Linux Foundation Live Webinar: Applying Governance to CI/CD
Tiffany Jachja | Technical Evangelist | Harness
Confidential / © Harness Inc. 2020
The SolarWinds Hack of 2020
Discovered in December 2020 by the cybersecurity firm FireEye
Caused by a supply chain attack: a backdoor was inserted into a SolarWinds Orion component during the build, and it shipped to customers inside a signed product update
The trojanized update reached as many as 18,000 SolarWinds customers
Resource: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
The Cost of Software Failures
$4 million per data breach correction
3.6 billion people affected
$1.7 trillion in financial losses
Resources: https://dzone.com/articles/open-source-vulnerabilities-will-they-ever-end
https://raygun.com/blog/cost-of-software-errors/
Why use a CI/CD pipeline?
[Chart: estimated cost of recovering from vulnerabilities by phase (design, development, testing, deployment); the multipliers shown are 5x, 15x and 95x, rising the later in the pipeline a vulnerability is found]
CI/CD Governance is how organizations attest to
the integrity of assets in a delivery pipeline
In this session:
Definitions
Principles of governance
Practices and tooling
Continuous Integration & Continuous Delivery
A Basic CI/CD Pipeline
Continuous Integration != Continuous Delivery
Continuous Integration: Code -> Build & Test -> Artifact
Continuous Delivery picks up the artifact and covers: Release Strategy (Basic, Rolling, Canary, Blue/Green), Rollback, Verification, Infrastructure Provisioning, Cloud Stacks, Change Management
Succeeding CI/CD
On top of the CI and CD stages above, a pipeline that succeeds also covers: Overall Visibility, Dashboards & Reporting; Secrets, Auditing & Compliance; Environment Variables & Pipeline Management; Custom Scripts
What is Governance?
What is GRC?
Governance:
Expecting the unexpected
Setting communication channels
Overseeing maintenance and achievement
Risk:
Identifying risks
Rating and prioritizing them
Mitigating them
Compliance:
Meeting expectations
Documenting and logging
Improving on the gaps
IT Governance is how organizations monitor and control IT capabilities and decisions for the delivery of value to key stakeholders.
Monitor / Control
In the build phase: coded, and ready to go?
Dependency check
Static code analysis
Container or app runtime scanners
Secret scanning
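Secret scanning, the last item in the list above, is the check most often bolted onto a build as nothing more than a keyword grep, which either misses real keys or blocks every build over a `changeme`. The following is an added example, not Harness code or code from the deck, of a build-phase secret scanner that combines token-format rules with an entropy test on the assigned value so placeholders do not fail the gate; the rule set, the entropy threshold and the sample files are all constructed for the example.

```python
"""Secret scanning as a build-phase control.

Added example (not Harness code). Looks for credential-shaped strings in
source files using two signals: known token formats (regex) and the
randomness of the assigned value (Shannon entropy), with a placeholder
list to keep 'changeme'-style values from failing the build. Patterns,
threshold and the sample files below are constructed for this example.
"""
import math
import re
from dataclasses import dataclass

# Narrow set of rules; a production scanner ships hundreds. Assumed here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = 'quoted value'; the keyword may be a suffix (DB_PASSWORD, APP_SECRET)
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 4.0   # bits/char; random hex or base64 tokens sit above this
PLACEHOLDERS = ("changeme", "example", "redacted", "xxxx", "<", "${")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    excerpt: str          # first characters only; never log the whole secret


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and (
                is_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD
            ):
                continue  # keyword matched but the value does not look like a real secret
            findings.append(Finding(path, lineno, rule, value[:4] + "..."))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents; returns every finding across them."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (no real credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'changeme'\n"                      # placeholder: must not fire
        "API_KEY = 'q7Vx9mLpA2bZt4RsK8wNc1YhJ3eFgD6u'\n"  # random-looking: must fire
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS docs sample key format
    "README.md": "Set PASSWORD = '<your-password-here>' before running.\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line} [{f.rule}] {f.excerpt}")
    # A build-phase gate exits non-zero on any finding so the pipeline stops here.
    raise SystemExit(1 if found else 0)
```

The entropy test only applies to the keyword rule; a string that already matches a vendor token format is reported regardless, because its shape is evidence enough. Findings carry a truncated excerpt on purpose: a scanner that prints the full secret into the build log has just leaked it to everyone with log access.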
Open-source software is currently used by 96 percent of the most popular applications in the enterprise market.
More than 4,000 security vulnerabilities are discovered in open-source projects a year.
Resource: https://www.zdnet.com/article/enterprise-codebases-plagued-by-open-source-vulnerabilities/
[Slide: screenshot from Microsoft's analysis of the compromised SolarWinds DLL]
Resource: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
[Figure: the infected function shown next to the original function]
Where do security vulnerabilities live?
Who has access?
In the test phase: we're packed, and ready to go!
Automated testing suites
White-box and black-box unit testing
In pre-prod environments: integration tests
Control: Unit Tests
Attestation: "All tests executed and passed."
Control: Clean Dependencies
Attestation: "All dependencies in this build are free of known security defects."
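The control/attestation pairs above are the unit of automated pipeline governance: a control evaluates evidence the pipeline already produced, and its attestation is a statement bound to one specific artifact, so it can be checked later against exactly what was promoted. As an added example (not Harness code, and not a standardized attestation format such as in-toto), the gate below runs both controls from the slide over constructed reports and fails closed when a control has no evidence at all. The report layouts, the package names, the vulnerability IDs (EXAMPLE-0001 and EXAMPLE-0002), the waiver mechanism and the `ctx` options are all assumptions made for the example.

```python
"""Pipeline gate that turns controls into attestations.

Added example (not Harness code, not a standardized attestation format).
A control evaluates evidence the pipeline already produced (a test report,
a dependency scan) and emits an attestation bound to the artifact digest,
so "all tests passed" can later be checked against the exact artifact it
was made for. Report layouts, the attestation record, package names and
vulnerability IDs below are all constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Attestation:
    control: str
    artifact_digest: str
    passed: bool
    statement: str
    evidence_digest: str   # hash of the evidence the statement was derived from


def digest(obj) -> str:
    """SHA-256 over canonical JSON, so equal evidence always hashes equal."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canon).hexdigest()


def control_unit_tests(report: dict, ctx: dict):
    """Attestation: all tests executed and passed (a skipped test was not executed)."""
    total, passed = report["total"], report["passed"]
    skipped = report.get("skipped", 0)
    ok = total > 0 and passed == total and skipped == 0
    return ok, f"{passed}/{total} tests passed, {skipped} skipped"


def control_clean_dependencies(report: dict, ctx: dict):
    """Attestation: no dependency carries a known defect above ctx['max_severity']
    (default 'low'), unless it has a waiver that has not expired as of ctx['today']."""
    today = date.fromisoformat(ctx["today"])
    max_severity = ctx.get("max_severity", "low")
    limit = SEVERITY_RANK[max_severity]
    blocking = []
    for v in report["vulnerabilities"]:
        if SEVERITY_RANK[v["severity"]] <= limit:
            continue
        waiver = v.get("waiver")
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            continue   # time-boxed exception, tracked by ticket
        blocking.append(f"{v['package']}@{v['version']} {v['id']} ({v['severity']})")
    if blocking:
        return False, "blocking defects: " + "; ".join(blocking)
    return True, f"no dependency defects above {max_severity} severity"


CONTROLS = {
    "unit_tests": control_unit_tests,
    "clean_dependencies": control_clean_dependencies,
}


def run_gate(artifact_digest: str, evidence: dict, ctx: dict):
    """Run every control; a control with no evidence fails closed."""
    attestations = []
    for name, control in CONTROLS.items():
        if name not in evidence:
            attestations.append(Attestation(name, artifact_digest, False, "no evidence produced", ""))
            continue
        ok, statement = control(evidence[name], ctx)
        attestations.append(Attestation(name, artifact_digest, ok, statement, digest(evidence[name])))
    return all(a.passed for a in attestations), attestations


# Constructed evidence for a constructed artifact.
ARTIFACT_DIGEST = "sha256:" + hashlib.sha256(b"example-app-1.4.2.tar.gz (constructed)").hexdigest()
VULN_WAIVED = {"package": "example-yaml", "version": "2.3.0", "severity": "high",
               "id": "EXAMPLE-0002", "waiver": {"ticket": "SEC-123", "expires": "2021-03-31"}}
EVIDENCE_CLEAN = {
    "unit_tests": {"total": 128, "passed": 128, "skipped": 0},
    "clean_dependencies": {"vulnerabilities": [
        {"package": "example-http", "version": "1.0.0", "severity": "low", "id": "EXAMPLE-0001"},
        VULN_WAIVED,
    ]},
}
EVIDENCE_FLAKY = {
    "unit_tests": {"total": 128, "passed": 126, "skipped": 2},
    "clean_dependencies": {"vulnerabilities": [VULN_WAIVED]},
}

if __name__ == "__main__":
    for label, ev, today in [("clean", EVIDENCE_CLEAN, "2021-01-15"),
                             ("waiver expired", EVIDENCE_CLEAN, "2021-04-01"),
                             ("skipped tests", EVIDENCE_FLAKY, "2021-01-15")]:
        ok, atts = run_gate(ARTIFACT_DIGEST, ev, {"today": today})
        print(f"{label}: {'PROMOTE' if ok else 'BLOCK'}")
        for a in atts:
            print(f"  {a.control}: {'pass' if a.passed else 'FAIL'} - {a.statement}")
```

Two design points matter for governance rather than for code. First, every attestation records a digest of the evidence it was derived from, so an auditor can ask for the report and confirm the statement was true of that report, not just that someone ticked a box. Second, exceptions are explicit and expire: a waived high-severity finding passes the gate until its date, then blocks the build again, which is what turns "we know about it" into a control instead of a permanent blind spot.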
In the deployment phase: we're provisioning, configuring, and delivering!
Testing your configurations
System tests, vulnerability scanning
Pen testing
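"Testing your configurations" is the deployment-phase control that is cheapest to automate and the one that keeps the build-phase attestations meaningful: if the manifest can pull `app:latest`, nothing guarantees the artifact deployed is the artifact the gate attested. The following is an added example, not from Harness or the deck, of a configuration test run against a Kubernetes Deployment manifest before it is applied. The policy rules and both manifests (a weak one and a hardened one) are constructed for the example, the image digest is a placeholder, and the manifests are plain Python dicts so nothing beyond the standard library is needed.

```python
"""Configuration test as a deployment-phase control.

Added example (not Harness code). Checks a Kubernetes Deployment manifest
against a small policy before it is applied: the image must be pinned by
digest (so what is deployed is what was attested), and the pod must not run
privileged, as root, on the host network, or without resource limits. The
manifests are Python dicts so no YAML library is needed; the rules and both
manifests are constructed for this example.
"""
import re

DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_container(c: dict, where: str) -> list:
    problems = []
    image = c.get("image", "")
    if not DIGEST_REF.search(image):
        problems.append(f"{where}: image {image!r} is not pinned by digest")
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        problems.append(f"{where}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        problems.append(f"{where}: runAsNonRoot is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{where}: allowPrivilegeEscalation is not false")
    if not c.get("resources", {}).get("limits"):
        problems.append(f"{where}: no resource limits")
    return problems


def check_deployment(manifest: dict) -> list:
    """Return every policy violation; an empty list means the manifest may be applied."""
    if manifest.get("kind") != "Deployment":
        return [f"unsupported kind {manifest.get('kind')!r}"]
    pod = manifest["spec"]["template"]["spec"]
    problems = []
    if pod.get("hostNetwork"):
        problems.append("pod: hostNetwork enabled")
    # Kubernetes mounts the service account token unless this is set to false.
    if pod.get("automountServiceAccountToken", True):
        problems.append("pod: service account token automounted")
    for i, c in enumerate(pod.get("containers", [])):
        problems.extend(check_container(c, f"containers[{i}] {c.get('name', '?')}"))
    return problems


def deployment(pod_spec: dict) -> dict:
    """Wrap a pod spec in the minimal Deployment envelope the checks need."""
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "example-app"},
            "spec": {"template": {"spec": pod_spec}}}


# Constructed manifests. The digest is a placeholder, not a real image.
PINNED_IMAGE = "registry.example/app@sha256:" + "0123456789abcdef" * 4

WEAK = deployment({
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "registry.example/app:latest",
                    "securityContext": {"privileged": True}}],
})

HARDENED = deployment({
    "automountServiceAccountToken": False,
    "containers": [{"name": "app", "image": PINNED_IMAGE,
                    "securityContext": {"privileged": False, "runAsNonRoot": True,
                                        "allowPrivilegeEscalation": False},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
})

if __name__ == "__main__":
    for label, m in [("weak", WEAK), ("hardened", HARDENED)]:
        problems = check_deployment(m)
        print(f"{label}: {'BLOCK' if problems else 'APPLY'}")
        for p in problems:
            print("  -", p)
```

The checks are deliberately phrased as "is not true" and "is not false" rather than "is false" and "is true": a field that is simply absent falls back to the Kubernetes default, and for these fields the default is the permissive one, so an unset field must count as a violation.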
Introducing Manual Approvals
Where can I find this in the wild?
Capital One implements what's called 16 gates.
John Willis co-authored a whitepaper in 2019 on automated pipeline governance.
Harness customers in the financial sector are doing this.
The Key Takeaways
Automated Pipeline Governance
Controlling, Understanding, and Mitigating Risk
Continuous Improvements
Thank you. Any questions?
Contact: tiffany@harness.io | @tiffanyjachja | @harnessio
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 

Recently uploaded (20)

Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 

Linux Foundation Live Webinar: Applying Governance to CI/CD

  • 1. Confidential / © Harness Inc. 2020. Applying Governance to CI/CD. Tiffany Jachja | Technical Evangelist | Harness
  • 2. The SolarWinds Hack of 2020. Discovered in December 2020 by cybersecurity firm FireEye. Resource: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
  • 3. The SolarWinds Hack of 2020. Discovered in December 2020 by cybersecurity firm FireEye. Caused by a supply chain hack. Compromised over 18,000 SolarWinds customers. Resource: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
  • 4. The Cost of Software Failures. $4 million per data breach correction; 3.6 billion people affected; $1.7 trillion in financial losses. Resources: https://dzone.com/articles/open-source-vulnerabilities-will-they-ever-end and https://raygun.com/blog/cost-of-software-errors/
  • 5. Why use a CI/CD pipeline? Phases: Design, Development, Testing, Deployment. Estimated cost of recovering from vulnerabilities: 5x, 15x, 95x.
  • 6. CI/CD Governance is how organizations attest to the integrity of assets in a delivery pipeline.
  • 7. In this session: Definitions; Principles of governance; Practices and tooling.
  • 8. Continuous Integration & Continuous Delivery
  • 9. A Basic CI/CD Pipeline
  • 10. Continuous Integration != Continuous Delivery. Continuous Integration: Code, Build & Test, Artifacts (produces an Artifact).
  • 11. Continuous Integration != Continuous Delivery. Continuous Integration: Code, Build & Test, Artifacts. Continuous Delivery: Artifact, Release Strategy (Basic, Rolling, Canary, Blue / Green), Rollback, Verification, Infrastructure Provisioning, Cloud Stacks, Change Management.
  • 12. Succeeding with CI/CD. Continuous Integration: Code, Build & Test, Artifacts. Continuous Delivery: Artifact, Release Strategy (Basic, Rolling, Canary, Blue / Green), Rollback, Verification, Infrastructure Provisioning, Cloud Stacks, Change Management. Across the pipeline: Overall Visibility, Dashboards & Reporting; Secrets, Auditing & Compliance; Environment Variables & Pipeline Management; Custom Scripts.
  • 13. What is Governance?
  • 14. What is GRC? Governance: expecting the unexpected; setting communication channels; overseeing maintenance and achievement.
  • 15. What is GRC? Risk: identifying risks; rating and prioritizing them; mitigating them.
  • 16. What is GRC? Compliance: meeting expectations; documenting and logging; improving on the gaps.
  • 17. IT Governance is how organizations monitor and control IT capabilities and decisions for the delivery of value to key stakeholders.
  • 18. Monitor. Control.
  • 19. In the build phase: coded, and ready to go? Dependency check; static code analysis; container or app runtime scanners; secret scanning.
  • 20. Open-source software is currently used by 96 percent of the most popular applications in the enterprise market. More than 4000 security vulnerabilities are discovered in open-source projects a year. Resource: https://www.zdnet.com/article/enterprise-codebases-plagued-by-open-source-vulnerabilities/
  • 21. Resource: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
  • 22. [Figure: infected function compared with the original function]
  • 23. Where do security vulnerabilities live?
  • 24. Who has access?
  • 25. In the test phase: we're packed, and ready to go! Automated testing suites; white and black box unit testing; in pre-prod environments: integration tests.
  • 26. Control: Unit Tests. Attestation: "All tests executed and passed."
  • 27. Control: Unit Tests. Attestation: "All tests executed and passed." Control: Clean Dependencies. Attestation: "All dependencies in this build are free of known security defects."
  • 28. In the deployment phase: we're provisioning, configuring, and delivering! Testing your configurations; system tests; vulnerability scanning; pen testing.
  • 29. Introducing Manual Approvals
  • 30. (slide image only, no text)
  • 31. (slide image only, no text)
  • 32. Where can I find this in the wild? Capital One implements what's called 16 gates.
  • 33. Where can I find this in the wild? Capital One implements what's called 16 gates. John Willis co-authored a whitepaper in 2019 on automated pipeline governance.
  • 34. Where can I find this in the wild? Capital One implements what's called 16 gates. John Willis co-authored a whitepaper in 2019 on automated pipeline governance. Harness customers in the financial sector are doing this.
  • 35. The key takeaways: Automated Pipeline Governance; Controlling, Understanding, and Mitigating Risk; Continuous Improvements.
  • 36. @tiffanyjachja. Thank you. Any questions? Contact: tiffany@harness.io. @harnessio
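The control/attestation pairs on slides 26 and 27 and the manual approval gate on slide 29 describe a pattern that is easy to make concrete: each control inspects the evidence a build produced and either issues its attestation or blocks the pipeline. The example below is an added illustration, not code from the talk or from Harness; the evidence format, the build id, the dependency names and the placeholder vulnerability id are all constructed, and the rule that an approver may not be the committer is an added assumption, not a claim the slides make.

```python
"""Pipeline governance gate: each control inspects build evidence and emits an
attestation; the gate opens only when every control's attestation holds."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


def sample_build_evidence(vulnerable_dependency: bool = True, approvers=()) -> dict:
    """Constructed evidence a CI job might publish for one build. The shape is
    hypothetical; real pipelines fill this from test runners, SCA and secret
    scanners. All names and ids below are placeholders."""
    return {
        "build_id": "build-0001",
        "committer": "alice",
        "tests": {"executed": 128, "passed": 128, "failed": 0},
        "dependencies": [
            {"name": "libfoo", "version": "1.2.3", "known_vulns": []},
            {"name": "libbar", "version": "0.9.0",
             "known_vulns": ["EXAMPLE-VULN-0001"] if vulnerable_dependency else []},
        ],
        "secret_scan": {"findings": 0},
        "approvals": list(approvers),   # who signed off on the deployment
    }


@dataclass(frozen=True)
class Attestation:
    control: str
    passed: bool
    statement: str      # the claim the control makes when it passes
    detail: str = ""    # evidence summary, kept for the audit log


def unit_tests_control(ev: dict) -> Attestation:
    """Slide 26: 'All tests executed and passed' requires that tests actually ran."""
    t = ev["tests"]
    ok = t["executed"] > 0 and t["failed"] == 0 and t["passed"] == t["executed"]
    return Attestation("Unit Tests", ok, "All tests executed and passed.",
                       f"{t['passed']}/{t['executed']} passed, {t['failed']} failed")


def clean_dependencies_control(ev: dict) -> Attestation:
    """Slide 27: any dependency with a known defect fails the whole build."""
    flagged = [f"{d['name']}@{d['version']}: {', '.join(d['known_vulns'])}"
               for d in ev["dependencies"] if d["known_vulns"]]
    return Attestation("Clean Dependencies", not flagged,
                       "All dependencies in this build are free of known security defects.",
                       "; ".join(flagged) or f"{len(ev['dependencies'])} dependencies clean")


def secret_scan_control(ev: dict) -> Attestation:
    """Slide 19 lists secret scanning as a build-phase check."""
    n = ev["secret_scan"]["findings"]
    return Attestation("Secret Scanning", n == 0,
                       "No credentials were found in the source tree.", f"{n} finding(s)")


def manual_approval_control(ev: dict, required: int = 1) -> Attestation:
    """Slide 29's manual approval as a deployment-phase control. Excluding the
    committer from the approver set is an added separation-of-duties assumption."""
    approvers = {a for a in ev["approvals"] if a != ev["committer"]}
    return Attestation("Manual Approval", len(approvers) >= required,
                       f"Release approved by {required} independent reviewer(s).",
                       f"approvers: {sorted(approvers) or 'none'}")


BUILD_CONTROLS: list[Callable[[dict], Attestation]] = [
    unit_tests_control, clean_dependencies_control, secret_scan_control]
DEPLOY_CONTROLS: list[Callable[[dict], Attestation]] = BUILD_CONTROLS + [manual_approval_control]


def evaluate_gate(ev: dict, controls) -> tuple[bool, list[Attestation]]:
    """Run every control and open the gate only if all attestations hold. All
    controls are evaluated, not short-circuited, so the report shows every gap."""
    results = [c(ev) for c in controls]
    return all(a.passed for a in results), results


def render_report(ev: dict, results: list[Attestation]) -> str:
    """Audit-log lines: one per control, with the attestation text when it holds
    and the evidence detail when it does not."""
    lines = [f"build {ev['build_id']}"]
    for a in results:
        status = "PASS" if a.passed else "FAIL"
        lines.append(f"  [{status}] {a.control}: {a.statement if a.passed else a.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, ev, controls in [
        ("build gate", sample_build_evidence(), BUILD_CONTROLS),
        ("deploy gate", sample_build_evidence(False, approvers=["alice", "bob"]), DEPLOY_CONTROLS),
    ]:
        ok, results = evaluate_gate(ev, controls)
        print(f"{name}: {'PROCEED' if ok else 'BLOCKED'}\n{render_report(ev, results)}")
```

The first run blocks on the constructed vulnerable dependency even though the tests are green, which is the point of pairing a control with a specific attestation: a green test suite attests only to what the tests cover. The deployment gate reuses the build controls and adds the approval check, so the same evidence record carries the whole chain of attestations for the audit trail.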