Download to read offline
Uploaded byAnders Lundsgård
Scania's DevSecOps approach - Gamifying Security - auto:CODE
The document outlines Scania's DevSecOps approach, highlighting the evolution of their cloud adoption and security practices from 2014 to 2019. It emphasizes the shift to autonomous teams, continuous delivery, and the introduction of a gamified security culture that makes security compliance a shared responsibility. Key initiatives include enhancing cloud security awareness and fostering a risk-aware organizational culture through education and communication.
More Related Content
Similar to Scania's DevSecOps approach - Gamifying Security - auto:CODE
Scania's DevSecOps approach - Gamifying Security - auto:CODE
- 1. Scania’s DevSecOps Approach – GamifyingSecurity in the Cloud ANDERS LUNDSGÅRD, BERLIN – 2019-11-28
- 2. Scania Cloud Adoption– Security Team Anders Lundsgård Senior Engineer @ CS Delivery Engineering Cloud Engineer/Architect @ Scania Cloud Adoption @anderslundsgard
- 3. Disclaimer There is noofficial Scania “DevSecOps manifest definition”. DevSecOps in this presentation is only one view of DevSecOps. Based on the presenters experience in building, deploying and operating software in a secure way.
- 4. in the earlydays… More features quicker Stability
- 5. in the earlydays… Stability This is me today
- 6. • 3-8 people •Requirements • Technologies • Quality • Deployment • Monitoring • Operations 6 Autonomous Teams that fully own their services
- 7.
- 8. Zero Downtime Enables engineersto be present when their code goes live
- 9. Deploy != Release FeatureTeam Concern Business Decision
- 10. Remove Handovers Avoid suboptimize in organizational silos
- 11. Deploy frequency - ScaniaConnected Services • 2015 – Agile teams • 12 deploys per year • 2016 – Autonomous Teams • Continuous Delivery • 30+ Prod deploys per day • 2011 – Software projects • 2-3 in parallel • 3 deploys per year 1. Microservice Architecture 2. Challenged and improved infra related processes 3. Trust and courage from management Continuous Integration Infrastructure changes NOT included
- 13. Cloud Adoption 20162014 Cloud First 2019 CloudOnly (For new initiatives) Cloud Native
- 14.
- 15. 1000+ Engineers and400+ AWS accounts = Feature TeamFT DE = Delivery Engineering (Cloud Satellite) DE FT FT FT FT FT FT FT FT DE FT FT FT FT FT DE FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT FT Multiple other departments co-located in same building Cloud Adoption (~10 engineers) Dev-teams that move to “DevOps”-teams with no investment tend to struggle in their cloud journey
- 16. Greenfield AWS setup VersionControl cloud enabled AWS multi account strategy Immutable infrastructure In each Feature Team! Read Only in Prod for human beings NO CLOUD OPS
- 17.
- 18. Cloud Security Team- Mission Increase organizational awareness of Cloud security through education, visualization and communication. Creating a risk aware culture that makes continuous security compliance everyone’s responsibility.
- 19. Cloud Security Team- Principles Gamifying Security Get out from the cave Don’t just say “NO” Ubiquitous encryption Cloud Native Security Share failures
- 20. Security JAM 2019 ScaniaCloud Adoption – 4th of June 2019 Scania Cloud Security
- 21.
- 23.
- 24. Security smells trend(May November) Hand picked cloud accounts with low security posture New positive trend! Weekly security email
- 25.
Editor's Notes
- #2 Scania’s DevSecOps Approach – Gamifying Security in the Cloud Anders will share Scania’s journey to the Cloud. How we have transformed the organization and our strategies for enabling teams to work autonomous with building, shipping and securing their applications in AWS. Key Takeaways * Establishing Self-Sufficient, Autonomous Software Teams * Managing 100+ Teams and 400+ Accounts in The Cloud * How We Make Security Fun for Developers via Gamification * Security Is Everyone’s Job!
- #5 Ops1: “Wait until Tuesdays CAB!” Dev1: “You must start to code and version your stuff” Dev2: “Use my repo. I’ll be contributing”
- #6 Ops1: “Wait until Tuesdays CAB!” Dev1: “You must start to code and version your stuff” Dev2: “Use my repo. I’ll be contributing”
- #9 2+ servers (load balanced) No state on servers Live upgrade of Database schema
- #11 2+ servers (load balanced) No state on servers Live upgrade of Database schema
- #12 Moved from software projects to agile teams and continuous integration. Even with continuous integration and agile teams it is hard to maintain a big codebase Also about 4 times more check-ins with the microservice architecture.
- #17 Version Control hosted in cloud: VCS is like bread and butter: Free for everyone Enabled fully automation in AWS
- #19 $en,Joanna$ Over 50 engineers participated in the security jam. $en,Joanna$ 13 teams with 4 engineers in each team.
- #21 $en,Joanna$ Hello. This is a summary of the AWS Security Jam event hosted by AWS professional services and Scania Cloud Adoption.
- #22 $en,Joanna$ The day started with a short introduction on how to register and get started with the Security Jam.
- #23 $en,Joanna$ There were 10 challenges of various difficulty. Taking clues reduced the score for accomplish a challenge. $en,Joanna$ 6 hours of focused work ended up in, without doubt, amazing results.
- #24 $en,Joanna$ Exciting to follow the scoreboard as the day progressed.