SlideShare a Scribd company logo

Continuous Delivery in a Legacy Shop - One Step at a Time

Coveros, Inc.
Coveros, Inc.

Not every continuous delivery (CD) initiative starts with someone saying “Drop everything. We’re going to do DevOps.” Sometimes, you have to grow your process incrementally. And sometimes you don’t set out to grow at all—you are just fixing problems with your process, trying to make things better. Gene Gotimer discusses techniques and the chain of tools he has used to bring a DevOps mindset and CD practices into a legacy environment. Gene discusses how his team started fixing problems and making process improvements in development. From there, they tackled one problem after another, each time making the release a little better and a little less risky. They incrementally brought their practices through other environments until the project was confidently delivering working and tested releases every two weeks. Gene shares their journey and the tools they used to build quality into the product, the releases, and the release process.

Software
1 of 39
Download to read offline
© Copyright 2015 Coveros, Inc. All rights reserved. Continuous Delivery in a Legacy Shop - One Step at a Time Gene Gotimer gene.gotimer@coveros.com Senior Architect @CoverosGene
2© Copyright 2015 Coveros, Inc. All rights reserved.  Coveros builds security-critical applications using agile methods.  Coveros Services – Agile transformations – Agile development and testing – DevOps and continuous integration – Application security analysis  Agile & Security training  Government qualifications – DCAA approved rates and accounting – TS facility clearance About Coveros Areas of Expertise
3© Copyright 2015 Coveros, Inc. All rights reserved. Selected Clients
4© Copyright 2015 Coveros, Inc. All rights reserved. The Problem
5© Copyright 2015 Coveros, Inc. All rights reserved. The Project  COTS product integration for DoD – custom Python glue  Barely starting Agile – Daily Stand-ups (really daily status calls) – 2-week Sprints – Good, pruned backlog – No automated testing – No unit tests – No continuous integration  Releases every 6 months or so – Freeze 2-4 weeks in advance – Deploy Friday evening to Sunday afternoon – Repair broken functionality Monday and Tuesday (and on)
6© Copyright 2015 Coveros, Inc. All rights reserved. The Delivery Team  Development – Local – 2 Developers – 1 Business Analyst – 1 Project Manager  Test and Integration – Remote – 4-6 Testers – 4-6 Integrators (including security experts) – 1 Information Assurance  Off-team – Systems Administrators, hardware and software
7© Copyright 2015 Coveros, Inc. All rights reserved. The Problem “But it works on my machine!”
8© Copyright 2015 Coveros, Inc. All rights reserved. The Problem “But it works on my machine!” = High risk deploys
9© Copyright 2015 Coveros, Inc. All rights reserved. DevOps is…
10© Copyright 2015 Coveros, Inc. All rights reserved. One Single Line of Code “How long would it take your organization to deploy a change that involves just one single line of code? Do you do this on a repeatable, reliable basis?” -- Mary and Tom Poppendieck Implementing Lean Software Development: From Concept to Cash
11© Copyright 2015 Coveros, Inc. All rights reserved. Everybody is Responsible for Delivery “The goal of DevOps is not just to increase the rate of change, but to successfully deploy features into production without causing chaos and disrupting other services, while quickly detecting and correcting incidents when they occur.” -- Gene Kim, Author of The Phoenix Project
12© Copyright 2015 Coveros, Inc. All rights reserved. Continuous Delivery  Make releasing a business decision, not a technical decision  High-confidence releases – Small releases – Fully tested – No expectation of problems  Hotfix releases – Possible – No more than moderate risk – No more than moderate coordination  Continuous Deployment was not a goal
13© Copyright 2015 Coveros, Inc. All rights reserved. The Approach
14© Copyright 2015 Coveros, Inc. All rights reserved. The Approach  Started with things that were in our control – Dev and Test environments – Development process  Make changes behind the scenes – Free/open source tools – Easy to integrate into our CI system – Small changes  Disclose the changes when there was a win – Highlight ease of use – Use as justification for higher environments
15© Copyright 2015 Coveros, Inc. All rights reserved. The Journey
16© Copyright 2015 Coveros, Inc. All rights reserved. 1: Continuous Integration  Trouble explaining “integration” – between two or more developers – not between systems  Just brought in SecureCI and wired to the ALM tool we had – Jenkins (Hudson at the time) – Nexus – SonarQube (Sonar at the time) – Automated builds  Ant, Maven  PMD, FindBugs, Checkstyle  Cobertura  Later added Python tools  Explained the advantages later
17© Copyright 2015 Coveros, Inc. All rights reserved. 2: Functional Testing  Functional testing was done manually – from a script written in Microsoft Word  We waited a year before staging a coup – we didn’t want to encroach on their domain  Demo of Selenium – demonstrated record-and-playback through the Selenium IDE – we recorded the first set of tests – turned it back over to the test team  They argued later that automated testing was ineffective – the automated script (singular) only worked one time, then needed to be re-recorded when any changes got made to the app
18© Copyright 2015 Coveros, Inc. All rights reserved. 2: Functional Testing  We took it back  Rewrote existing tests in Java  Showed our business analyst how to clone-and-mutate the Java tests  Started with JUnit, but went to TestNG – better tagging and parameterization – pre-test run initialization  Since it was COTS, focused on testing system interfaces, not application functionality  Also began testing user roles – Security testing = what can this type of user NOT do
19© Copyright 2015 Coveros, Inc. All rights reserved. Continuous Delivery  Project Manager came across the book in a book store  Everything made so much sense  Logical extension of what we were trying to do  Addressed a lot of the issues we were running into  No money or time for an effort, so we adopted it as our long-term goal
20© Copyright 2015 Coveros, Inc. All rights reserved. 3: Automated Deploys  Started with automating a Drupal web server install – new system, not yet in production – database server was easy, so we skipped it for now  Then automated the manual COTS install  Then started reverse engineering the broken COTS installer  Down the road, realized we could “Automate Everything”  No Puppet Enterprise Server – just manually ran puppet apply from the command line – every system (DB, Web server, SVN server, ALM tool) used the same puppet apply command
21© Copyright 2015 Coveros, Inc. All rights reserved. 4: Security Testing  Tested Security Blanket (now by Raytheon) – couldn’t get it purchased  We knew it couldn’t replace the “official” testing – plus, didn’t want to encroach on their domain  Knew we had some good basis in our CI, static analysis, and user role testing  Wanted a security scanner – at the time, none worked with client certificates out of the box  Found w3af – Python – customizable – client certificate support was there, but not exposed – handed it over to the “experts” on the integration team
22© Copyright 2015 Coveros, Inc. All rights reserved. 4: Security Testing Found 0 vulnerabilities! Perfectly secure! Yeah!
23© Copyright 2015 Coveros, Inc. All rights reserved. 4: Security Testing  Never got past the login screen  But didn’t start at the beginning, so they even missed a XSS bug on the home page  Never read the output or log  So we took it back – Eventually had problems getting customized w3af to work properly – Switched to OWASP ZAP, run manually  Security team focused on STIG and SELinux – that was their expertise anyway
24© Copyright 2015 Coveros, Inc. All rights reserved. 4+: Security Testing  Over a few days, implemented OpenSCAP in Jenkins for STIG checks – immediately found issues – started adding Puppet manifests for remediation  Started using Nikto2 for web server scanning – immediately found issues  Started running weekly scans of dev and test using OpenVAS (Nessus fork) – no immediate issues, but started seeing package security updates before they became IAVMs  Discovered SELinux was in permissive mode – had never been in enforcing
25© Copyright 2015 Coveros, Inc. All rights reserved. 5: Performance  Reconfiguring database server – we thought it was getting slower  Added JMeter to measure a baseline  Took rough breakdown of most common queries  Repeated as a 15-minute test  Monitored trend  Added similar testing to functional tests, another 15 mins  Also, number of functional tests was growing slowly  Watched functional test elapsed time as rough guide
26© Copyright 2015 Coveros, Inc. All rights reserved. 6: Culture Clash  Continuous Delivery was being openly discussed – PMO had just started thinking of it as a clear plan – Kept asking when “continuous delivery” would be delivered, and how it would be packaged  Test and Integration started complaining – 3½ of us were pushing the 12+ of them too hard – moving too fast – not a risk or control complaint, merely effort  People on test and integration team started leaving – including “Burt”
27© Copyright 2015 Coveros, Inc. All rights reserved. The Results
28© Copyright 2015 Coveros, Inc. All rights reserved. Contract Renewal Time  Test and Integration decided not to renew – all remaining personnel ended project with a month  Security issue found the following week – deployed 3 days later  Went back to 2-week deploy cycles, sometimes faster  Left 3 people on development team – One went back to take over for the test and integration team as hands-on-keyboard – BA left project and another came in ½ time for testing  Dropped into maintenance mode
29© Copyright 2015 Coveros, Inc. All rights reserved. The Delivery Team  Development – Local – 1 Developer – 1 Release Manager – ½ time Tester  Test and Integration – Remote – 1 Information Assurance  Off-team – Systems Administrators, hardware and software
30© Copyright 2015 Coveros, Inc. All rights reserved. The Project  Barely Agile – Maintenance only – Kanban-ish, tracking WIP – Daily Stand-ups (really daily status calls) – 2-week Sprints  Releases prepared every 2 weeks – Soft freeze Thursday for Friday release – Deploy Friday evening – 100% working functionality Friday evening – Non-event  Configuration parameters – from 200+ untracked values – to ~30 Hiera-controlled values  Biggest coordination issue: 72 hours for user messaging  Biggest time consumer: 3-6 hours for VM clones
31© Copyright 2015 Coveros, Inc. All rights reserved. My Advice
32© Copyright 2015 Coveros, Inc. All rights reserved. My Advice  DO NOT DO DEVOPS or CD! – At least, don’t set out with a goal to do DevOps or Continuous Delivery  Set out to – remove road blocks and bottlenecks – fix quality issues – be more responsive to change – etc.  Incremental adoption – less culture shock – more visible and concrete benefits sooner  As you get closer to having a repeatable, reliable process for delivering software, CD will “magically” happen
33© Copyright 2015 Coveros, Inc. All rights reserved. My Advice  Read Continuous Delivery and The Phoenix Project
34© Copyright 2015 Coveros, Inc. All rights reserved. Missed Opportunities
35© Copyright 2015 Coveros, Inc. All rights reserved. Missed Opportunities  Automated deploys – more valuable than just reducing risk  Vagrant  Some security scanning earlier – can’t assume someone else is doing it  Some performance testing earlier  We relied on client-side certificates for authentication – EJBCA should have been set up immediately  Upgrades are a huge time sink – components, libraries, applications, system software – add tools to track it as early as possible
36© Copyright 2015 Coveros, Inc. All rights reserved. The Tool Chain
37© Copyright 2015 Coveros, Inc. All rights reserved. The Tool Chain  Jenkins  Puppet (no Puppet Enterprise) – 2 puppet apply commands per server  one --noop for system audit  one for deploy  Security – OpenSCAP (every deploy, minutes) – OpenVAS (every weekend, hours)  included Nikto2  used Kali Linux – OWASP Dependency Check (on-demand, many minutes) – OWASP Zed Attack Proxy (on-demand, few days) – Full role-based Selenium test coverage (every deploy, overnight)  10k+ Selenium tests, TestNG parameterized
38© Copyright 2015 Coveros, Inc. All rights reserved. The Tool Chain  Testing – TestNG for Java unit tests – Nose for Python unit tests – Mockito/Mockito for Python  JMeter – for some representative performance tests  Static Analysis – Java  PMD  FindBugs  Checkstyle  Cobertura  SonarQube – Python  Pylint  coverage.py
39© Copyright 2015 Coveros, Inc. All rights reserved. Questions? Gene Gotimer gene.gotimer@coveros.com @CoverosGene

Recommended

DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
Arjun Comar
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missing
Gene Gotimer
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Sauce Labs
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CI
Coveros, Inc.
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
Gene Gotimer
 
Create Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and PuppetCreate Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and Puppet
Gene Gotimer
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
Coveros, Inc.
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 

Recommended

DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
Arjun Comar
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missing
Gene Gotimer
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Sauce Labs
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CI
Coveros, Inc.
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
Gene Gotimer
 
Create Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and PuppetCreate Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and Puppet
Gene Gotimer
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
Coveros, Inc.
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Continuous Testing and New Tools for Automation - Presentation from StarWest ...
Continuous Testing and New Tools for Automation - Presentation from StarWest ...Continuous Testing and New Tools for Automation - Presentation from StarWest ...
Continuous Testing and New Tools for Automation - Presentation from StarWest ...
Sauce Labs
 
10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration
Coveros, Inc.
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
Gene Kim
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
Knoldus Inc.
 
Standardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins TeamStandardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins Team
Deborah Schalm
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps JourneyCI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
DevOps.com
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Test parallelization using Jenkins
Test parallelization using JenkinsTest parallelization using Jenkins
Test parallelization using Jenkins
Rogue Wave Software
 
Jenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous DeliveryJenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous Delivery
Virendra Bhalothia
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
Rogue Wave Software
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
Amazon Web Services
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
Continuous Delivery in a Legacy Shop—One Step at a Time
Continuous Delivery in a Legacy Shop—One Step at a TimeContinuous Delivery in a Legacy Shop—One Step at a Time
Continuous Delivery in a Legacy Shop—One Step at a Time
TechWell
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
Gene Gotimer
 
DevOps and Build Automation
DevOps and Build AutomationDevOps and Build Automation
DevOps and Build Automation
Heiswayi Nrird
 

More Related Content

What's hot

Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
Standardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins TeamStandardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins Team
Deborah Schalm
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps JourneyCI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
DevOps.com
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
Rogue Wave Software
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 

What's hot (19)

Continuous Testing and New Tools for Automation - Presentation from StarWest ...
Continuous Testing and New Tools for Automation - Presentation from StarWest ...Continuous Testing and New Tools for Automation - Presentation from StarWest ...
Continuous Testing and New Tools for Automation - Presentation from StarWest ...
 
10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
 
Standardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins TeamStandardizing Jenkins with CloudBees Jenkins Team
Standardizing Jenkins with CloudBees Jenkins Team
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps JourneyCI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Test parallelization using Jenkins
Test parallelization using JenkinsTest parallelization using Jenkins
Test parallelization using Jenkins
 
Jenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous DeliveryJenkins - From Continuous Integration to Continuous Delivery
Jenkins - From Continuous Integration to Continuous Delivery
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
 

Similar to Continuous Delivery in a Legacy Shop - One Step at a Time

Continuous Delivery in a Legacy Shop—One Step at a Time
Continuous Delivery in a Legacy Shop—One Step at a TimeContinuous Delivery in a Legacy Shop—One Step at a Time
Continuous Delivery in a Legacy Shop—One Step at a Time
TechWell
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
Gene Gotimer
 
From 0 to DevOps in 80 Days [Webinar Replay]
From 0 to DevOps in 80 Days [Webinar Replay]From 0 to DevOps in 80 Days [Webinar Replay]
From 0 to DevOps in 80 Days [Webinar Replay]
Dynatrace
 
Bringing CD to the DoD
Bringing CD to the DoDBringing CD to the DoD
Bringing CD to the DoD
Gene Gotimer
 
Improving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNetImproving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNet
Venkat Janardhanam, MS, MBA
 
Continuous delivery @ hi q
Continuous delivery @ hi qContinuous delivery @ hi q
Continuous delivery @ hi q
Tomas Riha
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Coveros, Inc.
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
Amazon Web Services
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
Helen Bravo
 
Agile Engineering Best Practices by Richard Cheng
Agile Engineering Best Practices by Richard ChengAgile Engineering Best Practices by Richard Cheng
Agile Engineering Best Practices by Richard Cheng
Excella
 

Similar to Continuous Delivery in a Legacy Shop - One Step at a Time (20)

Continuous Delivery in a Legacy Shop—One Step at a Time
Continuous Delivery in a Legacy Shop—One Step at a TimeContinuous Delivery in a Legacy Shop—One Step at a Time
Continuous Delivery in a Legacy Shop—One Step at a Time
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
 
DevOps and Build Automation
DevOps and Build AutomationDevOps and Build Automation
DevOps and Build Automation
 
From 0 to DevOps in 80 Days [Webinar Replay]
From 0 to DevOps in 80 Days [Webinar Replay]From 0 to DevOps in 80 Days [Webinar Replay]
From 0 to DevOps in 80 Days [Webinar Replay]
 
Hyd virtual meetupslides11jul
Hyd virtual meetupslides11julHyd virtual meetupslides11jul
Hyd virtual meetupslides11jul
 
DevOps Transformations
DevOps TransformationsDevOps Transformations
DevOps Transformations
 
Bringing CD to the DoD
Bringing CD to the DoDBringing CD to the DoD
Bringing CD to the DoD
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationHarman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformation
 
Agile Engineering Sparker GLASScon 2015
Agile Engineering Sparker GLASScon 2015Agile Engineering Sparker GLASScon 2015
Agile Engineering Sparker GLASScon 2015
 
Improving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNetImproving Quality through Continuous Integration - A case study of CollabNet
Improving Quality through Continuous Integration - A case study of CollabNet
 
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
 
Continuous delivery @ hi q
Continuous delivery @ hi qContinuous delivery @ hi q
Continuous delivery @ hi q
 
(Agile) engineering best practices - What every project manager should know
(Agile) engineering best practices - What every project manager should know(Agile) engineering best practices - What every project manager should know
(Agile) engineering best practices - What every project manager should know
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
DevOps Continuous Integration & Delivery - A Whitepaper by RapidValue
DevOps Continuous Integration & Delivery - A Whitepaper by RapidValueDevOps Continuous Integration & Delivery - A Whitepaper by RapidValue
DevOps Continuous Integration & Delivery - A Whitepaper by RapidValue
 
Agile Engineering Best Practices by Richard Cheng
Agile Engineering Best Practices by Richard ChengAgile Engineering Best Practices by Richard Cheng
Agile Engineering Best Practices by Richard Cheng
 

More from Coveros, Inc.

Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
Coveros, Inc.
 
Create Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and Puppet Create Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and Puppet
Coveros, Inc.
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC) DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
Coveros, Inc.
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Coveros, Inc.
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
Coveros, Inc.
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Coveros, Inc.
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
Coveros, Inc.
 

More from Coveros, Inc. (8)

Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active Authentication
 
Create Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and Puppet Create Disposable Test Environments with Vagrant and Puppet
Create Disposable Test Environments with Vagrant and Puppet
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC) DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
 

Recently uploaded

SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
Alluxio, Inc.
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
Alluxio, Inc.
 

Recently uploaded (20)

Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 

Continuous Delivery in a Legacy Shop - One Step at a Time

  • 1. © Copyright 2015 Coveros, Inc. All rights reserved. Continuous Delivery in a Legacy Shop - One Step at a Time Gene Gotimer gene.gotimer@coveros.com Senior Architect @CoverosGene
  • 2. 2© Copyright 2015 Coveros, Inc. All rights reserved.  Coveros builds security-critical applications using agile methods.  Coveros Services – Agile transformations – Agile development and testing – DevOps and continuous integration – Application security analysis  Agile & Security training  Government qualifications – DCAA approved rates and accounting – TS facility clearance About Coveros Areas of Expertise
  • 3. 3© Copyright 2015 Coveros, Inc. All rights reserved. Selected Clients
  • 4. 4© Copyright 2015 Coveros, Inc. All rights reserved. The Problem
  • 5. 5© Copyright 2015 Coveros, Inc. All rights reserved. The Project  COTS product integration for DoD – custom Python glue  Barely starting Agile – Daily Stand-ups (really daily status calls) – 2-week Sprints – Good, pruned backlog – No automated testing – No unit tests – No continuous integration  Releases every 6 months or so – Freeze 2-4 weeks in advance – Deploy Friday evening to Sunday afternoon – Repair broken functionality Monday and Tuesday (and on)
  • 6. 6© Copyright 2015 Coveros, Inc. All rights reserved. The Delivery Team  Development – Local – 2 Developers – 1 Business Analyst – 1 Project Manager  Test and Integration – Remote – 4-6 Testers – 4-6 Integrators (including security experts) – 1 Information Assurance  Off-team – Systems Administrators, hardware and software
  • 7. 7© Copyright 2015 Coveros, Inc. All rights reserved. The Problem “But it works on my machine!”
  • 8. 8© Copyright 2015 Coveros, Inc. All rights reserved. The Problem “But it works on my machine!” = High risk deploys
  • 9. 9© Copyright 2015 Coveros, Inc. All rights reserved. DevOps is…
  • 10. 10© Copyright 2015 Coveros, Inc. All rights reserved. One Single Line of Code “How long would it take your organization to deploy a change that involves just one single line of code? Do you do this on a repeatable, reliable basis?” -- Mary and Tom Poppendieck Implementing Lean Software Development: From Concept to Cash
  • 11. 11© Copyright 2015 Coveros, Inc. All rights reserved. Everybody is Responsible for Delivery “The goal of DevOps is not just to increase the rate of change, but to successfully deploy features into production without causing chaos and disrupting other services, while quickly detecting and correcting incidents when they occur.” -- Gene Kim, Author of The Phoenix Project
  • 12. 12© Copyright 2015 Coveros, Inc. All rights reserved. Continuous Delivery  Make releasing a business decision, not a technical decision  High-confidence releases – Small releases – Fully tested – No expectation of problems  Hotfix releases – Possible – No more than moderate risk – No more than moderate coordination  Continuous Deployment was not a goal
  • 13. 13© Copyright 2015 Coveros, Inc. All rights reserved. The Approach
  • 14. 14© Copyright 2015 Coveros, Inc. All rights reserved. The Approach  Started with things that were in our control – Dev and Test environments – Development process  Make changes behind the scenes – Free/open source tools – Easy to integrate into our CI system – Small changes  Disclose the changes when there was a win – Highlight ease of use – Use as justification for higher environments
  • 15. 15© Copyright 2015 Coveros, Inc. All rights reserved. The Journey
  • 16. 16© Copyright 2015 Coveros, Inc. All rights reserved. 1: Continuous Integration  Trouble explaining “integration” – between two or more developers – not between systems  Just brought in SecureCI and wired to the ALM tool we had – Jenkins (Hudson at the time) – Nexus – SonarQube (Sonar at the time) – Automated builds  Ant, Maven  PMD, FindBugs, Checkstyle  Cobertura  Later added Python tools  Explained the advantages later
  • 17. 17© Copyright 2015 Coveros, Inc. All rights reserved. 2: Functional Testing  Functional testing was done manually – from a script written in Microsoft Word  We waited a year before staging a coup – we didn’t want to encroach on their domain  Demo of Selenium – demonstrated record-and-playback through the Selenium IDE – we recorded the first set of tests – turned it back over to the test team  They argued later that automated testing was ineffective – the automated script (singular) only worked one time, then needed to be re-recorded when any changes got made to the app
  • 18. 18© Copyright 2015 Coveros, Inc. All rights reserved. 2: Functional Testing  We took it back  Rewrote existing tests in Java  Showed our business analyst how to clone-and-mutate the Java tests  Started with JUnit, but went to TestNG – better tagging and parameterization – pre-test run initialization  Since it was COTS, focused on testing system interfaces, not application functionality  Also began testing user roles – Security testing = what can this type of user NOT do
  • 19. 19© Copyright 2015 Coveros, Inc. All rights reserved. Continuous Delivery  Project Manager came across the book in a book store  Everything made so much sense  Logical extension of what we were trying to do  Addressed a lot of the issues we were running into  No money or time for an effort, so we adopted it as our long-term goal
  • 20. 20© Copyright 2015 Coveros, Inc. All rights reserved. 3: Automated Deploys  Started with automating a Drupal web server install – new system, not yet in production – database server was easy, so we skipped it for now  Then automated the manual COTS install  Then started reverse engineering the broken COTS installer  Down the road, realized we could “Automate Everything”  No Puppet Enterprise Server – just manually ran puppet apply from the command line – every system (DB, Web server, SVN server, ALM tool) used the same puppet apply command
  • 21. 21© Copyright 2015 Coveros, Inc. All rights reserved. 4: Security Testing  Tested Security Blanket (now by Raytheon) – couldn’t get it purchased  We knew it couldn’t replace the “official” testing – plus, didn’t want to encroach on their domain  Knew we had some good basis in our CI, static analysis, and user role testing  Wanted a security scanner – at the time, none worked with client certificates out of the box  Found w3af – Python – customizable – client certificate support was there, but not exposed – handed it over to the “experts” on the integration team
  • 22. 22© Copyright 2015 Coveros, Inc. All rights reserved. 4: Security Testing Found 0 vulnerabilities! Perfectly secure! Yeah!
  • 23. 23© Copyright 2015 Coveros, Inc. All rights reserved. 4: Security Testing  Never got past the login screen  But didn’t start at the beginning, so they even missed a XSS bug on the home page  Never read the output or log  So we took it back – Eventually had problems getting customized w3af to work properly – Switched to OWASP ZAP, run manually  Security team focused on STIG and SELinux – that was their expertise anyway
  • 24. 24© Copyright 2015 Coveros, Inc. All rights reserved. 4+: Security Testing  Over a few days, implemented OpenSCAP in Jenkins for STIG checks – immediately found issues – started adding Puppet manifests for remediation  Started using Nikto2 for web server scanning – immediately found issues  Started running weekly scans of dev and test using OpenVAS (Nessus fork) – no immediate issues, but started seeing package security updates before they became IAVMs  Discovered SELinux was in permissive mode – had never been in enforcing
  • 25. 25© Copyright 2015 Coveros, Inc. All rights reserved. 5: Performance  Reconfiguring database server – we thought it was getting slower  Added JMeter to measure a baseline  Took rough breakdown of most common queries  Repeated as a 15-minute test  Monitored trend  Added similar testing to functional tests, another 15 mins  Also, number of functional tests was growing slowly  Watched functional test elapsed time as rough guide
  • 26. 26© Copyright 2015 Coveros, Inc. All rights reserved. 6: Culture Clash  Continuous Delivery was being openly discussed – PMO had just started thinking of it as a clear plan – Kept asking when “continuous delivery” would be delivered, and how it would be packaged  Test and Integration started complaining – 3½ of us were pushing the 12+ of them too hard – moving too fast – not a risk or control complaint, merely effort  People on test and integration team started leaving – including “Burt”
  • 27. 27© Copyright 2015 Coveros, Inc. All rights reserved. The Results
  • 28. 28© Copyright 2015 Coveros, Inc. All rights reserved. Contract Renewal Time  Test and Integration decided not to renew – all remaining personnel ended project with a month  Security issue found the following week – deployed 3 days later  Went back to 2-week deploy cycles, sometimes faster  Left 3 people on development team – One went back to take over for the test and integration team as hands-on-keyboard – BA left project and another came in ½ time for testing  Dropped into maintenance mode
  • 29. 29© Copyright 2015 Coveros, Inc. All rights reserved. The Delivery Team  Development – Local – 1 Developer – 1 Release Manager – ½ time Tester  Test and Integration – Remote – 1 Information Assurance  Off-team – Systems Administrators, hardware and software
  • 30. 30© Copyright 2015 Coveros, Inc. All rights reserved. The Project  Barely Agile – Maintenance only – Kanban-ish, tracking WIP – Daily Stand-ups (really daily status calls) – 2-week Sprints  Releases prepared every 2 weeks – Soft freeze Thursday for Friday release – Deploy Friday evening – 100% working functionality Friday evening – Non-event  Configuration parameters – from 200+ untracked values – to ~30 Hiera-controlled values  Biggest coordination issue: 72 hours for user messaging  Biggest time consumer: 3-6 hours for VM clones
  • 31. 31© Copyright 2015 Coveros, Inc. All rights reserved. My Advice
  • 32. 32© Copyright 2015 Coveros, Inc. All rights reserved. My Advice  DO NOT DO DEVOPS or CD! – At least, don’t set out with a goal to do DevOps or Continuous Delivery  Set out to – remove road blocks and bottlenecks – fix quality issues – be more responsive to change – etc.  Incremental adoption – less culture shock – more visible and concrete benefits sooner  As you get closer to having a repeatable, reliable process for delivering software, CD will “magically” happen
  • 33. 33© Copyright 2015 Coveros, Inc. All rights reserved. My Advice  Read Continuous Delivery and The Phoenix Project
  • 34. 34© Copyright 2015 Coveros, Inc. All rights reserved. Missed Opportunities
  • 35. 35© Copyright 2015 Coveros, Inc. All rights reserved. Missed Opportunities  Automated deploys – more valuable than just reducing risk  Vagrant  Some security scanning earlier – can’t assume someone else is doing it  Some performance testing earlier  We relied on client-side certificates for authentication – EJBCA should have been set up immediately  Upgrades are a huge time sink – components, libraries, applications, system software – add tools to track it as early as possible
  • 36. 36© Copyright 2015 Coveros, Inc. All rights reserved. The Tool Chain
  • 37. 37© Copyright 2015 Coveros, Inc. All rights reserved. The Tool Chain  Jenkins  Puppet (no Puppet Enterprise) – 2 puppet apply commands per server  one --noop for system audit  one for deploy  Security – OpenSCAP (every deploy, minutes) – OpenVAS (every weekend, hours)  included Nikto2  used Kali Linux – OWASP Dependency Check (on-demand, many minutes) – OWASP Zed Attack Proxy (on-demand, few days) – Full role-based Selenium test coverage (every deploy, overnight)  10k+ Selenium tests, TestNG parameterized
  • 38. 38© Copyright 2015 Coveros, Inc. All rights reserved. The Tool Chain  Testing – TestNG for Java unit tests – Nose for Python unit tests – Mockito/Mockito for Python  JMeter – for some representative performance tests  Static Analysis – Java  PMD  FindBugs  Checkstyle  Cobertura  SonarQube – Python  Pylint  coverage.py
  • 39. 39© Copyright 2015 Coveros, Inc. All rights reserved. Questions? Gene Gotimer gene.gotimer@coveros.com @CoverosGene