Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.
Flight East 2018 Presentation–Black Duck at Docusign
1. Black Duck @ DocuSign
Scott M. Johnson
Lead PM – Technical Compliance
How DocuSign uses BlackDuck for
DevOps, AppSec and Compliance
2. DocuSign is now a verb
The industry leader in signing is now building
the first end-to-end digital System of Agreement
3. 430,000 Customers – 350 Million users – 1 Million documents/day
High Performance Architecture at DocuSign
• 1.1 M+ transactions per day
• 100s of Gbps of network bandwidth
• 6,000+ Blob trx/sec
• 150TB+ of PCI flash storage powering our OLTP system
• Thousands of drives, tens of PBs of storage
• 4.5K+ HTTP requests/sec
• >99.99% uptime
4. Platform Security is Core to our Mission
Hardware & Infrastructure
• Geo-dispersed data centers
• Near real-time data replication
• Round-the-clock security
Systems & Operations
• Separate corporate, development and production networks
• Active 24/7 monitoring and alerting
• Data stored up to nine times across geographically disparate locations
Applications & Access
• Customer control over account authentication options
• Multiple recipient authentication options
• Layers of auditing, including digital audit trails and logging capabilities
Transmission & Storage
• Anti-tampering controls on documents
• Reliable, systematic capture of signing data
• Cloud and on-premises solutions
7. DocuSign Complies With the Top Security and Privacy Standards
• Global Security Gold Standard: Full ISO 27001:2013
• Standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• First company to be compliant with the xDTM Standard, v.1.0, a standard focused on quality for Digital Transaction Management
• DocuSign adheres to the requirements of the European Union’s General Data Protection Regulation (GDPR)
• SOC 1 Type 2: Audit report on controls relevant to financial reporting; verifies operating effectiveness
• SOC 2 Type 2: Audit report covers security, availability, processing integrity, confidentiality
• Data Security Standard for handling credit card information. DocuSign compliant as both service provider and merchant
• Approved DocuSign Binding Corporate Rules (BCR) as a data Controller and Processor, sponsored by the Irish Data Protection Commissioner
10. Top 10 Challenges of OSS Governance
1) Creating accurate reports of what is actually shipping in a complex dev environment.
2) Implementing a Patching Policy without disrupting new features
3) Compiled binaries in GitHub. Arg!
4) 10 year old code is still in the system - POC / Dead Code / Unshipped repos
5) Some GitHub code not actually shipping, or team ships from a sub branch
6) Identifying ownership and non-ownership
7) Integrating with SonarQube, Fortify, Nessus scanning to augment results.
8) AGPL converted to commercial – Still detected as AGPL
9) Refreshing all data while persisting exceptions, ignores and license updates.
24. Automate the creation of compliance evidence:
BlackDuck, Jenkins, GitHub, SonarQube, Artifactory and DocuSign
• Automatically sync and scan code bases, builds and release artifacts
• Annotate risks for developers in SonarQube and Artifactory
• Create DocuSign embedded component authorization forms for AppSec + architecture leads
• Auto-generate DocuSign envelopes for quarterly authorization signoffs for each project
• Build quarterly inventory for compliance evidence with signoff from VP and deputy risk managers
• SQL Import jobs to automatically link ownership with binaries and produce Power BI reports
• Scan every PR for new components and follow up with developers and teams.
• AI?
In-progress Aspirations: API Mashups!
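Two of the governance challenges on slide 10 (a commercially relicensed component still detected as AGPL, and keeping exceptions alive across a full data refresh) and the ownership-linking step on slide 24 come down to the same merge logic. The following is an added example, not DocuSign's or Black Duck's code: it re-applies a persisted exception table to a freshly refreshed component inventory, attaches an owner to each finding, and flags only the strong-copyleft components that still lack an approved exception. The scan record fields, component names and ownership table are constructed for the example and are not the Hub's real export schema.

```python
"""Re-apply persisted license exceptions after a scan refresh (added example)."""
import json

# Constructed scan output after a full refresh; field names are assumptions,
# not Black Duck Hub's actual export format.
FRESH_SCAN = json.loads("""[
 {"project": "esign-web",   "component": "pdf-render", "version": "5.1.0", "license": "AGPL-3.0"},
 {"project": "esign-web",   "component": "left-pad",   "version": "1.3.0", "license": "MIT"},
 {"project": "billing-svc", "component": "doc-store",  "version": "4.0.1", "license": "AGPL-3.0"}
]""")

# Persisted exceptions are keyed by (component, version), not by scan run, so
# they survive a refresh. pdf-render was relicensed commercially (slide 10, #8),
# but the scanner still reports the public AGPL license.
EXCEPTIONS = {
    ("pdf-render", "5.1.0"): {"license_override": "Commercial", "approved_by": "appsec-lead"},
}

# Constructed ownership table, standing in for the SQL import that links
# ownership to binaries (slide 24). Unmapped projects surface as UNOWNED (slide 10, #6).
OWNERS = {"esign-web": "team-signing", "billing-svc": "team-billing"}

STRONG_COPYLEFT = ("AGPL-3.0",)


def apply_exceptions(scan, exceptions=EXCEPTIONS, owners=OWNERS):
    """Return the refreshed inventory with overrides and owners re-attached."""
    inventory = []
    for c in scan:
        row = dict(c)
        exc = exceptions.get((c["component"], c["version"]))
        row["effective_license"] = exc["license_override"] if exc else c["license"]
        row["exception"] = exc
        row["owner"] = owners.get(c["project"], "UNOWNED")
        inventory.append(row)
    return inventory


def copyleft_findings(inventory, flagged=STRONG_COPYLEFT):
    """Components still carrying a flagged license and no approved exception."""
    return [r for r in inventory if r["effective_license"] in flagged and not r["exception"]]


if __name__ == "__main__":
    for f in copyleft_findings(apply_exceptions(FRESH_SCAN)):
        print(f"{f['project']} ({f['owner']}): {f['component']} {f['version']} "
              f"is {f['effective_license']} with no approved exception")
```

Because the exception table is keyed by component rather than by scan run, a full refresh can drop and reload every scan record without losing the override or the approver who signed it.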
27. Regular Assessment Activities
| Activity | Cadence | Requirement | Scope |
| Vulnerability Scanning | Monthly | ISO/PCI/FedRAMP, Customer | All DocuSign systems |
| ASV Scanning | Quarterly | PCI | PCI Scope |
| Release Scanning | Monthly | ISO/PCI/FedRAMP, Customer | Primary Products |
| Go Live Scanning | On Demand | ISO/PCI/FedRAMP | New dynamic web sites |
| Website Scan | On Demand | ISO/PCI/FedRAMP | All DocuSign web sites |
| Website Malware and Change Monitoring | Daily | ISO/PCI/FedRAMP | All DocuSign web sites |
| Server Acceptance | On Demand | ISO/PCI/FedRAMP | New DocuSign systems |
| Pentest | Annual | PCI/ISO/FedRAMP | PCI Scope |
28. 3rd Party Security Tooling
| Product | Area | Scope |
| BlackDuck Hub | Open source vulnerabilities, licenses, operational risks, patch levels and attribution | Open Source in GitHub, Compiled apps, Jenkins, Artifactory |
| Tenable Security Center and Nessus Scanners | Network and OS vulnerability scanning | All DocuSign systems |
| Rapid 7 AppSpider / Arachni | Web application and release scanning / Dynamic Analysis | Primary Products / New dynamic websites |
| Risk IQ | Web application inventory management | All DocuSign websites |
| HP Fortify | Static code analysis | Primary Products |
| Burp Suite | Dynamic application scanning and penetration testing tool | Primary Products / PenTests |
29. Delivering World-Class Security
Platform and Architecture Overview
World-Class Security Program
Governance, Risk, and Compliance
• Security strategy
• Security policies
• Security council
• SDLC security
• Threat & Vulnerability mgmt
• Information assurance
Endpoint Security
• Security tools architecture
• Intel security suite
• Data leakage prevention
• Malware protection
Monitoring, Defense, and Incident Response
• 24/7 security ops center
• Correlation ranking and escalation of security events
Managed Services
• Vendor security life-cycle compliance program
Physical Security
• Data centers & offices
• People security & safety
• Badging
• Cameras
• Sign-in process
30. The DocuSign Security Program
Delivering World-Class Security
People
• Comprehensive cross-functional security expertise
• Industry thought leadership
• Extensive security and privacy training
Platform and Operations
• Customer control over account authentication options
• Multiple recipient authentication options
• Layers of auditing and logging capabilities
Processes
• Expansive, holistic protection program with incident response, endpoint security, physical security, privacy and compliance
• Internationally recognized security standards and certifications