NaradaCode
CISA | Scrum Master | Devops Leader
Devops – Bad Cop or Robo Cop?
Christian Hermanus
v1.0
This document is confidential and is intended solely for the use and information of the client to whom it is addressed
Devops Implementation @ Bank
Risks of Application Development
Circular Letter of the Financial Services Authority (Surat Edaran Otoritas Jasa Keuangan) Number 21/SEOJK.03/2017, section 2.1 Introduction
- Error
- Fraud
- Data manipulation
- System misuse
- Incorrect function of the developed service
Application Development Process
Circular Letter of the Financial Services Authority Number 21/SEOJK.03/2017, section 2.3 Policies, Standards, and Procedures for Development and Procurement
1. Identify and analyze user needs
2. Define user needs
3. System planning
4. Programming
5. Testing
6. Implementation
7. Post-implementation review
8. Maintenance
Roles along the process: Business Analyst, Designer, Developer, QA, Operation
Wall of Confusion
Development | Wall of Confusion | Operation
Development: "I want change!!" Operation: "I want stability!!"
The "Wall of Confusion" between development and operations is caused by a combination of conflicting motivations, processes, and tooling.
The main reason the DevOps movement started was to address the communication challenges between Dev and Ops teams, getting teams with very different perspectives to work more effectively together.
DevOps Practices
Continuous Integration: Build → Unit Test → Deploy to Stage → Acceptance Test (acceptable for a bank)
Continuous Delivery: Build → Unit Test → Deploy to Stage → Acceptance Test → Deploy to Production, with a manual approval required before the production deploy (acceptable for a bank)
Continuous Deployment: Build → Unit Test → Deploy to Stage → Acceptance Test → Deploy to Production, fully automatic
DevSecOps, another DevOps practice
DevSecOps strives to automate core security tasks by embedding security controls and processes into the DevOps workflow.
DevSecOps originally focused primarily on automating code security and testing, but now it also encompasses more operations-centric controls.
DevOps may introduce new risk but mitigate other risk, from a technical and business perspective.
The question is not: "What is the risk of implementing DevOps?" but "What is the risk of not implementing DevOps?"
Behavior Driven Development (BDD) - Why it cares about you and why you should love it
Antony Marsh, Agile Coach
Ignite Session - DevOps Jakarta 2018
"Tests take time to write. Tests slow us down. Let's just get it out to market and fix the bugs later."
Scrum is a great framework for product development, but it can be supplemented by other good developer practices that relate more specifically to the practice of writing quality code.
Even before the Agile Manifesto, there was Extreme Programming (XP) (Kent Beck, Ward Cunningham, Ron Jeffries, c. 1996).
The TDD cycle:
1. Understand the user story
2. Write a test
3. Run the test
4. The test fails
5. Write code
6. The test fails
7. Refactor
8. The test passes
XP uses test-driven development (TDD) and refactoring to help uncover the most effective design.
TDD, unit tests, functional tests, acceptance tests - I'M CONFUSED
OK - TDD is great - but we still have a problem: how does a developer know that the tests which drive development are the right tests?
Given a user (of type) is at a location in the system (and system state is)
When the user performs an action (interacts with the system)
Then the system will execute a command and the outcome will be (output/benefit)

Given an authenticated user is on the account summary page
When the user clicks on the Transfer Money tab
Then the transfer money dialogue will be displayed
Always remember - the Three Amigos are good friends and always work closely together to understand each other and overcome problems!
Taking the next steps: automate your testing using Gherkin syntax, feature files, and automated testing using tools like Selenium.
NB: Please don't test on production.
We all love BDD
●Product Owners/Business Analysts love BDD because they can specify and determine correct system behaviour for users
●Stakeholders love BDD because they can understand Acceptance Criteria
●Developers love BDD because it gives them greater clarity on user stories and requirements, and what unit/functional tests they should write
●Testers love BDD for the same reasons, but they can also work with the BA to enhance ACs in advance of development
●Testers love BDD because they can write/use feature files and automate functional tests!
Your path to success with BDD!
●Three Amigos!!!
●Business Analyst/PO write Given/When/Then ACs
●Discuss the ACs to estimate and validate stories
●Start using Gherkin feature files to document feature behavior
●Automate your tests!
Frameworks like Scrum are simply a set of practices that apply a set of values and principles.
Organizations are complex adaptive systems, each unique with its own set of challenges, values, objectives and culture.
Can you take a framework like Scrum and make it one size fits all?
Will cultural mindset affect how practices are used? If so, how much?
Is there a universal ‘Scrum culture’?
Do underlying cultural traits prevail?
How have different cultures adopted Scrum to suit them?
Are some cultures naturally more suited to adopting Scrum than others?
No job titles, no managers, people are empowered to make decisions in their role
Company standup – no facilitators required
Sign of Openness – office keys hanging in office for access to all
Company empowered one team to decide their own pay rises
They created transparency, then created equality and devised reward system based on team members noting value adding contributions
Social aspect – they would take into account team mates personal needs.
At the University of Buenos Aires, Scrum is being used for non-software-development projects.
The University's kindergarten team works with Scrum to help with the roll-out of their new initiatives.
The documentation library also has a Scrum team working on an initiative to sign up staff and students to the documentation facilities.
Developers for Good is running an event in Buenos Aires where change agents (age 13-24) and experienced developers from the Agile community work together to create digital prototypes that have social impact.
Hackathon weekends to create digital prototypes that have social impact
Sponsored by software development companies in the local Agile community
Prototypes are often developed by the sponsors; e.g. App for people with Down Syndrome
Digital centre set up in a bank. 4 Scrum teams
Product teams – can release independently
Developers & UX work together; guerrilla testing in Starbucks. Develop what the customer wants, not what the ‘bank’ wants
Culture change for the bank employees that do not work in IT
Retail company with 14 stores
Change to get all 14 stores to work towards the same goal/ vision
Agile transformation – inspired by Lean Change Management
Experiments
Digital transformation to create transparency
To help stores to work towards the same goal
CRM real time updates of product sales etc at stores
Open source
- By investing in DevOps and build automation, 324 working days saved so far
Customer satisfaction on the new ways of working
In 2014 11% of internal clients recommended using Scrum and Agile, in 2016 this was up to 71% and in 2017 this reached a perfect 100%
On a scale from 1-5 team satisfaction regularly scores between a 4 and 5
On a scale from 1-5 customer satisfaction regularly scores between a 4 and 5
We have learnt many things ourselves, new tools and techniques for change
We continue our journey in Asia and beyond
Hello
My name is Christian Hermanus
From Naradacode
I am sure that for those who work in a bank, you are familiar with these PBI and POJK regulations
These rules are designed to mitigate the risks of information technology
One of the rules is about application development
According to these OJK regulations, there are several risks of application development
To mitigate the risk of application development, POJK establishes an application development procedure
As you can see on the slide, basically the procedure is a waterfall methodology
We have been doing application development this way since 2007
So this methodology has had a great impact on a lot of aspects of information technology at the Bank
For example, we set up the IT organization based on this methodology
In daily practice, we usually set up walls between processes, in the name of control and segregation of duties
And the walls get thicker along the process
The thickest wall is the wall between development and production
This wall has a name: the wall of confusion
Why is that?
Because the business basically provides two different missions
For the development team the mission is the ability to rapidly change the system
And for the operations team the mission is to keep the systems stable
And the one who suffers most in this situation is the IT Head
It is like riding two horses going in different directions
The solution to this situation is DevOps
DevOps breaks down the walls between the development and operations teams, unifying development and operations for better, faster outcomes
But not everybody can accept DevOps
Some people think DevOps will bypass all the controls that mitigate risk
It is a nightmare if developers can push code to the production environment without any proper control
So if waterfall is the good cop, how about DevOps?
Is it a bad cop?
Is DevOps in conflict with regulations?
Actually, DevOps has several practices
Continuous Integration and Continuous Delivery are DevOps practices that are acceptable for a bank
Let's take a look at the DevOps process
The sequence of the process is quite similar to the process according to POJK
But DevOps adds more practices and automation to each step
If we put those DevOps practices into the POJK process, we can see that the implementation of DevOps does not conflict with the POJK regulation
So we can get the benefits of DevOps and at the same time still comply with regulation
But how about security?
Security usually has the lowest priority, after functional requirements, usability and performance
In this situation security does the garbage collector's job
Don't worry
DevOps has another practice called DevSecOps
With DevSecOps, security controls and processes are embedded into the DevOps workflow.
So it is clear to us
that DevOps is not a bad cop
DevOps is RoboCop
DevOps may introduce new risk but at the same time mitigates other risk
The question is not: "What is the risk of implementing DevOps?"
but
"What is the risk of not implementing DevOps?"
Thank you for your attention
Healthy DevOps
DevOps for holiday
You can put security on the left. First you can define a secure design for your process,
do security risk assessments, and after that you can do threat modeling for your security; maybe you can use OpenSAMM from OWASP and SD Elements.
Before you go to war, we need to prepare the tools. These are good tools to explore; they are based on CVE, NVD, MITRE etc.
I think this is a simple practice to implement security in your DevOps CI/CD process.
Put your security into your pipeline.
Are you an IDE lover? You can still start security with a plugin; there are a lot of security plugins.
I need your feedback. You can send me an email and tag me on Twitter @mastositorus. A good moment also to grab some beers.