
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wild? - A real world case study

1,360 views


Trinh Tran & Dennis Stötzel

Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world.

In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory.

We will cover the following topics in our talk:

* Evolution of our project, from four engineers in one office to fifty engineers from three continents and different backgrounds,
* Development, delivery and security as a requirement in an agile project,
* The good, the bad and the ugly in technology, architecture and infrastructure.

Published in: Technology


  1. Singapore | 28 Feb - 01 Mar 2019. Can dev, sec and ops really coexist in the wild? A real world case study. Trình Đức Trần & Dennis Stötzel
  2. Trình Đức Trần, trinh.duc.tran@mgm-tp.com, www.linkedin.com/in/tranductrinh/. Dennis Stötzel, dennis.stoetzel@mgm-sp.com, https://www.linkedin.com/in/dennis-stötzel-669421167/
  3. Content: Introduction & Business Case; Security in Agile Processes; Automated Testing; Architecture Decisions
  4. Introduction
  5. Client, broker employee, insurer employee (diagram)
  7. Client, broker employee, insurer employee; Back Office; Sales Platform; contract request (diagram)
  9. Hamburg, Munich: 1 PM, 1 BA, 1 SEC, 3 DEVs
  10. Hamburg, Munich, Đà Nẵng, Berlin: 1 PM, 6 BAs, 15 DEVs
  12. Security in Agile Processes
  13. Security responsible in a software development team
  14. Agile cycle: grooming, planning, daily standups, review, retrospective, discuss with customer (diagram)
  15. Requirements
  16. JIRA ticket, JIRA ticket, JIRA ticket
  17. JIRA tickets, a whole wall of them (diagram)
  18. Lesson learned: Scale the sec role with the dev team. 1 sec for 10-20 devs.
  19. Lesson learned: Involve security as early as possible in the process.
  20. Automated Testing
  21. Penetration testing: penetration tester, Back Office, Sales Platform (diagram)
  22. Penetration testing: penetration tester, Sales Platform, Sales Platform, Back Office (diagram)
  23. Penetration testing: penetration tester, many frontends, Sales Platform, Back Office, "?" (diagram)
  24. UI & authorization testing: broker employee, many frontends, Sales Platform, Back Office (diagram)
  26. mgm ATLAS, Burp, automation: static analysis, automated authorization tests, dependency analysis, pipeline integration
  27. Performance testing: many frontends, Sales Platform, Back Office (diagram)
  29. Lesson learned: Manual testing does not scale well. Especially not penetration testing.
  30. Lesson learned: Devs are not the right people to design test cases. True for security and feature tests.
  31. Lesson learned: A good test suite needs a great integration between dev, sec, ops and BA.
  32. Architecture Decisions
  33. Broker employee, insurer employee; several sales platforms; REST APIs; Back Office (diagram)
  34. German Sales Platform, mgm A12, insurance products
  36. German Sales Platform, mgm A12, insurance products
  39. Sales Platform CORE, A12, German Sales Platform, Sales Platform CORE, insurance products, configuration (diagram)
  41. Lesson learned: 3rd party frameworks lead to faster features but painfully slow fixing of bugs and security issues.
  42. Lesson learned: The more stakeholders are involved, the more dev and sec work becomes politics.
  43. Lesson learned: Make boring dev tasks more spicy by combining them with ops work.
  44. Questions?
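Slides 24 and 26 name "UI & authorization testing" and "automated authorization tests" for the broker / insurer roles against the Sales Platform and Back Office, and slide 31 says the test design has to come from dev, sec, ops and BA together. The following is an added example of that pattern, not code from the talk or from mgm: an access matrix written down independently of the implementation, exercised for every role against every endpoint, so that forgotten negative cases surface as test failures. The endpoint paths, the status codes and both authorization functions are assumptions made up for the example; the page only names the actors and the two systems.

```python
"""Authorization-matrix test (added example; endpoints and policy are assumptions)."""
from itertools import product

# Actors named on the slides, plus the unauthenticated caller.
ROLES = ("anonymous", "broker", "insurer")

# Hypothetical REST endpoints of the Sales Platform and the Back Office.
ENDPOINTS = (
    ("GET", "/sales/products"),
    ("POST", "/sales/contract-requests"),
    ("GET", "/backoffice/contract-requests"),
    ("POST", "/backoffice/contract-requests/{id}/approve"),
)

# Expected access matrix, maintained by sec + BA separately from the code.
# Every (role, endpoint) cell is listed explicitly so denials are tested too.
EXPECTED_ALLOWED = {
    ("anonymous", "GET", "/sales/products"): True,   # public product catalogue
    ("broker", "GET", "/sales/products"): True,
    ("insurer", "GET", "/sales/products"): True,
    ("anonymous", "POST", "/sales/contract-requests"): False,
    ("broker", "POST", "/sales/contract-requests"): True,   # brokers submit requests
    ("insurer", "POST", "/sales/contract-requests"): False,
    ("anonymous", "GET", "/backoffice/contract-requests"): False,
    ("broker", "GET", "/backoffice/contract-requests"): False,
    ("insurer", "GET", "/backoffice/contract-requests"): True,  # insurer staff review
    ("anonymous", "POST", "/backoffice/contract-requests/{id}/approve"): False,
    ("broker", "POST", "/backoffice/contract-requests/{id}/approve"): False,
    ("insurer", "POST", "/backoffice/contract-requests/{id}/approve"): True,
}


def authorize_buggy(role, method, path):
    """Stand-in for a service's authorization layer, with a typical defect:
    the approve endpoint only checks that the caller is logged in at all."""
    if path.startswith("/sales/products"):
        return 200
    if role == "anonymous":
        return 401
    if path == "/sales/contract-requests":
        return 200 if role == "broker" else 403
    if path == "/backoffice/contract-requests":
        return 200 if role == "insurer" else 403
    if path.endswith("/approve"):
        return 200  # BUG: any authenticated caller may approve
    return 404


def authorize_fixed(role, method, path):
    """Corrected layer: everything under /backoffice/ is insurer-only."""
    if path.startswith("/sales/products"):
        return 200
    if role == "anonymous":
        return 401
    if path.startswith("/backoffice/"):
        return 200 if role == "insurer" else 403
    if path == "/sales/contract-requests":
        return 200 if role == "broker" else 403
    return 404


def matrix_is_complete():
    """Guard against silently untested cells: the matrix must cover every combination."""
    return all((r, m, p) in EXPECTED_ALLOWED for r, (m, p) in product(ROLES, ENDPOINTS))


def find_violations(authorize):
    """Run every role against every endpoint; return cells whose outcome
    differs from the expected matrix as (role, method, path, expected, status)."""
    violations = []
    for role, (method, path) in product(ROLES, ENDPOINTS):
        expected = EXPECTED_ALLOWED[(role, method, path)]
        status = authorize(role, method, path)
        if (status == 200) != expected:
            violations.append((role, method, path, expected, status))
    return violations


if __name__ == "__main__":
    assert matrix_is_complete()
    for name, fn in (("buggy", authorize_buggy), ("fixed", authorize_fixed)):
        print(name, find_violations(fn) or "no violations")
```

In a real pipeline `authorize` would be replaced by an HTTP client that logs in as each role and calls the deployed service; the matrix and the loop stay the same, which is what makes the check cheap to extend when a new frontend or endpoint appears.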
