ERNESTO BETHENCOURT
At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging cloud technologies. Security is one of the main components of this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building; it’s a new culture based mainly on DevOps. So, what better opportunity to shift left and offer developers the tools they need to easily change their (and the security teams’) mindsets regarding security? In this talk we will walk you through the strategy we have adopted to expose security services that enable secure development while at the same time automating the security processes needed by security teams. All this while trying to keep to a low budget (at least for now) by leveraging vendors and open-source solutions.
7. LONDON 18-19 OCT 2018
Key Elements For This Transformation
• Internal talent
• End-to-end automation
• DevOps “philosophy”
• API and obsession to reuse
• Global communities
8. Ether is BBVA’s global banking platform, which allows developers to easily build, deploy and operate banking services of any kind by leveraging cloud
• Global Cloud Services
• Automation
• Open Source & Vendor decoupling
• Developer centric
• Hybrid cloud
• Reliability / Operability
13. What are we doing?
• SECaaS, part of the New Platform
• BBVA Labs Advanced Security
• ACS (for Legacy Platform)
• Cultural Change (Tribes/Clans)
14. Security As A Service (SECaaS)
BBVA’s SECaaS is one of the main Cloud components composing Ether.
SECaaS builds on the concept that Security can be provided on demand to the user.
SECaaS provides security embedded by default.
15. SECaaS Objectives for the SDLC
• Early Security Feedback for Developers (Shifting Left)
• Security Feedback also must be “aaS”
• Automate Security Checks & Enforcement
18. Since 2016!
Slides: https://www.rsaconference.com/writable/presentations/file_upload/asd-f01-security-as-a-service-in-a-financial-institution-reality-or-chimera.pdf
20. Our Vision
• Abstraction of Security “Solutions”
• Orchestration
• Added Value
CHIMERA
Disclaimer: vendor logos are used as an example only; we want our developers to know Chimera, not the vendors.
21. Our long term “Services” proposal (diagram)
Diagram labels: In-take, Triage, Test, Deliver; DevSecOps “Foundations”; Static, Black-box, “Manual”; DevSecOps Analytics; Blue Team Services; Security Provision; DevSecOps Threat Model; Auto-Enrollment; Continuous Monitoring; Governance; Added Value Services; Continuous Feedback & Optimization
22. Current Status (diagram)
Diagram labels: SECURITY TOOLS; CI Pipelines (i.e. Ether Pipelines); CHIMERA; Security Code Review, Docker Images Review, Secrets Review; tool logos: BANDIT, GECRETS; In-take, Analytics
23. For Dev Teams (diagram)
Diagram labels: CI Pipelines (i.e. Ether Pipelines); Docker Images Review; CHIMERA; Orchestrations + Added Value
24. Developers can access and use this information in their pipelines and in Ether’s Console
25. For Sec Teams (diagram)
Diagram labels: CI Pipelines (i.e. Ether Pipelines); Docker Images Review; CHIMERA; Orchestrations; “Security Seal”; AUTOMATIC!
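As an added illustration of the orchestration idea on these slides (not Chimera’s or BBVA’s code), the Python below normalises the output of two scanners into one finding schema and grants or denies a “Security Seal” from a single policy, so developers and security teams read the same result without needing to know which vendor tool produced it. Bandit’s JSON report layout is real; the secrets report format, the tool names and the blocking policy are assumptions.

```python
"""Toy Chimera-style orchestration: normalise two scanners' output into one
finding schema and compute a pass/fail "Security Seal" from a policy.
Illustration only, not BBVA's Chimera code. Inputs are constructed samples."""
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that produced it (abstracted away from developers)
    severity: str    # normalised to LOW / MEDIUM / HIGH
    location: str    # file:line
    summary: str

# Constructed sample in Bandit's real JSON report layout (results[] with
# issue_severity, test_id, filename, line_number, issue_text).
BANDIT_REPORT = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "filename": "app/run.py",
     "line_number": 12, "issue_text": "subprocess call with shell=True"},
    {"test_id": "B101", "issue_severity": "LOW", "filename": "app/util.py",
     "line_number": 3, "issue_text": "Use of assert detected."}]})

# Constructed, hypothetical secrets-scanner output (not gitsec's real format).
SECRETS_REPORT = json.dumps([
    {"path": "config/prod.env", "line": 7, "kind": "AWS access key"}])

def normalise_bandit(report: str) -> list[Finding]:
    return [Finding("bandit", r["issue_severity"],
                    f'{r["filename"]}:{r["line_number"]}',
                    f'{r["test_id"]}: {r["issue_text"]}')
            for r in json.loads(report)["results"]]

def normalise_secrets(report: str) -> list[Finding]:
    # Any committed secret is treated as HIGH regardless of scanner scoring.
    return [Finding("secrets", "HIGH", f'{r["path"]}:{r["line"]}',
                    f'possible {r["kind"]} committed')
            for r in json.loads(report)]

def security_seal(findings: list[Finding], block_on=("HIGH",)) -> dict:
    """Policy shared by dev and sec teams: the seal is granted automatically
    unless any finding reaches a blocking severity. Feedback is returned in
    one shape regardless of which tool flagged it."""
    blocking = [f for f in findings if f.severity in block_on]
    return {"seal": "GRANTED" if not blocking else "DENIED",
            "total": len(findings),
            "feedback": [f"[{f.severity}] {f.location} {f.summary}" for f in blocking]}

if __name__ == "__main__":
    all_findings = normalise_bandit(BANDIT_REPORT) + normalise_secrets(SECRETS_REPORT)
    print(json.dumps(security_seal(all_findings), indent=2))
```

Adding a third scanner (e.g. a Docker image review) only requires another `normalise_*` adapter; the seal policy and the developer feedback format stay unchanged.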
27. BBVA Labs - Advanced Security Labs
• “Working how to adapt security processes from the risk analysis to the security operation in the Cloud and DevOps worlds, researching and developing concept tests that can be converted into open source tools”
• Example Public Research:
• https://www.bbva.com/en/vulnerability-management-in-dependencies-in-ci-cd-environments-with-open-source-tools/
28. Example of our Public Work
https://github.com/BBVA/gitsec
https://github.com/BBVA/deeptracy
https://patton-server.readthedocs.io/en/latest/
31. ACS (Continuous Security Analysis)
• Blue Team’s Service
• BBVA’s Worldwide Service
• Free for all BBVA’s projects
• Manual, API and Jenkins library options for integrations
• Compliance compatible for some projects
• Manual results processing by a blue team member
32. Current Process (diagram)
Secure SDLC: Source Repository; Build Management; Code Analysis; Result Triage; Publish Results; Developer Feedback
35. Next Steps (2019)
• Chimera Triage and DAST MVPs
• Chimera – ACS Integrations
• BBVA Labs Tools in Chimera
• DevSecOps Ninja and TechU Tracks
• Security Champions Pilot Programs