Presenter - Peter Chestna, Veracode
If you are moving between methodologies, you are probably looking for a roadmap, or at least lessons from someone who has been through it already. Over its 10+ years, Veracode has moved from monolith to microservice and from waterfall to DevOps. We have learned a lot along the way and I’m eager to share the story.
As you consider the shift from waterfall to agile, or agile to continuous deployment and eventually DevOps, there is more to think about than just architecture. Peter Chestna, the Director of Developer Engagement at Veracode, led Veracode’s own transition from Waterfall to DevOps and in turn has helped hundreds of customers do the same.
Join us as Peter shares Veracode’s own case study: how the company re-engineered its architecture and, more importantly, the overall process, including team structure, the technologies used to build a robust pipeline, security considerations and the cultural shifts required.
3. Goals
• Development methodologies used at Veracode
– Waterfall, Agile, DevOps
– People
– Process
– Technology
– Security
• Veracode’s journey
– What did we change
– What were the results
5. Transformation – People/Org/Culture: Felt like…
Management
• Leading change
• Organizational
• Breaking the silos
• New specialties
• New skills – care & feeding
• New expectations
Individual
• Uncertainty/fear/anger
• Organizational
• New manager
• New team/peers
• New skills – X-functional
• New expectations
6. Transformation – Process: Looked like…
Most of the change occurred in Agile
• Waterfall -> Agile was revolutionary
• Agile -> DevOps was evolutionary
• Like the Monty Python theory of dinosaurs
19. Agile – Security is not limited to automation of static analysis!
• Security Champions
• Security Grooming (Requirements Review)
• Security as part of the Definition of Done
• Threat Modeling
• Secure Code Review
• Pen Testing
• Pre-Production Dynamic Analysis
26. DevOps – Security – Integrated into CD Pipeline
[Diagram: the CD pipeline with its security gates; only the labels are recoverable.]
Per Check-in: 1 Develop; 2 Backlog; 3 Build & Test; 4 Check in (Static Analysis)
CD Pipeline: 5 Build; 6 Static Analysis and Unit Tests; Pass? (No / Yes); 7 Synchronize, Deploy to Stage; 8 Dynamic Analysis and Regression Testing; Pass? Yes -> Prod
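The two “Pass?” gates on this slide, as an added example that is not from the talk or from Veracode’s tooling: a small policy-as-code gate in Python that decides whether a build may promote to stage and then to prod, and what is fed back to the backlog when it cannot. The findings, severities, CWE numbers and thresholds are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy and findings, not Veracode output or Veracode's rules.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very_high": 4}

@dataclass(frozen=True)
class Finding:
    stage: str               # gate that produced it: "static" or "dynamic"
    severity: str            # a key of SEVERITY_RANK
    cwe: int
    mitigated: bool = False  # accepted or mitigated findings do not block

@dataclass(frozen=True)
class GatePolicy:
    block_at: str  # lowest severity that fails a gate outright
    max_open: int  # open findings below block_at tolerated per gate

def evaluate_gate(findings, policy, stage):
    """One 'Pass?' decision from the slide: returns (passed, reasons)."""
    reasons = []
    open_findings = [f for f in findings if f.stage == stage and not f.mitigated]
    threshold = SEVERITY_RANK[policy.block_at]
    blocking = [f for f in open_findings if SEVERITY_RANK[f.severity] >= threshold]
    for f in blocking:
        reasons.append(f"{stage}: CWE-{f.cwe} ({f.severity}) is at or above {policy.block_at}")
    remaining = len(open_findings) - len(blocking)
    if remaining > policy.max_open:
        reasons.append(f"{stage}: {remaining} open findings exceed budget of {policy.max_open}")
    return (not reasons, reasons)

def run_pipeline(findings, policy):
    """Walk the gates in slide order (static analysis + unit tests before stage,
    dynamic analysis + regression before prod); the first failing gate stops the
    pipeline and its reasons are what gets synchronized back to the backlog."""
    deployed_to = None
    for stage, promotes_to in (("static", "stage"), ("dynamic", "prod")):
        passed, reasons = evaluate_gate(findings, policy, stage)
        if not passed:
            return {"deployed_to": deployed_to, "stopped_at": stage, "reasons": reasons}
        deployed_to = promotes_to
    return {"deployed_to": deployed_to, "stopped_at": None, "reasons": []}

SAMPLE_FINDINGS = [
    Finding("static", "medium", 89),                     # SQL injection, still open
    Finding("static", "very_high", 78, mitigated=True),  # command injection, mitigated
    Finding("dynamic", "high", 79),                      # XSS found against stage
]
DEFAULT_POLICY = GatePolicy(block_at="high", max_open=5)
```

With the sample data the static gate passes and the build reaches stage, then the dynamic gate stops it on the open high-severity CWE-79 finding.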
27. DevOps – Pervasive Security
[Diagram: security activities placed along the pipeline phases Plan, Code, Build, Test, Stage, Deploy, Monitor.]
Activities shown:
• Training (eLearning, instructor led, metadata driven)
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection
• Dynamic Application Security Testing
• Threat Modeling
• Security Grooming
• Secure Design
28. This Is Our Journey
Innovation
• Revolution at the micro level
• Evolution at the macro level
Continuous Improvement
• Always constructively dissatisfied
• Hypothesize, prototype, measure
• Sharpen the saw