OFFERING SELF-SERVICE SECURITY
TO DEVELOPERS
TO SCALE
TO A DEVSECOPS CULTURE
Javier Sanz Enjuto
Security Architecture @ BBVA
javier.sanz.enjuto@bbva.com
Ernesto Bethencourt
Product Owner Chimera @ i4s
ernesto.bethencourt@i4s.com
STOP AND TAKE A LOOK AROUND YOU
Exponential increase of compute, data and storage demand will severely challenge
our “production model” ...
Source: BBVA
More and more
interaction with customers
Source: EFMA: “World Retail Banking Report 2015”
But many will not generate
additional revenues
Digital Players operational paradigms show the way forward though our current
rate of adoption is way too slow
(*)
(*) Illustrative proxy of productivity
BBVA's ability to produce what we need with our current technology narrows by
the day and will become unattainable and unaffordable ...
THE GENERAL LANDSCAPE @BBVA (and in banking) ...
Data
Algorithm based solutions
Channels
Branch, mobile, web
& contact center
Productivity
Low cost processing &
automation
KEY ELEMENTS FOR THIS
TRANSFORMATION
• Internal talent (few good people …)
• End-to-end automation
• DevOps “philosophy” (NoOps …)
• API and obsession to reuse
• Global communities
WE ARE BUILDING ETHER
Ether is BBVA's global banking platform, which allows developers to easily build,
deploy and operate banking services of any kind by leveraging the cloud.
Global Cloud Services
Automation
Open Source & Vendor
decoupling
Developer centric
Hybrid cloud
Reliability /Operability
CLOUD SECURITY IS ...
SECURITY AS A SERVICE (SECaaS)
BBVA’s SECaaS is one of the main Cloud components
composing Ether.
SECaaS builds on the concept that Security can be
provided on demand to the user, regardless of the
geographic or organizational separation between
provider and consumer.
SECaaS provides security embedded by default.
SECaaS OBJECTIVES 4 SDLC
• Early Security Feedback for Developers
• Shifting Left
• Add Value to selected tools
• Security also must be “aaS”
SECURITY IN SDLC
GREAT SOFTWARE DEVELOPMENT MEANS 2 THINGS:
VELOCITY QUALITY
Great Developer
Ecosystem...
…in a “Continuously
integrated” Global Cloud
Platform
12k developers (?)
working on a
common “Cloud
Age” development
ecosystem: Ether
Developers
Speed
Plan “(A)hhhh”
Plan “(B)e Speed”
HOW ARE WE DOING IT?
SHIFT LEFT, DEVSECOPS, SECDEVOPS, RUGGED, ETC
OWASP AppSec Pipeline Project
The OWASP AppSec Pipeline project is a place to gather information, techniques and tools
to create your own AppSec Pipeline. AppSec Pipelines take the principles of
DevOps and Lean and apply them to an application security program.
DevSecOps.org
A security-led initiative proposing that security should be delivered as
code.
Grafeas.io
A Google project, Grafeas is an open artifact metadata API to audit and govern
your software supply chain.
TOOLS! TOOLS EVERYWHERE! DEVELOP A PRODUCT
CHIMERA
In-take Triage Test Deliver
DevSecOps Foundations
Rugged DevOps Pipeline
Static Black-box Manual
DevSecOps
Analytics
Blue Team
Services
Security
Provision
DevSecOps
Threat Model
Auto-Enrollment
Continuous
Monitoring
Governance
Added Value
Services
Continuous Feedback &
Optimization
MAIN GOALS
CHIMERA
OUR PROPOSAL
● Abstraction of Security “Solutions”
● Added Value
● Orchestration
SECURITY TOOLS
CI Pipelines (i.e. Ether Pipelines)
CHIMERA
Sec. Code Review Docker Images Review “Analytics”
WHAT WE HAVE
BANDIT
GECRETS
SELF-SERVICE 4 DEV TEAMS SERVICES 4 SECURITY TEAMS
4 DEVELOPMENT TEAMS
CI Pipelines (i.e. Ether Pipelines)
Docker Images
Review
CHIMERA
Orchestration +
Added Value
4 DEVELOPMENT TEAMS
4 DEVELOPMENT TEAMS
Developers can access and use
this information on their pipelines
and in the near future on Ether’s
Console
4 SECURITY TEAMS
CI Pipelines (i.e. Ether Pipelines)
Docker Images
Review
CHIMERA
“Security Seal”
Orchestration +
Added Value
AUTOMATIC!
4 SECURITY TEAMS
“Security Seal”
● “Distributed” model (Chimera doesn’t need to be online/reachable)
○ We also have the “centralized” model (API - PIP)
● The security seal is a JWT ← standardization
● We use Artifactory’s “property” fields
● The Docker Image ID is used as the JWT sub claim
● Known JWT “insecurities” are mitigated correctly
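An added example, not Chimera's code and not from the slides, of what such a seal can look like in Go: the issuer signs a JWT whose sub claim is the Docker image ID, and a pipeline verifies it offline with only the issuer's public key (the "distributed" model), pinning the algorithm so that alg=none and key-confusion tokens are rejected and binding the seal to the exact image being deployed. The ES256 choice, the scanner/result claims, the issuer name and the image ID are assumptions; reading and writing the Artifactory property is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SealClaims is the seal payload. As on the slide, "sub" carries the Docker
// image ID; "scanner" and "result" are assumed extra claims for this example.
type SealClaims struct {
	Iss     string `json:"iss"`
	Sub     string `json:"sub"`
	Iat     int64  `json:"iat"`
	Exp     int64  `json:"exp"`
	Scanner string `json:"scanner"`
	Result  string `json:"result"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateSealKey creates the issuer's P-256 key; only the public half is
// handed to pipelines, so verification never needs the issuer online.
func GenerateSealKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueSeal signs the claims with ES256 (assumed; the slide only says JWT) and
// returns the compact JWT that would be stored in the image's Artifactory property.
func IssueSeal(priv *ecdsa.PrivateKey, c SealClaims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: R||S, each left-padded to 32 bytes, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifySeal validates a seal offline with only the issuer's public key. The
// algorithm is fixed by the verifier, never read from the header, so "alg":"none"
// and key-confusion tokens fail; exp is mandatory and sub must equal imageID.
func VerifySeal(pub *ecdsa.PublicKey, token, imageID string, now time.Time) (*SealClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("rejected header (alg %q)", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c SealClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("seal expired or has no exp")
	}
	if c.Sub != imageID {
		return nil, errors.New("seal issued for a different image")
	}
	return &c, nil
}

func main() {
	priv, _ := GenerateSealKey()
	img := "sha256:" + strings.Repeat("ab", 32) // constructed image ID
	now := time.Now()
	tok, _ := IssueSeal(priv, SealClaims{Iss: "chimera", Sub: img, Iat: now.Unix(),
		Exp: now.Add(time.Hour).Unix(), Scanner: "image-review", Result: "pass"})
	c, err := VerifySeal(&priv.PublicKey, tok, img, now)
	fmt.Printf("%+v %v\n", c, err) // claims printed, err == nil for the sealed image
}
```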
DEMO
BARACK OBAMA – FAREWELL ADDRESS, JANUARY 10, 2017
“I’M ASKING YOU TO BELIEVE. NOT IN MY ABILITY TO BRING ABOUT CHANGE – BUT IN YOURS.”
Ernesto Bethencourt & Javier Sanz - OFFERING SELF-SERVICE SECURITY TO DEVELOPERS TO SCALE TO A DEVSECOPS CULTURE [rooted18]