
DevSecCon London 2018: Enabling shift-left for 12k banking developers from scratch and without breaking the bank


ERNESTO BETHENCOURT
At BBVA we are developing the Bank's next global banking platform for building, deploying and running banking services of any kind, leveraging cloud technologies. Security is one of the main components of this new platform and is expected to be self-service and easy to use. But it is not only technology we are building; it is a new culture based mainly on DevOps. So, what better opportunity to shift left and offer developers the tools they need to easily change their (and the security teams') mindsets regarding security? In this talk we walk you through the strategy we have adopted to expose security services that enable secure development while at the same time automating the security processes needed by security teams, all while trying to keep to a low budget (at least for now) by leveraging vendors and open-source solutions.

Published in: Technology

  1. LONDON 18-19 OCT 2018: Enabling shift-left for 12k banking developers from scratch and without breaking the bank. Ernesto Bethencourt
  3. Ernesto Bethencourt, Product Owner for Chimera
  5. Source: https://www.bbva.com/en/corporate-information/the-transformation-of-bbva/
  6. *12k Developers
  7. Key Elements For This Transformation
     • Internal talent
     • End-to-end automation
     • DevOps "philosophy"
     • API and obsession to reuse
     • Global communities
  8. Ether is BBVA's global banking platform, which allows developers to easily build, deploy and operate banking services of any kind by leveraging cloud.
     • Global Cloud Services
     • Automation
     • Open Source & Vendor decoupling
     • Developer centric
     • Hybrid cloud
     • Reliability / Operability
  13. What are we doing?
     • SECaaS, part of the New Platform
     • BBVA Labs Advanced Security
     • ACS (for Legacy Platform)
     • Cultural Change (Tribes/Clans)
  14. Security As A Service (SECaaS). BBVA's SECaaS is one of the main Cloud components composing Ether. SECaaS builds on the concept that security can be provided on demand to the user; SECaaS provides security embedded by default.
  15. SECaaS Objectives 4 SDLC
     • Early Security Feedback for Developers (Shifting Left)
     • Security Feedback also must be "aaS"
     • Automate Security Checks & Enforcement
  16. TOOLS! TOOLS EVERYWHERE! DEVELOP A PRODUCT
  17. CHIMERA
  18. Since 2016! Slides: https://www.rsaconference.com/writable/presentations/file_upload/asd-f01-security-as-a-service-in-a-financial-institution-reality-or-chimera.pdf
  19. SELF-SERVICE 4 DEV TEAMS / SERVICES 4 SECURITY TEAMS
  20. Our Vision (CHIMERA)
     • Abstraction of Security "Solutions"
     • Orchestration
     • Added Value
     Disclaimer: vendor logos are used as an example only; we want our developers to know Chimera, not the vendors.
  21. Our long-term "Services" proposal (diagram labels): In-take, Triage, Test, Deliver; DevSecOps "Foundations"; Static, Black-box, "Manual"; DevSecOps Analytics; Blue Team Services; Security Provision; DevSecOps Threat Model; Auto-Enrollment; Continuous Monitoring; Governance; Added Value Services; Continuous Feedback & Optimization
  22. Current Status (diagram labels): SECURITY TOOLS; CI Pipelines (i.e. Ether Pipelines); CHIMERA; Security Code Review; Docker Images Review; Secrets Review; BANDIT; GECRETS; In-take; Analytics
  23. 4 Devs Teams (diagram labels): CI Pipelines (i.e. Ether Pipelines); Docker Images Review; CHIMERA; Orchestrations + Added Value
  24. Developers can access and use this information on their pipelines and in Ether's Console
  25. 4 Sec Teams (diagram labels): CI Pipelines (i.e. Ether Pipelines); Docker Images Review; CHIMERA; "Security Seal" Orchestrations. AUTOMATIC!
  27. BBVA Labs - Advanced Security Labs
     • "Working how to adapt security processes from the risk analysis to the security operation in the Cloud and DevOps worlds, researching and developing concept tests that can be converted into open source tools"
     • Example Public Research: https://www.bbva.com/en/vulnerability-management-in-dependencies-in-ci-cd-environments-with-open-source-tools/
  28. Example of our Public Work
     • https://github.com/BBVA/gitsec
     • https://github.com/BBVA/deeptracy
     • https://patton-server.readthedocs.io/en/latest/
  29. Deep Tracy + Patton
  31. ACS (Continuous Security Analysis)
     • Blue Team's Service
     • BBVA's Worldwide Service
     • Free for all BBVA's projects
     • Manual, APIs and Jenkins library options for integrations
     • Compliance compatible for some projects
     • Manual results processing by a blue team member
  32. Current Process (Secure SDLC): Source Repository → Build Management → Code Analysis → Result Triage → Publish Results → Developer Feedback
  33. Culture: Tribes and Clans
  35. Next Steps (2019)
     • Chimera Triage and DAST MVPs
     • Chimera – ACS Integrations
     • BBVA Labs Tools in Chimera
     • DevSecOps Ninja and TechU Tracks
     • Security Champions Pilot Programs
  37. https://www.bbvanexttechnologies.com/
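The "Current Status" tool set (security code review, Docker image review and secrets review wired into CI pipelines) and the "Current Process" flow (code analysis, result triage, publish results, developer feedback) describe one shift-left pipeline. The following is an added illustration of that flow in Python; it is not code from BBVA, Chimera or ACS. The rule sets, the accepted-findings baseline, the "security seal" format and the sample repository are all constructed for the example, and a real pipeline would call tools such as Bandit or a secrets scanner instead of the regexes here.

```python
"""Constructed model of a shift-left security gate: run checks, triage, publish a seal."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str  # "HIGH", "MEDIUM" or "LOW"
    path: str
    line: int      # 0 when the finding applies to the whole file
    message: str


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Hypothetical rule sets standing in for real scanners (e.g. Bandit for code review).
SECRET_RULES = {
    "hardcoded-aws-key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    "hardcoded-password": (re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]{6,}['\"]"), "HIGH"),
}
CODE_RULES = {
    "shell-true": (re.compile(r"shell\s*=\s*True"), "HIGH"),
    "eval-call": (re.compile(r"\beval\s*\("), "MEDIUM"),
    "weak-hash-md5": (re.compile(r"hashlib\.md5\("), "LOW"),
}


def scan_lines(tool, rules, path, text):
    """Line-oriented scan: one Finding per (line, matching rule)."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, severity) in rules.items():
            if pattern.search(line):
                out.append(Finding(tool, rule, severity, path, lineno, line.strip()))
    return out


def review_dockerfile(path, text):
    """Docker image review: unpinned base images and containers that run as root."""
    out = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        unpinned = re.match(r"\s*FROM\s+\S+:latest\b", line) or re.match(r"\s*FROM\s+[^:\s]+\s*$", line)
        if unpinned:
            out.append(Finding("docker-review", "unpinned-base-image", "MEDIUM", path, lineno, line.strip()))
    if not any(l.strip().upper().startswith("USER ") for l in lines):
        out.append(Finding("docker-review", "runs-as-root", "MEDIUM", path, 0,
                           "no USER instruction; container runs as root"))
    return out


def run_checks(repo):
    """Code Analysis stage: orchestrate every check over a {path: content} repository."""
    findings = []
    for path, text in repo.items():
        findings += scan_lines("secrets-review", SECRET_RULES, path, text)
        if path.endswith(".py"):
            findings += scan_lines("code-review", CODE_RULES, path, text)
        if path.rsplit("/", 1)[-1] == "Dockerfile":
            findings += review_dockerfile(path, text)
    return findings


def triage(findings, accepted):
    """Result Triage stage: drop (rule, path) pairs the security team already reviewed."""
    return [f for f in findings if (f.rule, f.path) not in accepted]


def security_seal(findings, fail_at="HIGH"):
    """Publish Results stage: a pass/fail seal plus per-finding developer feedback."""
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]]
    return {
        "seal": "PASS" if not blocking else "FAIL",
        "blocking": len(blocking),
        "total": len(findings),
        "feedback": [f"{f.path}:{f.line} [{f.severity}] {f.tool}/{f.rule}: {f.message}" for f in findings],
    }


# Constructed sample repository; the AWS key is the documented AWS example key, not a real one.
SAMPLE_REPO = {
    "app/config.py": "DB_USER = 'svc'\npassword = 'Sup3rSecret!'\n",
    "app/main.py": "import subprocess\nsubprocess.run(cmd, shell=True)\nimport hashlib\nhashlib.md5(b'x')\n",
    "Dockerfile": "FROM python:latest\nENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nCOPY . /app\n",
}


def pipeline(repo=SAMPLE_REPO, accepted=frozenset()):
    """Whole flow: analysis -> triage -> seal. Returns the published result."""
    return security_seal(triage(run_checks(repo), accepted))


if __name__ == "__main__":
    for line in pipeline()["feedback"]:
        print(line)
    print("seal:", pipeline()["seal"])
```

Running it on the sample repository produces six findings, three of them HIGH, so the seal is FAIL; accepting the MD5 finding through the baseline removes one LOW finding without changing the verdict, which is the point of keeping triage separate from the gate.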