Slide 1: DevOps & DevSecOps in Swiss Banking
VSHN - The DevOps Company
Aarno Aukia, CTO
2021-11-18 SMIDEX Zürich
Slide 2: Agenda
● About Aarno & VSHN
● Why? From Dev to DevOps to DevSecOps
● What? DevSecOps principles
● How? Concrete measures, team topologies
● Who? Customer: Finnova AG Bankware
● Because? Resulting IT governance & security benefits
Slide 3: About Aarno & VSHN.ch
Aarno Aukia, CTO & Co-Founder, @aarnoaukia, a@vs.hn
ETH -> Google -> Atrila -> VSHN
VSHN - The DevOps Company, @vshn_ch, https://vshn.ch
Since 2014, currently 48 VSHNeers in Zürich, Switzerland
Helping developers run online businesses without having to worry about operations and security
Slides 4-6: Software Project Management
Sequential phases (classic waterfall): Requirements -> Design -> Implementation -> Validation -> Maintenance
Slides 7-9: Agile Software Project Management
Iterative cycle: Requirements -> Design -> Implementation -> Testing -> Release
Slide 7 adds the business side (Biz) next to the cycle; slide 9 adds operations (Ops) as a second party outside the cycle.
Slide 10: OPS = Firefighting-as-a-Service?
Slide 11: DevOps: People, Processes & Tools
Collaboration between software developers and operations:
● Teamwork
● Continuous improvement
● Efficient and lean
● Agile: being able to react to new requirements
● Automate as much as possible (“Infrastructure as code”)
Slides 12-13: DevOps Software Project Management
Loop: Requirements -> Design -> Implementation -> Testing -> Release -> Deploy -> Operate -> Monitor
Slide 13 repeats the loop with the word SECURITY written vertically beside it: the cross-cutting concern that the next slide adds to every phase.
Slides 14-15: DevSecOps Software Project Management
Loop: Requirements -> Design -> Implementation -> Testing -> Release -> Deploy -> Operate -> Monitor
Security annotations along the loop (in the order they appear on the slide): todo list, data & risks; secure practices; validation; traceability; auditability; anomalies, availability
Slide 16: DevSecOps principles
Slide 17: 1. Increase trust & transparency
● Document “non-functional security requirements” for any new product backlog -> objective criteria
● Support product teams with security requirements proactively
● Provide self-service tools to establish a baseline quickly & scalably:
○ AAI/SSO
○ LB/WAF, SSL/TLS/PKI/certificates
○ Logging
○ Scanning of code, containers, infrastructure
○ Dependency management & updates
○ (hardened) container platform
○ Configuration & secrets management (vault, HSM)
Slide 18: 2. Understand risk probability and impact
● Proactively help product teams with data & availability risk assessments
● Detect incidents quickly, limiting impact
Slide 19: 3. Incremental security improvement
● Which “non-functional security requirements” need to be done by “beta” and which by “productive” launch?
● Which control (tool) scales over all applications/infrastructures, increasing security incrementally overall?
Slide 20: 4. Continuous security in the pipeline
● “Security as code”
● Automated scanning and testing as part of the continuous delivery pipeline
● “Shift left”: move security scanning and remediation from production to development to git check-in
Slide 21: 5. Standardize & update third-party software
● Automate dependency updates, monitor production compliance
● Work with software architecture teams to promote standardization
Slide 22: 6. Govern with automated audit trails
● Automate processes -> integrity, fewer errors, no production access needed
● Log changes, e.g. git commits and access logs
Slide 23: 7. Test preparedness with security games
● Training & education, including practical applications
● Red teaming
Slide 24: DevSecOps principles
Slide 25: Tools
● GitLab: on-premises Git, CI, scanning, container build/registry, deployment, dependency analysis, all integrated in RBAC
● Renovate: container/software dependency updates
● Micro Focus Fortify: SAST/DAST scanning
● Docker: standardized packaging & runtime
● Kubernetes: standardized container platform
● Keycloak: AAI/SSO to OIDC/SAML/LDAP/Active Directory
● ELK (Elasticsearch, Logstash & Kibana): logs, indexing, access
● Prometheus: time-series database for metrics
● Crossplane: external service provisioning from Kubernetes
Slide 26: Layers of abstraction
Slide 27: Zooming in
Layers, bottom to top: Hardware (cloud or on-premises) -> Operating System -> Docker -> Kubernetes -> Service discovery & load balancing -> Application server -> Application
Slide 28: Benefits of Kubernetes as abstraction
● Free & open standard, adopted by all major vendors (Google, AWS, Microsoft, Red Hat, SUSE, IBM, etc.)
● Available as a managed service both on-premises and in (private) clouds
● Provides integration with infrastructure (compute, storage, networking)
● Provides optional integration with platform services (e.g. DBaaS, S3)
● Infrastructure as code, automation, tools for DevOps processes
● Large ecosystem of auxiliary tooling & integrations available
● Being adopted as the standard runtime by ISVs (Avaloq, Finnova, Abacus, Adcubum, Ergon, etc.)
Slides 29-33: Team topologies (diagrams only)
Slide 34: Example: Finnova AG Bankware
● Developer and operator of banking software used by ~100 banks
● Based in Lenzburg, Switzerland
● Founded 1974
● ~400 employees
Slides 35-36: Deployment process & security
Slide 37: DevOps collaboration
Deployment: DEV (repository) -> files (pods) -> Docker images -> containers (OpenShift) -> Operations AM Seewen (PRD)
Security:
Code and image scan (security & compliance policies):
» Code analysis
» Image scanning
» Container hardening
Runtime:
» Network security
» Monitoring
» Logging & reporting
Further labels on the diagram: Code security; Access; Security & auditing
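Container hardening, as an added example that is not Finnova's or VSHN's code: the checks a hardened platform enforces on every workload before it reaches the cluster (non-root, no privilege escalation, all capabilities dropped, read-only root filesystem, resource limits, images only from the internal registry and pinned by digest, no host namespaces, no automatically mounted service-account token), written as a Python check over the JSON form of a manifest so that it can run in the CI job in front of the deployment step or serve as the logic of an admission policy. The registry name, the exact baseline and the two sample Deployments are assumptions constructed for this example; manifests are read as JSON (as `kubectl get deploy <name> -o json` returns them) because the Python standard library has no YAML parser.

```python
"""Workload policy check for a hardened container platform: a Pod template is
tested against a baseline before deployment (in CI) or, with the same logic, in
an admission policy. Manifests are taken in JSON form; the trusted registry name
is an assumption and the two sample Deployments are constructed."""
import json
import re
import sys

TRUSTED_REGISTRIES = ("registry.example.internal/",)  # assumed internal registry
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")     # image pinned by content digest

def check_container(container, pod_sc):
    """Violations for one container; container-level securityContext overrides pod-level."""
    name = container.get("name", "<unnamed>")
    sc = {**pod_sc, **container.get("securityContext", {})}
    problems = []
    if sc.get("runAsNonRoot") is not True:
        problems.append(f"{name}: runAsNonRoot must be true")
    if sc.get("privileged"):
        problems.append(f"{name}: privileged containers are not allowed")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        problems.append(f"{name}: capabilities.drop must contain ALL")
    if sc.get("readOnlyRootFilesystem") is not True:
        problems.append(f"{name}: readOnlyRootFilesystem must be true (mount an emptyDir for scratch space)")
    limits = container.get("resources", {}).get("limits", {})
    if "cpu" not in limits or "memory" not in limits:
        problems.append(f"{name}: cpu and memory limits are required")
    image = container.get("image", "")
    if not image.startswith(TRUSTED_REGISTRIES):
        problems.append(f"{name}: image {image!r} is not from a trusted registry")
    if not DIGEST_RE.search(image):
        problems.append(f"{name}: image {image!r} must be pinned by digest, not a mutable tag")
    return problems

def pod_spec_of(manifest):
    """Locate the pod spec in a Pod, a CronJob, or any workload carrying a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec")

def check_manifest(manifest):
    """Return the list of policy violations; an empty list means the workload passes."""
    spec = pod_spec_of(manifest)
    if spec is None:
        return [f"{manifest.get('kind')}: no pod spec found"]
    problems = [f"pod: {flag} is not allowed" for flag in ("hostNetwork", "hostPID", "hostIPC") if spec.get(flag)]
    if spec.get("automountServiceAccountToken", True):
        problems.append("pod: automountServiceAccountToken must be false unless the workload calls the API")
    pod_sc = spec.get("securityContext", {})
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        problems.extend(check_container(container, pod_sc))
    return problems

def sample_deployment(name, image, pod_sc=None, container_sc=None, limits=None, automount=True):
    """Constructed Deployment manifest with just the fields the checks look at."""
    container = {"name": "app", "image": image}
    if container_sc:
        container["securityContext"] = container_sc
    if limits:
        container["resources"] = {"requests": limits, "limits": limits}
    pod = {"automountServiceAccountToken": automount, "containers": [container]}
    if pod_sc:
        pod["securityContext"] = pod_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "bankware-prd"},
            "spec": {"replicas": 2, "selector": {"matchLabels": {"app": name}},
                     "template": {"metadata": {"labels": {"app": name}}, "spec": pod}}}

# Typical first draft: public image by floating tag, runs as root, no limits.
WEAK = sample_deployment("bankware-app-draft", "nginx:latest")

# The same workload under the baseline: internal image pinned by a (placeholder)
# digest, non-root, no privilege escalation, all capabilities dropped, read-only
# root filesystem, limits set, no service-account token mounted.
HARDENED = sample_deployment(
    "bankware-app", "registry.example.internal/bankware/app@sha256:" + "0" * 64,
    pod_sc={"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    container_sc={"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                  "capabilities": {"drop": ["ALL"]}},
    limits={"cpu": "500m", "memory": "512Mi"},
    automount=False,
)

if __name__ == "__main__":
    # Usage: check.py manifest.json ...; without arguments the two samples are checked.
    manifests = [json.load(open(path)) for path in sys.argv[1:]] or [WEAK, HARDENED]
    results = [check_manifest(m) for m in manifests]
    for manifest, problems in zip(manifests, results):
        print(f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}: {len(problems)} violation(s)")
        for problem in problems:
            print("  -", problem)
    sys.exit(1 if any(results) else 0)
```

Without arguments the draft manifest fails with eight violations and the hardened one passes. The securityContext checks correspond to the Restricted profile of the Kubernetes Pod Security Standards, which a platform team can enforce cluster-wide with Pod Security Admission once all tenants pass; the registry, digest-pinning and resource-limit checks go beyond that profile and are the part that keeps deployments immutable and reproducible from the image that was actually scanned.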
Slide 38: Traditional IT governance
● “Full stack audit”
● Review design document
● Every layer was custom built:
○ physical hardware
○ handcrafted servers
○ manual application deployment
● Review each layer
● Review each layer again next year...
Slide 39: Cloud-native IT governance
● Standardized components:
○ already audited, some even externally certified
○ re-used, economies of scale, CMMI level 5
○ technical controls (AAI, RBAC, logs/SIEM) implemented once
○ financial controls implemented once
● Infrastructure: private/public cloud
● Ops: container orchestration platform
● Review design document & platform configuration
Slide 40: IT governance benefits
● Prevent configuration drift through immutable infrastructure
● Prevent manual errors through automation and less root access
● Security by default through automation integration
● Compute resources billable by project
● Self-service onboarding
● Autoscaling; scale down dev environments outside office hours
● Vendor procurement / due diligence / certification management
● SLA, 24x7, service process, escalation management clearly defined
Slide 41: Thank you
Please get in touch with feedback: @aarnoaukia, a@vs.hn
https://www.linkedin.com/in/aukia/

Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 

Recently uploaded (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodology
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 

DevOps & DevSecOps in Swiss Banking

  • 17. 1. Increase trust & transparency
    ● Document “non-functional security requirements” for any new product backlog -> objective criteria
    ● Support product teams with security requirements proactively
    ● Provide self-service tools to establish baseline quickly & scalably
      ○ AAI/SSO
      ○ LB/WAF, SSL/TLS/PKI/certificates
      ○ Logging
      ○ Scanning of code, containers, infrastructure
      ○ Dependency management & updates
      ○ (hardened) container platform
      ○ Configuration & secrets management (vault, HSM)
  • 18. 2. Understand risk probability and impact
    ● Proactively help product teams with data & availability risk assessments
    ● Detect incidents quickly, limiting impact
  • 19. 3. Incremental security improvement
    ● Which “non-functional security requirements” need to be done by “beta” and which by “productive” launch?
    ● Which control (tool) scales over all applications/infrastructures, increasing the security incrementally overall?
  • 20. 4. Continuous security in the pipeline
    ● “Security as code”
    ● Automated scanning and testing as part of the continuous delivery pipeline
    ● “Shift left”: move security scanning and remediation from production to dev to git check-in
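The following is an added illustration (not code from the talk, from VSHN, or from GitLab) of the kind of pipeline gate slides 19 and 20 describe: the job reads a scanner report, fails when findings exceed the threshold for the launch stage, and honours time-boxed risk acceptances so that “beta” and “productive” get different bars without waivers becoming permanent. The report layout, finding ids, policy values and the risk register are constructed assumptions, not a vendor schema.

```python
"""Stage-aware security gate for a CI pipeline.

Added illustration, not code from the talk or from VSHN/GitLab. The report
format is a constructed simplification (a list of findings with an id and a
severity); real scanner reports carry more fields.
"""
from __future__ import annotations

import json
from datetime import date

# Ordering used to compare severities. An unrated finding is ranked like a
# High one: "unknown" is not evidence that something is harmless.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "unknown": 3, "high": 3, "critical": 4}

# Minimum severity that blocks each launch stage (assumed policy values).
STAGE_THRESHOLD = {
    "beta": "critical",       # beta may launch with High findings still open
    "productive": "high",     # production blocks High and Critical
}


def load_findings(report_json: str) -> list[dict]:
    """Parse a scanner report and normalise the fields the gate needs."""
    report = json.loads(report_json)
    findings = []
    for entry in report.get("vulnerabilities", []):
        findings.append({
            "id": entry["id"],
            "severity": str(entry.get("severity", "unknown")).lower(),
            "location": entry.get("location", "n/a"),
        })
    return findings


def evaluate_gate(findings: list[dict], stage: str, accepted_risks: dict,
                  today: date) -> dict:
    """Decide whether a build may proceed to `stage`.

    accepted_risks maps finding id -> {"expires": "YYYY-MM-DD", "reason": ...}.
    A waiver only counts while it has not expired, so accepted risks get
    re-decided instead of silently becoming permanent.
    """
    threshold = SEVERITY_RANK[STAGE_THRESHOLD[stage]]
    blocking, waived = [], []
    for finding in findings:
        rank = SEVERITY_RANK.get(finding["severity"], SEVERITY_RANK["unknown"])
        if rank < threshold:
            continue
        waiver = accepted_risks.get(finding["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            waived.append(finding["id"])
        else:
            blocking.append(finding["id"])
    return {"stage": stage, "allowed": not blocking,
            "blocking": blocking, "waived": waived}


# Constructed sample report; ids and locations are made up for the example.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "f-1", "severity": "Critical", "location": "src/auth/session.py"},
    {"id": "f-2", "severity": "High", "location": "package-lock.json"},
    {"id": "f-3", "severity": "Medium", "location": "Dockerfile"},
    {"id": "f-4", "severity": "High", "location": "pom.xml"},
    {"id": "f-5", "severity": "Unknown", "location": "image:base-os"},
]})

# Constructed risk register: f-4 is accepted until 2030, f-2's waiver has expired.
ACCEPTED_RISKS = {
    "f-4": {"expires": "2030-01-01", "reason": "not reachable; compensating WAF rule"},
    "f-2": {"expires": "2021-01-01", "reason": "old waiver, must be re-decided"},
}


def run_gate(stage: str, today: str = "2021-11-18", report_json: str = SAMPLE_REPORT,
             accepted_risks: dict = ACCEPTED_RISKS) -> dict:
    """Parse a report and evaluate one launch stage on a given day."""
    return evaluate_gate(load_findings(report_json), stage, accepted_risks,
                         date.fromisoformat(today))


if __name__ == "__main__":
    import sys
    result = run_gate(sys.argv[1] if len(sys.argv) > 1 else "productive")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["allowed"] else 1)   # a non-zero exit fails the CI job
```

Run as `python gate.py beta` or `python gate.py productive` in the pipeline stage that precedes the corresponding deployment; the exit code is what the pipeline acts on, and the JSON is what ends up in the job log as the audit record of why a build was stopped or waved through.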
  • 21. 5. Standardize & update third-party SW
    ● Automate dependency updates, monitor production compliance
    ● Work with software architecture teams to promote standardization
  • 22. 6. Govern with automated audit trails
    ● Automate processes -> integrity, fewer errors, no production access needed
    ● Log changes, e.g. git commits and access logs
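As an added example of what an automated audit trail buys you (not VSHN's tooling, and the log format, actor names, digests and commit ids are constructed for the example), the script below reconciles production deployment events against what the pipeline actually built: every production change should come from the pipeline's service account, reference an image pinned by digest, and trace back to a recorded pipeline run and a reviewed commit. Anything else is exactly the “production access” the slide says should no longer be needed.

```python
"""Reconcile production deployments against the pipeline's audit trail.

Added illustration, not VSHN's tooling. The log line format, actor names,
image digests, commit ids and pipeline numbers are constructed.
"""
from __future__ import annotations

import re

CI_ACTOR = "ci-deployer"   # assumed name of the pipeline's deploy service account

# Constructed pipeline records: what CI built, from which commit, and whether
# that commit had a reviewer.
PIPELINE_RUNS = [
    {"pipeline": 101, "commit": "a1b2c3d", "reviewed_by": "bob",
     "image": "registry.example/bankware@sha256:1111"},
    {"pipeline": 102, "commit": "e4f5a6b", "reviewed_by": None,
     "image": "registry.example/bankware@sha256:2222"},
]

# Constructed deployment/access log: one key=value event per line.
DEPLOY_LOG = """\
2021-11-18T09:00:01Z env=prod actor=ci-deployer image=registry.example/bankware@sha256:1111 pipeline=101
2021-11-18T11:30:45Z env=prod actor=ci-deployer image=registry.example/bankware@sha256:2222 pipeline=102
2021-11-18T13:12:09Z env=prod actor=alice image=registry.example/bankware:hotfix pipeline=-
2021-11-18T15:00:00Z env=prod actor=ci-deployer image=registry.example/bankware@sha256:1111 pipeline=999
2021-11-18T15:40:00Z env=dev actor=alice image=registry.example/bankware:feature-x pipeline=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(log_text: str) -> list[dict]:
    """Turn key=value log lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def audit_prod_deploys(events: list[dict], runs: list[dict],
                       ci_actor: str = CI_ACTOR) -> list[dict]:
    """Map each production deploy to its commit and list policy issues."""
    by_image = {r["image"]: r for r in runs}
    report = []
    for ev in events:
        if ev.get("env") != "prod":
            continue
        issues = []
        run = by_image.get(ev.get("image"))
        if ev.get("actor") != ci_actor:
            issues.append("manual-deploy")        # a human used production access
        if "@sha256:" not in ev.get("image", ""):
            issues.append("mutable-tag")          # a tag cannot be tied to a scan result
        if run is None:
            issues.append("untraceable-image")    # nothing in CI built this artifact
        else:
            if str(run["pipeline"]) != ev.get("pipeline"):
                issues.append("pipeline-mismatch")  # claimed run did not build this digest
            if not run["reviewed_by"]:
                issues.append("unreviewed-commit")
        report.append({"ts": ev["ts"], "image": ev["image"], "actor": ev["actor"],
                       "commit": run["commit"] if run else None, "issues": issues})
    return report


def run_audit() -> list[dict]:
    """Audit the constructed sample log against the constructed pipeline runs."""
    return audit_prod_deploys(parse_events(DEPLOY_LOG), PIPELINE_RUNS)


if __name__ == "__main__":
    for entry in run_audit():
        status = "OK" if not entry["issues"] else ", ".join(entry["issues"])
        print(f'{entry["ts"]} {entry["actor"]:12} commit={entry["commit"]} {status}')
```

The output is the traceability record an auditor asks for (deployment time, actor, image, originating commit) plus the exceptions that need an explanation; in practice the two inputs come from the platform's deployment log and the CI system's API rather than from inline constants.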
  • 23. 7. Test preparedness with security games
    ● Training & education, including practical applications
    ● Red teaming
  • 25. Tools
    ● GitLab: on-premises Git, CI, scanning, container build/registry, deployment, dependency analysis, all integrated in RBAC
    ● Renovate: container/software dependency updates
    ● Micro Focus Fortify: SAST/DAST scanning
    ● Docker: standardized packaging & runtime
    ● Kubernetes: standardized container platform
    ● Keycloak: AAI/SSO via OIDC (OpenID Connect)/SAML/LDAP/Active Directory
    ● ELK (Elasticsearch, Logstash & Kibana): logs, indexing, access
    ● Prometheus: time-series database for metrics
    ● Crossplane: external service provisioning from Kubernetes
  • 26. Layers of abstraction (diagram; layers shown: Cloud/On-premises, Hardware, Operating System, Docker, Kubernetes, Service discovery & Load balancing, Application Server, Application)
  • 28. Benefits of Kubernetes as abstraction
    ● Free & open standard, adopted by all major vendors (Google, AWS, MSFT, Red Hat, SUSE, IBM, etc.)
    ● Available as a managed service both on-premises and in (private) cloud
    ● Provides integration in infrastructure (compute, storage, networking)
    ● Provides optional integration in platform services (e.g. DBaaS, S3)
    ● Infrastructure as code, automation, tools for DevOps processes
    ● Large ecosystem of auxiliary tooling & integration available
    ● Is being adopted as standard runtime by ISVs (Avaloq, Finnova, Abacus, Adcubum, Ergon, etc.)
  • 34. Example: Finnova AG Bankware
    ● Developer and operator of banking software used by ~100 banks
    ● Based in Lenzburg, Switzerland
    ● Founded 1974
    ● ~400 employees
  • 36. Deployment process & security (diagram)
    Pipeline stages: DEV (Repository) -> Files (Pods) -> Docker Images -> Container (OpenShift) -> Operations AM Seewen (PRD)
    Security controls shown along the pipeline: code analysis, image scanning (security & compliance policies), container hardening; at runtime: network security, monitoring, logging & reporting; code security, access, security & auditing
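“Container hardening” on the slide (and the “(hardened) container platform” of slide 17) is a checkable baseline rather than a feeling. The following is an added example, not OpenShift's or VSHN's policy engine: a small check of a Pod manifest against such a baseline, run before the pod is admitted. The field names are the real Kubernetes Pod API fields; the baseline itself and the two sample pods are constructed assumptions.

```python
"""Check a Kubernetes Pod spec against a container-hardening baseline.

Added illustration, not OpenShift's or VSHN's admission policy. The field
names are Kubernetes Pod API fields; the baseline and the sample pods are
constructed for the example.
"""
from __future__ import annotations


def check_pod(pod: dict) -> list[str]:
    """Return the baseline violations of a Pod manifest (empty list = compliant)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"pod: {flag} is enabled")
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        caps = sc.get("capabilities", {})
        # A scan result belongs to a digest; a tag can be re-pointed after the scan.
        if "@sha256:" not in image:
            violations.append(f"{name}: image not pinned by digest ({image})")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        # Unset means escalation is allowed, so the field must be explicitly false.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be inherited from the pod-level securityContext.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: root filesystem is writable")
        if "ALL" not in {d.upper() for d in caps.get("drop", [])}:
            violations.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if caps.get("add"):
            violations.append(f"{name}: capabilities added: {sorted(caps['add'])}")
    return violations


# Constructed "before": a typical first Deployment that works but is not hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bankware"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "registry.example/bankware:latest"}],
    },
}

# Constructed "after": the same workload with the baseline applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bankware"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app",
            "image": "registry.example/bankware@sha256:1111",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        problems = check_pod(pod)
        print(f"{label}: {'compliant' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The same rules are what a platform team typically encodes once in an admission controller or policy engine so that every team on the cluster inherits them; the script form is useful earlier, as a pipeline step that rejects the manifest before it ever reaches the cluster.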
  • 38. Traditional IT governance
    ● “Full stack audit”
    ● Review design document
    ● Every layer was custom built
      ○ physical hardware
      ○ handcrafted servers
      ○ manual application deployment
    ● Review each layer
    ● Review each layer again next year...
  • 39. Cloud-native IT governance
    ● Standardized components
      ○ already audited, some even externally certified
      ○ re-used, economies of scale, CMMI level 5
      ○ tech controls (AAI, RBAC, logs/SIEM) implemented once
      ○ financial controls implemented once
    ● Infrastructure: private/public cloud
    ● Ops: container orchestration platform
    ● Review design document & platform configuration
  • 40. IT governance benefits
    ● prevent configuration drift through immutable infrastructure
    ● prevent manual errors through automation and less root access
    ● security by default through automation integration
    ● compute resources billable by project
    ● self-service onboarding
    ● autoscaling, scale-down of dev envs outside office hours
    ● vendor procurement/due diligence/certification management
    ● SLA, 24x7, service process, escalation management clearly defined
  • 41. Thank you. Please get in touch with feedback: @aarnoaukia a@vs.hn https://www.linkedin.com/in/aukia/