For most of us, compliance audits are painful processes that interfere with our ability to do our job – building and delivering software – and steal time and resources away from that next great innovation. Until now.
The XebiaLabs Software Chain of Custody provides everything you need to visualize, monitor, and prove the integrity of your software delivery pipelines on demand. Push the button, get the report. You’re done. No more audit hell.
Learn how a Software Chain of Custody helps:
▪ DevOps teams focus on doing what they love, rather than wasting valuable time putting together audit reports
▪ Executives gain full visibility into release pipelines so they can stop losing sleep over governance and security audits
▪ InfoSec teams and auditors instantly get the reports they need so they can quickly approve releases
Housekeeping
▪ This webinar is being recorded
▪ Links to the slides and the recording will be made available after the presentation
▪ You can post questions via the GoToWebinar Control Panel
▪ Hundreds of companies deliver software with XebiaLabs - faster, safer and more customer focused
▪ End-to-end Agile + DevOps platform providing intelligence, automation and control across the entire software lifecycle
▪ Agile Planning, Continuous Delivery and DevOps pioneer, authority and technology leader
▪ Global teams in the US, Europe & APAC
▪ Enterprise Agile Planning, Application Release Orchestration, Value Stream Management
Meet Your Presenters
Andreas Prins, VP Product Strategy, XebiaLabs
Dan Beauregard, VP Cloud and DevOps Evangelist, XebiaLabs
Agenda
▪ Defining Chain of Custody
▪ 3 layers of the Software Chain of Custody
▪ 4 common patterns to avoid
▪ How to get started
− Automation and acceleration in the modern era
▪ Q&A
A couple of poll questions along the way
What the software development industry can learn from other industries about the Chain of Custody
Understanding the business chain: Focus on relationships, from vision to execution
▪ A business chain often needs to be stretched earlier into the process to gain full visibility on why, and with what purpose, activities are executed
▪ Truly understanding and measuring whether goals are achieved is often hard, but worth it to build a cycle of validation
Goal setting → Define / Ideate → Plan and execute → Value validation and measurement
Build your own business chain: An exercise to execute within your departments and teams
The Value-Stream-Mapping technique from Lean manufacturing is a useful instrument to understand your chain of custody in the first place.
1. Identify the process steps
2. Describe for each step the outcomes (artifacts)
3. List the actors that are involved
4. Identify where 1-2-3 are documented
Understand your own business chain: Identify the process steps
Process
  Goal setting: Quarterly goal setting and evaluation; (Strategic) portfolio investment distribution
  Define: Customer problem investigation; Solution direction definition
  Plan and execute: Quarterly roadmap refinement; Quarterly program increment planning; Bi-weekly execution through Scrum
Understand your own business chain: Describe the outcomes (artifacts) for each step
Process
  Goal setting: Quarterly goal setting and evaluation; (Strategic) portfolio investment distribution
  Define: Customer problem investigation; Solution direction definition
  Plan and execute: Quarterly Product roadmap refinement; Quarterly program increment planning; Bi-weekly execution through Scrum
Artifacts
  Goal setting: Updated strategic themes; Updated portfolio budgets; Updated Portfolio vision; Updated Program roadmap
  Define: Personas; Empathy maps; Problem definition; Journey Maps; Story Maps; Prototype; Designs
  Plan and execute: Updated product roadmap; Updated architectural runway; Defined themes and Epics; Product Increment planning (session); PI Objectives; System Demo(s); Refined Epics; Defined Features; Refined Features; Refined stories; Sprint Demos; Working software
Understand your own business chain: List the actors that are involved
Process
  Goal setting: Quarterly goal setting and evaluation; (Strategic) portfolio investment distribution
  Define: Customer problem investigation; Solution direction definition
  Plan and execute: Quarterly Product roadmap refinement; Quarterly program increment planning; Bi-weekly execution through Scrum
Artifacts
  Goal setting: Updated strategic themes; Updated portfolio budgets; Updated Portfolio vision; Updated Program roadmap
  Define: Personas; Empathy maps; Problem definition; Journey Maps; Story Maps; Prototype; Designs
  Plan and execute: Updated product roadmap; Updated architectural runway; Defined themes and Epics; Product Increment planning (session); PI Objectives; System Demo(s); Refined Epics; Defined Features; Refined Features; Refined stories; Sprint Demos; Working software
Actors
  Goal setting: Management Team; Line Management; Product Team; Line Management
  Define: Epic Owners; Enterprise Architect; Business Owners; Product Management; UX Team
  Plan and execute: System Arch.; Product Owner; Product Management; Business Owner; Agile Teams; Scrum Master; Product Owner; Business Owner; Scrum Master; Product Owner; Agile/Dev Team
Understand your own business chain: Identify where everything is documented
Poll #1
How mature is your business chain of custody?
Runs like a well-oiled machine - we know all the data points
1/2 automated and 1/2 manual - most data points are known
Lacking data to complete the chain
Don’t even know where to look
The technology chain has radically transformed in the last few years
Automation through CI/CD and Cloud Technologies…
▪ Empowers organizations to deliver software more frequently
▪ Has enabled companies to have a full chain of connected activities
▪ Allows different personas to collaborate at various points in the chain
▪ Creates a lot of data about what happened, when it happened, how it happened
Technology chain stages: Source control repository, Build, Package, Non-prod deployment, Prod deployment, Dependency management, Artifact repository, Monitor deployed
Source: IT Revolution, DevOps Automated Governance Reference Architecture
Asset Integrity depends on both product inspection and process inspection
Product inspection; Process inspection
Automation must also focus on software asset integrity
Traceability—Is every software artifact stamped with a unique identifier that
can be verified as the artifact moves through environments?
Performance—Does the software perform as it should? Can you detect
whether performance is degrading over time?
Security—Is the software protected from data breaches and other security
violations? Can you detect if and when security is compromised?
Scalability—Can you increase capacity on the fly by adding physical servers,
virtual machines, container instances, or pods?
Product Inspection: Building product inspection into your technology chain
Integrate security into all stages of the DevOps toolchain
Poll #2
How mature is your technology chain of custody?
Runs like a well-oiled machine - we know all the data points
1/2 automated and 1/2 manual - most data points are known
Lacking data to complete the chain
Don’t even know where to look
Process Inspection: Build IT auditing into your governance chain
Create a governance chain that has the following qualities:
▪ Usable by both technical and non-technical users
▪ Each control, actor, and action should be uniquely verifiable
▪ Software should be traceable through all stages without DevOps intervention
▪ The audit log should be immutable
Source: IT Revolution, DevOps Automated Governance Reference Architecture
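The qualities listed on this slide, together with the traceability question from slide 23 (is every artifact stamped with a unique identifier that can be verified as it moves through environments?), can be checked mechanically. The Python below is an added example, not code from the deck or from XebiaLabs: each stage's actor, action and control are appended to a hash-linked log, the artifact is identified by its SHA-256 digest, and verify() reports a digest that changed between stages or a past entry that was rewritten. The stage names follow the reference architecture above; actor names, control names, timestamps and the package bytes are constructed.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry
# Constructed sample artifact; in practice these are the built package's bytes.
PACKAGE = b"example-service-1.4.2.tar.gz (constructed sample contents)"

def artifact_digest(data: bytes) -> str:
    """The artifact's unique identifier: its SHA-256 digest (hex)."""
    return hashlib.sha256(data).hexdigest()

def _hash_entry(fields: dict) -> str:
    # Canonical JSON so identical fields always hash identically.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def record(log: List[dict], stage: str, actor: str, action: str,
           artifact: str, control: str, timestamp: str) -> None:
    """Append one custody entry (where, who, what, which control, when), linked by hash to the previous entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    fields = {"stage": stage, "actor": actor, "action": action,
              "artifact": artifact, "control": control,
              "timestamp": timestamp, "prev_hash": prev}
    log.append(dict(fields, entry_hash=_hash_entry(fields)))

def verify(log: List[dict]) -> List[str]:
    """Return findings; an empty list means the chain of custody is intact."""
    findings, prev, artifact = [], GENESIS, None
    for i, e in enumerate(log):
        where = f"entry {i} ({e['stage']})"
        fields = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev:
            findings.append(f"{where}: broken link to previous entry")
        if _hash_entry(fields) != e["entry_hash"]:
            findings.append(f"{where}: entry contents were altered")
        artifact = artifact or e["artifact"]  # digest must stay the same at every stage
        if e["artifact"] != artifact:
            findings.append(f"{where}: artifact digest changed since previous stage")
        prev = e["entry_hash"]
    return findings

def build_log(prod_artifact: Optional[str] = None) -> List[dict]:
    """Walk one artifact through stages of the technology chain (constructed data)."""
    d, log = artifact_digest(PACKAGE), []
    record(log, "build", "ci-runner", "compiled and packaged", d,
           "built from tagged commit", "2019-11-05T09:12:00Z")
    record(log, "artifact repository", "ci-runner", "published package", d,
           "repository checksum", "2019-11-05T09:13:10Z")
    record(log, "non-prod deployment", "release-bot", "deployed to staging", d,
           "SAST and DAST gate passed", "2019-11-05T10:02:45Z")
    record(log, "prod deployment", "release-bot", "deployed to production",
           prod_artifact or d, "change approval recorded", "2019-11-05T15:30:00Z")
    return log

def intact_findings() -> List[str]:
    return verify(build_log())

def swapped_artifact_findings() -> List[str]:
    # A different package reached production than the one that was tested.
    return verify(build_log(artifact_digest(b"some other package (constructed)")))

def edited_log_findings() -> List[str]:
    # A past entry is rewritten and its hash recomputed; the next entry's
    # prev_hash no longer matches, so the edit is still detected.
    log = build_log()
    e = log[2]
    e["actor"] = "someone-else"
    e["entry_hash"] = _hash_entry({k: v for k, v in e.items() if k != "entry_hash"})
    return verify(log)
```

Running the three scenario functions shows an empty finding list only for the untouched log; in a real pipeline the log would be written to append-only storage so that the stored entry_hash values, not the application, are the source of truth.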
Your governance chain can now prove compliance of your software pipelines
▪ Developers can stop wasting up to 20-30% of their valuable time piecing together audit reports so they can focus on doing what they love
▪ Executives can get full visibility into release pipelines so they aren't losing sleep over governance and security audits
▪ InfoSec teams and auditors get the reports they need with complete data
Plan → Develop → Deliver → Monitor
Poll #3
How mature is your governance chain of custody?
Runs like a well-oiled machine - we know all the data points
1/2 automated and 1/2 manual - most data points are known
Lacking data to complete the chain
Don’t even know where to look
The 4 most common patterns to avoid when building a true chain of custody
Structure the business flow
From having your
▪ ideas in mind,
▪ vision and goals on paper,
▪ roadmaps in PowerPoint,
▪ planning in Excel,
▪ work items in backlogs
To everything structured and connected
From a fragmented business chain of custody to a connected flow of information
Value Stream: Strategy → Portfolios → Epics → Features → Work Items → Commit → Packages → Artifacts → Deployments → Release On-Demand
Capabilities along the stream:
▪ Portfolio Planning & Execution Management
▪ Team Planning & Activity Visibility
▪ Planning & Test Execution Management
▪ Release Orchestration and Delivery
▪ Quality, Security and Compliance Dashboards
▪ Quality, Security, and Compliance Metrics across Value Streams
Simplify the IT Control Framework
Step 1 - Review audit rules and simplify compliance practices
Step 2 - Create a process that is fast and compliant by default
Step 3 - Automate the process from end to end
Get your own Software Chain of Custody right: simplify, structure, shift validation left and automate
Business chain: Goal setting → Define / Ideate → Plan and execute → Value validation and measurement
Technical chain: Source control repository, Build, Package, Non-prod deployment, Prod deployment, Dependency management, Artifact repository, Monitor deployed
Governance chain: Plan → Develop → Deliver → Monitor
Continuous effort!
▪ Continuous Feedback: to get the model as simple as possible
▪ Continuous Improvement: to include and automate more and more controls
▪ Continuous Collaboration: to make sure all disciplines are involved
Thank you for joining
The software chain of custody proves what happened, when it happened, where it happened, how it happened, and who made it happen.
Without this information, it’s impossible to meet compliance and security requirements as you develop and deliver software at scale.
Through CollabNet/XebiaLabs it is now possible to build a full software chain of custody and cover your business, technical and governance chains.
Editor's notes
Before we begin, a few housekeeping notes. This webinar is being recorded, and links to the recording and to these slides will be shared after the webinar is over.
If you have questions, please share them in the GoToWebinar control panel, and we’ll address them near the end of the webinar.
A quick introduction, for those of you who may not be familiar with XebiaLabs: we’ve been part of the DevOps movement since the very early days. We’re solely focused on DevOps and Continuous Delivery and we’ve been repeatedly recognized as a leader by the top analysts in this space. You can find our customers across many of the best known and best run companies around the world. They’re in all types of industries from financial services, to retail, to manufacturing... all the way to the public sector and government agencies.
We just recently announced that we will be merging with CollabNet VersionOne to create a new company which unites CollabNet VersionOne’s up-stream Agile planning functionality with XebiaLabs downstream release orchestration and deployment automation capabilities. Together, we will provide enterprises with an end-to-end agile + devops platform that can deliver unprecedented visibility and value across the software development and delivery lifecycle. If you are a XebiaLabs or CollabNet VersionOne customer, rest assured, none of your great capabilities are going away, nor will you be forced to make any unwanted changes. Over time, you will see great additions that will make your platforms even stronger and more valuable to your organization.
Thanks everyone for joining us today. We are excited to discuss how a Software Chain of Custody can help your organization, especially around compliance and audit times. Some of you may have viewed a previous webinar of ours on making Audit Nightmares a thing of the Past. Don’t worry, that is not a pre-requisite for today’s discussion. And if you did join, I think you will find today’s discussion will complement that one by focusing on the creation of the software chain and immediate benefits you can achieve.
Today’s agenda:
First: Provide a much wider view of a software chain of custody, why it is crucial and how it will strengthen your company
We will then introduce the 3 layers that make up the chain of custody
We will look at some patterns you should avoid
Give practical guidance on where to start and how to achieve real benefits from your software chain.
We will also sprinkle in a couple of poll questions along the way…
Andreas makes statement…
Dan: With the enhancements gained from implementing DevOps practices, along with an abundance of new modern tools and automation, we have seen significant increases in the speed of delivering software. But what has become obvious is speed alone is not enough. We have started to lose visibility across our pipelines. The amount of data that is being generated by all of these tools can become overbearing. Furthermore, the ability to gain contextual data that spans a devops toolchain that consists of 15 to 25 or more tools is becoming almost impossible. We must find a way to automate this process. Just as automation with testing, deployment and security tools reduced variation and manual error within the pipelines, we need to automate the collection and unification of data across the pipelines to create a traceable record from ideation to production.
Andreas: Yes, the industry is behind. There is a strong need to rectify this problem. What I do find encouraging is that connecting and unifying data across the pipeline from planning through production will have significant other benefits for organizations as well. Value mapping and advanced analytics certainly come to mind…
Andreas
Use a whiteboard to start clearing
Investigate the business layer: Quarterly planning cycle, the involvement of everyone to be aligned with the goal
Identify all the bookkeeping that is taking place. Bookkeeping has never been more important, tickets, planning, vision, budgeting, setting the right connections etc.
List underlying development and delivery cycle, use Value Stream Mapping to create the flow from code to finish.
Business outcomes vs business objectives
Define where everything is stored
Explain we take the business chain as example, but don’t go into detail for the technical chain. This is also easier to do since systems are often already connected.
Building, visualizing and getting ready for inspecting…
The technology chain has evolved immensely over quite a few years. I have provided an example of a technology chain here which was taken from the “Automated Governance Reference Architecture” from IT Revolution. I had the opportunity to co-author this paper with some great minds in the DevOps space. The paper is closely aligned with what Andreas and I are discussing today, so I encourage anyone to reference this report if they are interested in additional information.
As we discussed earlier, the advancement in DevOps practices and automation along with the technology advances, such as cloud, containers and serverless, has enabled organizations to build faster and more efficient pipelines. These advances have certainly had some pretty positive outcomes…
1) Organizations are empowered to deliver code faster, more efficiently and more reliably
2) Integration and automation have enabled more tightly connected pipelines
3) Has allowed for better collaboration across different personas and groups
4) And improved visibility into data that describes what happened, when it happened and by whom
Speed, automation and loosely coupled data are great, but we still need more.
It’s widely accepted that every business is a software business, which means that every large enterprise that builds, buys, or runs software—from leading retailers, to financial service providers, to insurance companies, and more— must be concerned with the integrity of its software assets.
Software asset integrity is inexorably linked to the credibility of your corporate brand, meaning any negative publicity or event tied to your applications can lead to lost business income, operational shutdown, or breach of contract.
Software asset integrity is everyone’s responsibility: from C-level executives to product owners, release managers, auditors, and DevOps team members. All stakeholders need visibility into all phases of software delivery from planning, design, build, test, release, and monitoring processes, so they can prove that the software running in their environments is truly what it claims to be.
Just like in manufacturing, there are two areas that we need to be concerned about: product inspection and process inspection… As you build your technology pipelines, you must not only protect the quality of your asset, but the process in which the asset flows from planning all the way to production.
With our extreme focus on speed and automation, we have lost some other important qualities of asset integrity that are related to both Product Inspection and Process Inspection…
Traceability: Can you trace your asset through the pipeline with certainty? It is critical that the asset is immutable from stage to stage.
Performance: Are you able to detect performance issues at peak times, or degradation over time?
Scalability: Can you increase or decrease capacity of your system simply by adding or removing nodes?
Security: And how protected are you against data breaches or other security violations?
Just as we looked at the IT Revolution technology chain earlier, let’s now walk-through Gartner’s DevOps Toolchain with integrated security. All of these examples are types of Product Inspection techniques that prove the integrity of your artifacts.
Create/Development stage: To deliver on the “shift-left” approach, companies should utilize tools that integrate directly into the dev’s CI/CD environment
Verify/Build stage: Additional security tests should be run including SAST, DAST and SCA (Software Composition Analysis for open-source software)
Preprod: Organizations should evaluate application security testing solutions that identify how product code reacts to both known attacks and nondeterministic tests. Introducing chaos testing during pre-production is starting to become more popular.
Release: Validating time stamp signatures prior to release… which really should happen before all pre-prod stages as well.
Detect/Respond: Despite all of the previous preventative actions, vulnerabilities will inevitably make it into production. Therefore leveraging Runtime application self-protection solutions (RASP) can help respond to attacks by either self-protecting or failing safe.
All of these are great examples of tools that prove compliance by validating the integrity of the product. All of this data needs to be captured as part of your technology chain of custody.
Andreas
Now let’s take process inspection into consideration… Again, DevOps practices have increased the tempo of software delivery. If we can push a change to production every few minutes, no manual governance process can keep up. So, just as we have automated other parts of the software pipeline, we must also seek to automate the governance process.
The model to the right represents a single phase in the software development and delivery pipeline (This is also referenced from the Automated Governance Report from IT Revolution).
For each stage, this model identifies a set of inputs and outputs, which typically map to the asset. You then have the actors and the actions that can occur during that stage along with a set of risks that can be attributed to the stage. Finally, based on these risks, a set of controls are chosen to mitigate the risks and attest to the integrity of all actions. This model is really describing a method that can be used to prove who did what, when, and how.
All of these steps are critical components of Process Inspection and must be properly captured.
A governance chain should also consist of the following qualities…
If you do this, your governance chain can now prove compliance for the flow of your assets through the software development and delivery lifecycle…
Andreas
Business often starts with a great idea but is lacking the ability to express the value in measurable goals, followed by a disconnect in execution.
Impact on business chain
Impact on technology chain
Transform Change Management
Manual handoffs from one group to another
Email guidance and updates of release process
Manual data harvesting for updating on delivery progress
Impact on business chain
Impact on technology chain
Automation has already progressed a bit, but it is still happening in isolation.
Roadmap in PowerPoint
Planning in Excel
Backlog in Jira
Build and CI disconnected from Release to production
Development separated from Operations
Impact on business chain
Impact on technology chain
Dev/test/QA complete, and then the release goes to the security team for approval
All tests run but no record is kept, so the release fails to get compliance/audit clearance
Impact on business chain
Impact on technology chain
Impact on governance chain
Dan
Just as the chain of custody for a piece of evidence involved in a legal case proves that that evidence was handled properly, the software chain of custody proves what happened, when it happened, where it happened, and who made it happen.