Presenter - Peter Chestna, Veracode If you are moving between methodologies, you are probably looking for a roadmap or at least lessons from someone that’s been through it already. Over its 10+ years, Veracode has moved from monolith to microservice and fromwaterfall to DevOps. We have learned a lot along the way and I’m eager to share the story. As you consider the shift from waterfall to agile, or agile to continuous deployment and eventually DevOps, there is more to think about than just architecture. Peter Chestna, the Director of Developer Engagement at Veracode, led Veracode’s own transition from Waterfall to DevOps and in turn has helped hundreds of customers do the same. Join us as Peter shares his own case study, how Veracode reengineered its own architecture but more importantly the overall process including team structure, the technologies to build a robust pipeline, security considerations and the cultural shifts required.

1. November 15, 2016
A Secure DevOps Journey
Peter Chestna, Director of Developer Engagement, Veracode

2. November 15, 2016

3. • Development methodologies used at Veracode
– Waterfall, Agile, DevOps
– People
– Process
– Technology
– Security
• Veracode’s journey
– What did we change
– What were the results
Goals

4. • 2006 – Veracode founded/Waterfall
• 2012 – Agile
• 2013 – Purina
• 2014 – Microservices
• 2015 - DevOps
Veracode Timeline

5. Felt like…
Transformation – People/Org/Culture
Management
• Leading change
• Organizational
• Breaking the silos
• New specialties
• New skills – care & feeding
• New expectations
Individual
• Uncertainty/fear/anger
• Organizational
• New manager
• New team/peers
• New skills – X-functional
• New expectations

6. Looked like…
Transformation - Process
Most of the change occurred in Agile
• Waterfall -> Agile was revolutionary
• Agile -> DevOps was evolutionary
• Like the Monty Python theory of
dinosaurs

7. Waterfall
Transformation - Technology
Agile
DevOps
Not as big of a difference between stages
Just more and more automation

8. There was Waterfall
In the beginning…

9. Waterfall - Process
Finding anything
late creates a
cycle of waste

10. O
p
e
r
a
t
i
o
n
s
S
e
c
u
r
i
t
y
Q
u
a
l
i
t
y
D
e
v
e
l
o
p
m
e
n
t
A
r
c
h
i
t
e
c
t
u
r
e
R
e
q
u
i
r
e
m
e
n
t
s
Waterfall - People

11. • Gantt charts
• Text documents
• Requirements
• Architecture
• Designs
• Test plans
• Manual tests
• Manual deploy
• Shell scripts
• SQL cripts
Waterfall - Technology
Old School

12. Waterfall - Security
Occurred during
testing cycle
Back end of
process
Mostly manual
Unpredictable
amount of work

13. Coming of Age: Agile

14. Agile - Process
Copyright 2005, Mountain Goat Software

15. Agile - People
Dev/QA
ITDept
OPS
Org
Security

16. Agile – Technology Initially

17. Agile – Security – Early Days
3
Build
4
Static
Analysis
Hardening
Sprint
5
Security
Results
Security
Results
2
Check in
1
Develop
Agile
Backlog

18. 1
Develop
6
Static
Analysis
7
Synchronize
4
Check in
Static
Analysis
3
Build
& Test
2
Agile
Backlog
Agile – Security – Automated and Integrated
5
Build
Nightly

19. Agile – Security is not limited to automation of static analysis!
Security
Champions
Security
Grooming
(Requirements
Review)
Security as part
of the Definition
of Done
Threat Modeling
Secure Code
Review
Pen Testing
Pre-Productions
Dynamic
Analysis

20. Agile - Culture clash between Dev, OPS and Security

21. We Have Arrived: DevOps

22. DevOps - Process

23. DevOps - People
Break the
Silos
Reorganize
Change
the Culture

24. DevOps - Technology
Automate!
Automate!
Automate!
Feature
switching
for
controlled
rollout
Rolling
upgrades
Zero
downtime
Make
incremental
changes

25. DevOps - Security

26. 1
Develop
4
Check in
Static
Analysis
3
Build
& Test
2
Backlog
DevOps – Security – Integrated into CD Pipeline
Pass?
7
Synchronize
No Yes
7
Deploy to
Stage
6
Static
Analysis
6
Unit
Tests
8
Dynamic
Analysis
8
Regression
Testing
Pass?
Yes
Prod
Per
Check-in
5
Build
CD
Pipeline

27. Training
(eLearning, instructor led, metadata driven)
Static Application Security Testing + 3rd Party Risk Analysis
Remediation and Mitigation Guidance
Secure Code Reviews
Manual Penetration Testing
Red Team Activities
Runtime Application
Self Protection
Dynamic Application Security Testing
Plan Code Build Test Stage Deploy Monitor
Threat Modeling
Security Grooming
Secure Design
DevOps – Pervasive Security

28. This Is Our Journey
• Revolution at the micro level
• Evolution at the macro level
Innovation
• Always constructively dissatisfied
• Hypothesize, prototype, measure
• Sharpen the saw
Continuous
Improvement

29. November 15, 2016

30. Thank You
w w w . v e r a c o d e . c o m
@PeteChestna