to do anything else ! But, they should know if it is okay to push the button
  • 30.
  • 31. “The secret of change is to focus all your energy not on fighting the old but on building the new”
  • 32. Clean Room A clean room or cleanroom is an environment, typically used in manufacturing, including of pharmaceutical products or scientific research, as well as semiconductor engineering applications with a lower level of environmental pollution such as dusts, airborne microbes, aerosol particles and chemical vapors. https://en.wikipedia.org/wiki/Cleanroom
  • 33. Software Delivery Clean Room ! All product pipelines are identified and registered ! Everything is under source control ! Every change is peer-reviewed ! Production changes occur only via code changes ! Nobody has access to production servers ! Every code change goes through various levels of testing and scanning ! Pipeline stops or alerts if things fail ! Evidence is captured and evaluated in near real time ! Evidence is analyzed for discrepancies
  • 34. Software Delivery Clean Room: control matrix across the Development, Test, Implementation, Release and Monitoring stages
    1 Source Control
      1.1 Application code source controlled, enforcing no direct commits to master/release without peer review
      1.2 Infrastructure code source controlled, enforcing no direct commits to master/release without peer review
    2 Build
      2.1 All changes to pipeline code (build/deploy job scripts) must be recorded and peer reviewed
    3 Binary Repository and Application Versioning
      3.1 No direct access to the binary artifact
    4 Quality Checks
      4.1 Build will be successful only if it passes static code analysis
      4.2 Static code analysis configuration is reviewed by the team and approved by PO
      4.3 Every testable story must have a corresponding test case/scenario/step (functional tests traceable to story)
      4.4 Test code source controlled, enforcing peer review and disallowing direct commits
      4.5 Test automation job configuration peer reviewed and source controlled
      4.6 A core set of test cases considered critical (e.g. regression testing of critical business transactions) must meet the passing threshold defined by the team lead
      4.7 Performance test results must meet the passing threshold defined by the team lead
      4.8 Must not use production raw data for testing
    5 Security Checks
      5.1 Static security scan/testing results are reviewed and approved by the PO or Tech lead for application code
      5.2 Security scan/testing results for infrastructure code are reviewed and approved by the PO or Test lead
      5.3 Open source security testing (build artifact has ONLY approved libraries)
      5.4 Secret key management
      5.5 Application dynamic security scan/testing results are reviewed and approved by the PO/Tech lead
    6 Deployment
      6.1 Prod/non-prod deployment scripts/configurations tested by the team
      6.2 Prod deployments and test results (UAT/Exploratory) must be approved by PO/Tech lead
      6.3 Automated rollback process for production deployment must be tested in prod and non-prod
      6.4 Must not have any connectivity or access between prod and non-prod environments
    7 Support
      7.1 Developers will not have write access in PROD
      7.2 Separation between dev/test and prod environments enforced with access controls
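The minimum set of controls on slide 25 (two sets of eyes, least privilege, unauthorized change monitoring) and the clean-room control matrix on slides 33 and 34 are expressed as checks a pipeline can evaluate against captured evidence. The following is an added illustration written for this page, not Capital One's or Hygieia's code: it evaluates constructed commit, build and deployment records against controls 1.1, 4.1, 6.2 and 7.1 plus a traceability check standing in for unauthorized change monitoring. The record fields, the `pipeline-svc` deployment identity, the approver set and all sample data are assumptions.

```python
# Added example: evaluating "clean room" pipeline evidence against a few of the
# controls named on the slides. Illustrative code for this page, not Capital
# One's or Hygieia's implementation; fields, account names and sample data are
# assumptions modelled on the slide text.
from dataclasses import dataclass
from typing import Dict, List, Set

PIPELINE_ACCOUNT = "pipeline-svc"          # assumed service identity that deploys
PROTECTED_BRANCHES = {"master", "release"}  # branches covered by control 1.1

@dataclass
class Commit:
    sha: str
    author: str
    branch: str
    reviewers: List[str]  # who approved the pull request that merged this commit

@dataclass
class Build:
    id: str
    commit_sha: str
    succeeded: bool
    static_analysis_passed: bool

@dataclass
class Deployment:
    environment: str
    build_id: str
    deployer: str
    approved_by: List[str]

@dataclass
class Finding:
    control: str
    subject: str
    detail: str

def audit(commits: List[Commit], builds: List[Build],
          deployments: List[Deployment], approvers: Set[str]) -> List[Finding]:
    """Return one Finding per control violation present in the evidence."""
    findings: List[Finding] = []
    builds_by_id: Dict[str, Build] = {b.id: b for b in builds}
    # 1.1: no direct commits to master/release without peer review. A "peer"
    # is a reviewer other than the author, i.e. two sets of eyes.
    for c in commits:
        if c.branch in PROTECTED_BRANCHES and not any(r != c.author for r in c.reviewers):
            findings.append(Finding("1.1", c.sha,
                f"merged to {c.branch} by {c.author} with no independent reviewer"))
    # 4.1: a build may only succeed if it passed static code analysis.
    for b in builds:
        if b.succeeded and not b.static_analysis_passed:
            findings.append(Finding("4.1", b.id,
                "build marked successful although static analysis failed"))
    for d in deployments:
        if d.environment != "prod":
            continue
        # Unauthorized change monitoring: every production deployment must trace
        # back to an artifact the pipeline actually built.
        if d.build_id not in builds_by_id:
            findings.append(Finding("unauthorized-change", d.build_id,
                "production deployment of a build the pipeline never produced"))
            continue
        # 6.2: production deployments approved by the PO or Tech lead.
        if not any(a in approvers for a in d.approved_by):
            findings.append(Finding("6.2", d.build_id,
                "production deployment without PO/Tech lead approval"))
        # 7.1: developers have no write access in prod, so only the pipeline
        # identity may perform the deployment (least privilege).
        if d.deployer != PIPELINE_ACCOUNT:
            findings.append(Finding("7.1", d.build_id,
                f"production deployment performed by human account {d.deployer}"))
    return findings

# Constructed sample evidence, with one deliberate violation per check.
SAMPLE_COMMITS = [
    Commit("c1", "alice", "master", ["bob"]),
    Commit("c2", "carol", "master", ["carol"]),  # self-approved: violates 1.1
    Commit("c3", "dave", "feature/x", []),       # feature branch: out of scope
]
SAMPLE_BUILDS = [
    Build("b1", "c1", succeeded=True, static_analysis_passed=True),
    Build("b2", "c2", succeeded=True, static_analysis_passed=False),  # violates 4.1
]
SAMPLE_DEPLOYMENTS = [
    Deployment("prod", "b1", PIPELINE_ACCOUNT, ["dana"]),
    Deployment("qa", "b2", PIPELINE_ACCOUNT, []),          # non-prod: out of scope
    Deployment("prod", "b2", "carol", []),                 # violates 6.2 and 7.1
    Deployment("prod", "b9", PIPELINE_ACCOUNT, ["dana"]),  # build never produced
]
SAMPLE_APPROVERS = {"dana"}  # assumed product owner

def run_sample() -> List[Finding]:
    return audit(SAMPLE_COMMITS, SAMPLE_BUILDS, SAMPLE_DEPLOYMENTS, SAMPLE_APPROVERS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Run as a script it prints five findings for the constructed data: the self-approved merge, the build that passed despite failed static analysis, the unapproved human deployment (flagged under both 6.2 and 7.1) and the deployment of an artifact the pipeline never built. In a real pipeline these records would come from the source control, build and deployment tools, and a non-empty result would stop the pipeline or raise an alert, matching the "pipeline stops or alerts if things fail" item on slide 33.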
  • 35. @TopoPal Result
    Metric: 2016 / 2017
    # Products deploying multiple times a day: ~20 / ~300
    Average #deployments per day: ~1 / ~4
    Max #deployments for a product in a single day: ~30 / ~50
  • 36. Automating Clean Room Monitoring Audit API https://github.com/capitalone/Hygieia/tree/master/api-audit
  • 37. Are you well managed if you are doing Continuous Delivery?
  • 38. Are you well managed if you are not doing Continuous Delivery?