DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer

•

2 likes•132 views

DevOps cannot be achieved without considering many different aspects of software quality, including security. The term DevSecOps was developed to highlight that security was being focused on as part of the pipeline, not a second-class citizen. Fortunately, DevOps and continuous delivery practices give us opportunities to add different types of security testing to our pipeline so that security can be part of our definition of done. Continuous integration can invoke static analysis tools to test for simple security errors and check if components with known vulnerabilities are being used. Automated deployments and virtualization make dynamic environments available for testing in a production-like setting. Regression test suites can be used to drive traffic through proxies for security analysis. From the code to the systems where the software is being deployed, the process can make sure that security best practices are followed and insecure software is not being produced. Gene will talk about how to construct a definition of done that focuses on security along with other types of quality in a DevOps pipeline. He will discuss how to define security practices and criteria that are appropriate for our teams and our projects to be confident that we are doing DevSecOps, and how those practices and criteria might mature over time.

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 1@CoverosGene #DevOpsDaysBmore © COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore
• Checklist
• Explicit and unambiguous
• Minimum amount of work to
consider a story done
• Periodically reevaluated
A Definition of Done for
DevSecOps
Gene Gotimer

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 2@CoverosGene #DevOpsDaysBmore
Traditional Definition of Done
 Code is committed
 Builds without error
 Unit tests pass
 No static analysis issues
 Code is reviewed
 Merged to trunk
 Functional tests pass
 Accepted by Product Owner
@CoverosGene #DevOpsDaysBmore © COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 3@CoverosGene #DevOpsDaysBmore
In a DevOps world
 Code is committed
 Builds without error
 Unit tests pass
 No static analysis issues
 Code is reviewed
 Merged to trunk
 Functional tests pass
 Automated deploy tested
 Roll-back defined
 Automated acceptance tests
 Scalability planned
 Accepted by Product Owner
… we have automation
@CoverosGene #DevOpsDaysBmore © COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 4@CoverosGene #DevOpsDaysBmore
Do we have a viable
candidate for production?
@CoverosGene #DevOpsDaysBmore © COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 5@CoverosGene #DevOpsDaysBmore
I hate DevSecOps! (the term)

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 6@CoverosGene #DevOpsDaysBmore © COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 7@CoverosGene #DevOpsDaysBmore
Mutation testing

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 8@CoverosGene #DevOpsDaysBmore
Let static analysis help
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 9@CoverosGene #DevOpsDaysBmore
Peer review the code
Architecture
Encryption
Authentication
and
authorization
Input
validation
Output
encoding
Error
conditions
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 10@CoverosGene #DevOpsDaysBmore
User role testing
Test that each kind of user
can do what they are supposed to, and
can’t do what they aren’t supposed to

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 11@CoverosGene #DevOpsDaysBmore
Security scanning
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 12@CoverosGene #DevOpsDaysBmore
Repeatable, reliable deployments
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 13@CoverosGene #DevOpsDaysBmore
Bill of Materials
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 14@CoverosGene #DevOpsDaysBmore
Update your system
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 15@CoverosGene #DevOpsDaysBmore
Lock down the system
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 16@CoverosGene #DevOpsDaysBmore
Monitor your logs
and the app and server
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 17@CoverosGene #DevOpsDaysBmore
Assess the risk
STRIDE
Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
DREAD
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 18@CoverosGene #DevOpsDaysBmore
 Code is committed
 Builds without error
 Unit tests pass
 Mutation coverage goal met
 No static analysis issues
 No vulnerable components
 Code is reviewed
 Merged to trunk
 Functional tests pass
 Automated deploy tested
 Roll-back defined
 System packages updated
 Servers hardened
 User roles regression tested
 No security issues found
 Automated acceptance tests
 Scalability planned
 Logs and app monitored
 Risks assessed
 Accepted by Product Owner
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore
DevSecOps Definition of Done

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 19@CoverosGene #DevOpsDaysBmore
 Code is committed
 Builds without error
 Unit tests pass
 Mutation coverage goal met
 No static analysis issues
 No vulnerable components
 Code is reviewed
 Merged to trunk
 Functional tests pass
 Automated deploy tested
 Roll-back defined
 System packages updated
 Servers hardened
 User roles regression tested
 No security issues found
 Automated acceptance tests
 Scalability planned
 Logs and app monitored
 Risks assessed
 Accepted by Product Owner
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore
DevSecOps Definition of Done

© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. 20@CoverosGene #DevOpsDaysBmore
Reflect.
Consider your
situation.
Keep improving.
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED.@CoverosGene #DevOpsDaysBmore

Breaking contracts have a major impact on API clients. Despite this fact, recent studies show that libraries are often backward incompatible and that the rate of breaking changes increase over time. However, the specific reasons that motivate library developers to break contracts with their clients are still unclear. In this paper, we describe a qualitative study with library developers and real instance of API breaking changes. Our goal is to (i) elicit the reasons why developers introduce breaking changes; and (ii) check if they are aware about the risks of such changes. Our survey with the top contributors of popular Java libraries contributes to reveal a list of five reasons why developers break API contracts. Moreover, it also shows that most of developers are aware of these risks and, in some cases, adopt strategies to mitigate them. We conclude by prospecting a future study to strengthen our current findings. With this study, we expect to contribute on delineating tools to better assess the risks and impacts of API breaking changes.

Get to Green: How to Safely Refactor Legacy Code

Gene Gotimer

For many of us, legacy code is a fact of life. Code without tests -- no safe way to make changes, no safety net, no hope of untangling the web of accumulated ugliness, an incomplete understanding (or less) of how it really behaves. And your next set of changes is just going to add to the garbage pile and make it worse. You need tests so you can safely make changes, but you can't add tests without changing the code. It is a chicken-and-egg problem. So how do you turn legacy code into code you can change confidently? Slowly, one step at a time. Join Gene as he shares his experiences working with a monolithic codebase that was so bad it made national news. He'll go over the steps he and his team used to refactor the code safely by using mocking frameworks, mutation testing, and patience to build an understanding of how the code worked so that they could change it confidently. This talk is for anyone that has inherited legacy code that they aren't confident in and wants to make it something they can work on and improve. You'll leave with some tools and techniques that will help you change your legacy code into something maintainable.

A better faster pipeline for software delivery, even in the government

Gene Gotimer

The software delivery pipeline is the process of taking features from developers and getting them delivered to customers. The earliest tests should be the quickest and easiest to run, giving developers the fastest feedback. Successive rounds of testing should increase confidence that the code is a viable candidate for production and that more expensive tests—be it time, effort, cost—are justified. Manual testing should be performed toward the end of the pipeline, leaving computers to do as much work as possible before people get involved. Although it is tempting to arrange the delivery pipeline in phases (e.g., functional tests, then acceptance tests, then load and performance tests, then security tests), this can lead to problems progressing down the pipeline. In this interactive workshop, Gene Gotimer and Ryan Kenney will discuss how to arrange your pipeline, automated or not, and so each round of tests provides just enough testing to give you confidence that the next set of tests is worth the investment. We'll explore how to get the right types of testing into your pipeline at the right points so that you can determine which builds are viable candidates for production. And we’ll explain some of the experiences we’ve had with clients, especially in the federal government, trying to build out delivery pipelines. Attendees should be at least roughly familiar with their current delivery process, automated or not, or they should at least have a process in mind. No prior knowledge of DevOps, continuous delivery, or automation is assumed.

Scale your Experimentation with Full Stack Best Practices

Optimizely

Are you struggling to go from 1 to 10 or from 100 to 1000 experiments? Optimizely Full Stack is a powerful tool, but knowing best practices for implementation is key to 10x-ing your experimentation program. In this workshop, we'll describe best practices like installing and wrapping the SDK, strategies for code footprint, and fitting a product experimentation culture into your team's process. Come learn how to best leverage Full Stack to scale your product experimentation program.

Continuous Testing- A Key Ingredient for Success in Agile & DevOps

SmartBear

INTERFACE, by apidays - Spatially enabling Web APIs through OGC Standards b...

apidays

O futuro das empresas passa pelas constantes transformações digitais e, para isso, é fundamental manter aplicações que atendam às exigências dos clientes e, sobretudo, seguras. Nesse cenário, nasceu o conceito de DevSecOps, descrevendo um conjunto de práticas para integração entre as equipes de desenvolvimento de software. Nesta palestra, entenderemos mais sobre conceitos e como aplicar DevSecOps na prática. Provocaremos discussões “saudáveis” sobre o modelo tradicional de desenvolvimento e este modelo ágil que está trazendo uma grande mudança de paradigma na construção de aplicações.

DevOps: Continous Delivery - Como os feedbacks são importantes

Erik Etsushi Miyashita

Testing in an Agile World: The Current State and Future Possibilities

TechWell

Delivering high quality applications in an agile world is becoming more complex and challenging because of the changes the web and mobile are undergoing. Web testing continues to get much more difficult due to: increasing use of open technologies (HTML, JavaScript, and CSS) and web components in apps; lengthening the approval processes for plugins; and Chrome, Mozilla, and Edge browsers blocking specific APIs. On the mobile front, Apple, Google, and Microsoft are making it easier for developers to build cross-platform apps, resulting in more to test in less time. With releases such as Windows 10, the lines between desktop and mobile continue to blur. Nikhil Kaul presents an overview of recent technological trends and discusses why they necessitate an alteration in existing agile testing practices. He shares how the transition to technologies like React and React Native is causing the worlds of mobile and web testing to collide. Nikhil shows how, by employing reusability practices and following a modular test design, testers can better prepare for these developments.

Extending GitHub to Meet your Open Source Policy

FINOS

Jamie Jones, GitHub: Extending GitHub to Meet your Open Source Policy. GitHub is often described as the home of the Open Source, but that doesn’t mean it comes easy. This talk will go over how you can use the features within GitHub (and that you can extend yourself) to meet many of your policy, security, and workflow needs. It includes looking at features such as Protected Branches, Code Approvals, and building your own integrations with PRobot. This presentation will give attendees the confidence to align Github with their own organizational needs and compliance requirements.

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...

apidays

DevSecOps: Colocando segurança na esteira

Diego Gabriel Cardoso

Definition Driven API Development: How OAS & Swagger Help Teams Streamline Th...

SmartBear

The OpenAPI Specification (formerly known as the Swagger Specification) has emerged as the world’s standard for defining RESTful interfaces at a time when the API economy is ripe for disruption. In this webinar, we discussed exactly why and how to use the OpenAPI Specification to accelerate your API development in various phases of the API lifecycle including API design, development, documentation, testing and virtualization. We cover trends in the API landscape that have led to the adoption of API definitions, like OpenAPI, and look at real-world examples of how API teams are using definitions to address challenges at each of the different phases of the lifecycle of their APIs. And finally, we walk through a live demo showing tools like Swagger Inspector for generating API definitions, SwaggerHub for designing, documenting, and developing your APIs, and SoapUI and ServiceV for testing and virtualizing your API.

Is BDD Worth It? Considerations for Advanced Test Automation

Perfecto by Perforce

apidays LIVE Paris 2021 - EDI & API on One Integration Platform by Mir Mustha...

apidays

Red Hat JBoss xPaaS Keynote at Devoxx Belgium 2014

Markus Eisele

Scale DevSecOps with your Continuous Integration Pipeline

DevOps.com

Hear from AppSec and Development leaders on how they apply the principles of DevOps to deliver secure products and services to customers. Learn how you can scale your DevSecOps initiatives to reduce time-to-deployment and lower costs as you deliver secure software. During this webinar, you will learn about the latest tools and techniques that will enable your development teams to embed security scanning into your IDE as you are coding, returning most scans in seconds – all while integrating into your CI pipeline. Our speaker will provide: An overview of Veracode Greenlight and its integrations with developer tools; A summary of recent Greenlight use cases and successes; Examples of how Greenlight integrates into your CI pipeline

Serverless Security: A pragmatic primer for builders and defenders

James Wickett

Talk given at O'Reilly's 2017 Velocity Conference in San Jose. Serverless is the design pattern for writing applications at scale without the necessity of managing infrastructure. This is done across the continuum of the cloud—from storage as a service to database as a service—but the center of serverless is functions as a service (FaaS). (Current FaaS offerings include AWS Lambda, Azure Functions, and Google Cloud Functions.) Now processes run for milliseconds before being destroyed and then get instantiated for subsequent requests. Serverless adds simplicity and a new economic model to cloud computing, but it creates some unique security challenges. In serverless architectures, technologies like antivirus and intrusion detection become meaningless. James Wickett explores practical security approaches for serverless in four key areas—the software supply chain, the delivery pipeline, data flow, and attack detection—and examines how traditional approaches need to be adapted to serverless. Even if you don’t have any experience with serverless, don’t worry; this session starts with the basics. You’ll learn what serverless is (hint: it’s still being defined) and practical patterns for serverless adoption.

How LISI Automotive Accelerated Application Delivery with SwaggerHub

SmartBear

Java 8 - Gateway Drug or End of Line?

Garth Gilmour

Moving to Open-Source Tools - How to Increase Performance Test Coverage Throu...

CA Technologies

Have you been wondering about the rise of open-source alternatives to LoadRunner and other legacy performance tools? Why is there such a strong shift to open source performance testing? Here are key concepts that will allow you to make the transition from centralized testing with legacy tools to widely distributed testing with Apache JMeter and other open source tools. You’ll see how a small Center of Excellence (CoE) team can drive a 10x or 100x increase in testing by handing out logins to self-service tools instead of being a finite resource for test preparation and execution. Start Testing for Free. Create your free CA BlazeMeter account today. https://www.blazemeter.com/#signup

Jenkins User Conference - Continuous Delivery on Mobile

Luca Milanesio

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Ashley Wolf

Presentation from Open Source Leadership Summit 2019. This talk will highlight some best practices that your Open Source Program Office (OSPO) can use to manage security vulnerabilities for open source projects using GitHub’s security alerts at scale. We’ll discuss the mechanics and governance around the process we’ve set up at Verizon Media to notify internal employees about CVEs on their projects.

Server-side Swift with Swagger

Chris Bailey

Perforce Innovations Showcase

Perforce

A Definition of Done for DevSecOps

Gene Gotimer

DevOps needs to consider many different aspects of software quality, including security. The term DevSecOps was developed to highlight that security is a focus of the pipeline, not a second-class citizen. Fortunately, we can define done for our pipeline so that it includes security. Continuous integration can invoke static analysis tools to test for security errors and check if we are using components with known vulnerabilities. Automated deployments and virtualization make dynamic environments available for testing in a production-like setting. Regression tests can drive traffic through proxies for security analysis. From the code to the systems where we deploy the software, the process can be designed to make sure that we follow security best practices, and not produce insecure software. Participants will learn how to construct a definition of done that focuses on security in a DevOps pipeline. They will see how to define security practices that build confidence that they are doing DevSecOps, and how those practices and criteria might mature over time.

Enabling Agility Through DevOps

Leland Newsom CSP-SM, SPC5, SDP

Deck used at Keep Austin Agile 2018 with charts from audience pollings. Enterprises want to deliver more value with higher quality at a faster pace. Many development teams have adopted agile frameworks to improve their ability to deliver software. This has led to a local optimization for the development teams and they have become good at delivering potentially shippable increments of their products, but from there, they typically see organizational constraints in moving it to the customer. The development organization is quickly adding features to the queue waiting to be released, but the operations teams are struggling to support fires in production, maintain stability, and provide the environments and infrastructure needed so development teams can move their new functionality forward. The operation team’s focus on stability usually minimizes the number of changes in production thus creating infrequent, large batches being deployed at a planned date. Can Agile and DevOps bring the development and operations teams together to remove the organizational constraints in moving the software to the customer? In this session, we’ll talk about the relationship of Agile and DevOps, not as an intersection, but as a progression of capability with development and operation teams working together to remove those constraints. We’ll discuss how using Agile and DevOps practices together, teams can release value faster, with higher quality, and in more stable environments making it safer to deploy.

What's hot

Choosing the correct test case manager

TestingCR

2020 05-tech saturday-devsecops-#2-v03

Diego Gabriel Cardoso

DevOps: Continous Delivery - Como os feedbacks são importantes

Erik Etsushi Miyashita

Testing in an Agile World: The Current State and Future Possibilities

TechWell

Extending GitHub to Meet your Open Source Policy

FINOS

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...

apidays

DevSecOps: Colocando segurança na esteira

Diego Gabriel Cardoso

Definition Driven API Development: How OAS & Swagger Help Teams Streamline Th...

SmartBear

Is BDD Worth It? Considerations for Advanced Test Automation

Perfecto by Perforce

apidays LIVE Paris 2021 - EDI & API on One Integration Platform by Mir Mustha...

apidays

Red Hat JBoss xPaaS Keynote at Devoxx Belgium 2014

Markus Eisele

Scale DevSecOps with your Continuous Integration Pipeline

DevOps.com

Serverless Security: A pragmatic primer for builders and defenders

James Wickett

How LISI Automotive Accelerated Application Delivery with SwaggerHub

SmartBear

Java 8 - Gateway Drug or End of Line?

Garth Gilmour

Moving to Open-Source Tools - How to Increase Performance Test Coverage Throu...

CA Technologies

Jenkins User Conference - Continuous Delivery on Mobile

Luca Milanesio

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Ashley Wolf

Server-side Swift with Swagger

Chris Bailey

Perforce Innovations Showcase

Perforce

What's hot (20)

Choosing the correct test case manager

2020 05-tech saturday-devsecops-#2-v03

DevOps: Continous Delivery - Como os feedbacks são importantes

Testing in an Agile World: The Current State and Future Possibilities

Extending GitHub to Meet your Open Source Policy

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...

DevSecOps: Colocando segurança na esteira

Definition Driven API Development: How OAS & Swagger Help Teams Streamline Th...

Is BDD Worth It? Considerations for Advanced Test Automation

apidays LIVE Paris 2021 - EDI & API on One Integration Platform by Mir Mustha...

Red Hat JBoss xPaaS Keynote at Devoxx Belgium 2014

Scale DevSecOps with your Continuous Integration Pipeline

Serverless Security: A pragmatic primer for builders and defenders

How LISI Automotive Accelerated Application Delivery with SwaggerHub

Java 8 - Gateway Drug or End of Line?

Moving to Open-Source Tools - How to Increase Performance Test Coverage Throu...

Jenkins User Conference - Continuous Delivery on Mobile

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Server-side Swift with Swagger

Perforce Innovations Showcase

Similar to DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer

A Definition of Done for DevSecOps

Gene Gotimer

Enabling Agility Through DevOps

Leland Newsom CSP-SM, SPC5, SDP

DevOps+ to Leverage Software Development

DOCOMO Innovations, Inc.

We all know that the DevOps approach brings developers and operators into closer collaboration. On the other hand, we learned that the requirements of each team member are different to achieve software product development. For example: Product Owner must deliver the high quality product by a deadline and wants to know what is happening in the project because it is necessary to take an action before a minor issue becomes critical. Developers want to focus on implementation by automating code validation and unit tests to keeping code quality. QA team requires to cover wide range of test cases with security check in a timely manner. Operating team is comfortable as long as the system is stable. In order to tie these various requirements together, we propose the entire agile development process as "DevOps+" by visualizing throughout project - issue management, software design, code implementation, quality testing, systems deployment, security check, release management and its operation in-the-Cloud. This session will propose Drupal-as-a-Service for "DevOps+" with the integration of back-end systems including JIRA, Git, Chef, Jenkins, Veracode (for Code Security Validation), Public/Private Clouds, Nagios, Splunk and collectd.

DevOps Culture at Amazon

Amazon Web Services

Webinar-DevOps.pdf

Amazon Web Services

DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. In this presentation we will: - Deepen AWS DevOps services - Understand how to release a serverless apllication - Understand the benefits of technology with AWS Coud9

DevOps Patterns to Enable Success in Microservices

Rich Mills

Migrating to a microservices architecture isn't the easy utopia we hoped for. Success requires a combination of technical architecture, automation, and development methodology that all relate closely to Agile and DevOps. This presentation discusses patterns for team structure, CI/CD pipelines, and test automation that will help you successfully deliver solutions using microservices. Presented at Agile 2019 (DC), Aug 2019

Modernizing Software Development in the US Navy

Amazon Web Services

Today, applications are developed amongst various vendors for use supporting Naval Forces on shore and at sea, with different requirements all having to be managed by infrastructure. The Collaborative Software Factory (CSF) is a US Navy Research and Development project designed to bring modern application development to the Navy. In this session you will learn how the CSF is designed as an opinionated way to develop software destined for the fleet. It is designed to help application teams leverage DevOps methodologies using a polyglot platform in Red Hat OpenShift, modern application frameworks, and integrating security into software pipelines. Of the hundreds of security controls necessary for an application accreditation, the approach taken aims to provide many of them via inheritance. AWS and the underlying Red Hat OpenShift container platform provide control matrixes and mappings to help assurance teams with automating accreditation of software. This, plus security features such as code scanning and OpenSCAP scans built into the pipeline, help to rapidly deliver software to the fleet while still meeting compliance and security requirements. By leveraging containers and a managed container platform to provide a stable, consistent platform for applications to be developed, the Navy was able to standardize deployments at sea, such as the upcoming Compile to Combat 24 effort. This effort takes advantage of the AWS GovCloud (US) services accredited at DoD SRG Impact Level 5, such as Amazon EC2, Amazon Simple Storage Service (S3), AWS Key Management Service (KMS) and others to provide elastic scalability to application consumers to leveraging continuous integration and on-demand testing environments.

Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...

CA Technologies

Amazon CI/CD Practices for Software Development Teams - SRV320 - Anaheim AWS ...

Amazon Web Services

At Amazon, continuous integration and continuous delivery (CI/CD) techniques enable collaboration, increase agility, and deliver a high-quality product faster. In this talk, we walk you through the practices we use for both the CI and the CD of software delivery. For CI, we showcase how we incorporate pull requests to increase team collaboration. We also demonstrate how to optimize CI workflows for speed with caching, code analysis, and integration testing. For CD, we share example safety mechanisms, including canary testing, rollbacks, and Availability Zone redundancy. We use the AWS developer tools that were designed based on the internal Amazon tooling: AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, and AWS X-Ray.

DevOps on AWS

Amazon Web Services

by Trevor Sullivan, Solutions Architect, AWS Software release cycles are now measured in days instead of months. Cutting edge companies are continuously delivering high-quality software at a fast pace. In this session, we will cover how you can begin your DevOps journey by sharing best practices and tools used by the engineering teams at Amazon. We will showcase how you can accelerate developer productivity by implementing continuous Integration and delivery workflows. We will also cover an introduction to AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, AWS Cloud9, and AWS X-Ray the services inspired by Amazon's internal developer tools and DevOps practice.

Software as Craft

Nicole Forsgren

How do you become a high performing technology team? It all comes down to execution. Over the past five years, the State of DevOps Report has shown how the highest-performing technology teams decisively outperform their lower-performing peers. Dr. Nicole Forsgren shares insights into the key technical, architectural, and product capabilities that drive these outcomes, including new findings from cloud, outsourcing, and open source. She offers highlights and surprises uncovered over the last five years from over 30,000 responses.

Amazon CI-CD Practices for Software Development Teams

Amazon Web Services

At Amazon, continuous integration and continuous delivery (CI/CD) techniques enable collaboration, increase agility, and deliver a high-quality product faster. In this talk, we walk you through the practices we use for both the CI and the CD of software delivery. For CI, we showcase how we incorporate pull requests to increase team collaboration. We also demonstrate how to optimize CI workflows for speed with caching, code analysis, and integration testing. For CD, we share example safety mechanisms, including canary testing, rollbacks, and availability zone redundancy. We use the AWS developer tools that were designed based on the internal Amazon tooling: AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, and AWS X-Ray.

DevOps: The Amazon Story

Amazon Web Services

As Public Sector development teams transition to cloud-based architectures and adopt more agile processes, the tools they need to support their development cycles will change. In this session, we'll take you through the transition that Amazon made to a service-oriented architecture over a decade ago. We will share the lessons we learned, the processes we adopted, and the tools we built to increase both our agility and reliability. We will also introduce you to the AWS Code family services which were born out of Amazon's internal DevOps experience and are utilised by many Public Sector customers globally. Mario Vlachakis, Solutions Architect, AWS

Amazon CI/CD Practices for Software Development Teams - SRV320 - Chicago AWS ...

Amazon Web Services

At Amazon, continuous integration and continuous delivery (CI/CD) techniques enable collaboration, increase agility, and deliver a high-quality product faster. In this talk, we walk you through the practices we use for both the CI and CD of software delivery. For CI, we showcase how we incorporate pull requests to increase team collaboration. We also demonstrate how to optimize CI workflows for speed with caching, code analysis, and integration testing. For CD, we share example safety mechanisms, including canary testing, rollbacks, and Availability Zone redundancy. We use the AWS developer tools whose designs were based on the internal Amazon tooling: AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, and AWS X-Ray.

Amazon CI/CD Practices for Software Development Teams - SRV320 - Atlanta AWS ...

Amazon Web Services

At Amazon, continuous integration and continuous delivery (CI/CD) techniques enable collaboration, increase agility, and deliver a high-quality product faster. In this talk, we walk through best practices for both the CI and the CD of software delivery. For CI, we showcase how to incorporate pull requests to increase team collaboration, and demonstrate how to optimize CI workflows for speed with caching, code analysis, and integration testing. For CD, we share example safety mechanisms, including canary testing, rollbacks, and Availability Zone redundancy. We use AWS developer tools that were designed based on the internal Amazon tooling: AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, and AWS CodeDeploy.

Improve Productivity with Continuous Integration & Delivery

Amazon Web Services

Improve Productivity with Continuous Integration & Delivery

Amazon Web Services

Moving to DevOps the Amazon Way (DEV210-R1) - AWS re:Invent 2018

Amazon Web Services

DevOps is currently one of the most sought after engineering models. One reason is that it helps enterprise transformations. The Amazon transformation to DevOps was born out of the desire to be even more customer obsessed, more agile, and more innovative. Come and learn from our journey as we share the playbook that helped us successfully implement and adopt DevOps as well as the lessons we learned the hard way.

DevSecOps 的規模化實踐 (Level: 300-400)

Amazon Web Services

CI/CD pipelines on AWS - Builders Day Israel

Amazon Web Services

Similar to DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer (20)

A Definition of Done for DevSecOps

Enabling Agility Through DevOps

DevOps+ to Leverage Software Development

DevOps Culture at Amazon

Webinar-DevOps.pdf

DevOps Patterns to Enable Success in Microservices

Modernizing Software Development in the US Navy

Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...

Amazon CI/CD Practices for Software Development Teams - SRV320 - Anaheim AWS ...

DevOps on AWS

Software as Craft

Amazon CI-CD Practices for Software Development Teams

DevOps: The Amazon Story

Amazon CI/CD Practices for Software Development Teams - SRV320 - Chicago AWS ...

Amazon CI/CD Practices for Software Development Teams - SRV320 - Atlanta AWS ...

Improve Productivity with Continuous Integration & Delivery

Moving to DevOps the Amazon Way (DEV210-R1) - AWS re:Invent 2018

DevSecOps 的規模化實踐 (Level: 300-400)

CI/CD pipelines on AWS - Builders Day Israel

More from DevOpsDays Baltimore

DevOpsDays Baltimore 2018: Black Mirror Season 5: DevOps - Brendan O'Leary

DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer

Similar to DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer (20)

More from DevOpsDays Baltimore

More from DevOpsDays Baltimore (20)

Recently uploaded

Recently uploaded (20)

DevOpsDays Baltimore 2018: A Definition of Done for DevSecOps - Gene Gotimer