SlideShare a Scribd company logo

Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery Meetup

Download as PPTX, PDF
S
Simon Storm

The document provides tips for auditors and examiners to better prepare for audits when using agile and continuous delivery practices. It recommends socializing plans for process changes to avoid surprises. It also suggests demonstrating expertise in agile and continuous delivery through training and certifications. Continuous delivery practices like infrastructure as code, static code analysis, automated testing, and repository management make the development process more auditable. The tips emphasize digitizing documentation, logging pipeline activity, and capturing metrics to demonstrate maturity. Ensuring quality practices like keeping QA involved, logging deployments, and code reviews with pull requests can help pass audits. Finally, it recommends getting ahead of outstanding risks like access controls and separation of duties when using tools like Jenkins and Git

Technology
1 of 45
Downloaded 48 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
1 Positioning Agile and Continuous Delivery for Auditors and Examiners
2 Where to Start The single most important step in preparing for an audit or examination is to put yourself in the auditors shoes and understand their goals: • Does this entity have a sound development practice? • Do they have repeatable processes that ensure consistent results? • Do they have the appropriate controls in place? • Does the management team understand the risk they are exposed to?
3 Taking a Step Back…Let’s Start with the Bible During an examination, the examiner explained that he wanted to see our “Bible”, aka our SDLC. He wanted every step to be documented and auditable so he could be sure that every project followed the exact process, every time. Credit: http://www.stpatselkhorn.org/AdultFormation/BibleStudy.aspx
4 How We Responded 1. The Mammoth Waterfall SDLC 2. The Mammoth SDLC & SDLC Lite 3. Agile SDLC 4. Agile & Continuous Delivery
5 Enough about us… We have turned the corner and are now reaping the rewards of properly implementing Agile and Continuous Delivery. We now find that WE HAVE TIME to automate and strengthen our processes. Let’s get to the 25 things you can do to better prepare for your next audit or exam!
6 Tips and Tricks for Audits and Exams 1 - 6 : Agile Education 7 - 12 : Continuous Delivery Education 13 - 18 : Demonstrating Maturity 19 - 21 : Orchestrate for Improved Quality 22 - 24 : Source Code Control is KEY 25 : Getting Ahead
7 Agile Education Credit: http://flickfacts.com/movie/4925/back-to-school
8 #1 – Socialize Your Plans Don’t surprise your auditor with a major change to your process. Provide Useful Information: • Agile Overview: https://www.youtube.com/watch?v=502ILHjX9EE • Continuous Delivery Overview: Continuous Delivery: Reliable Software Releases Through Build, Test and Deployment Automation by Jez Humble and David Farley • Continuous Delivery Adoption: http://www.thoughtworks.com/insights/blog/case-continuous-delivery http://www.perforce.com/continuous-delivery-report
9 #2 – Don’t Risk the Crown Jewels If possible, demonstrate the new technologies and procedures on a lower risk application. You will thank me later….because there will be bumps If you do start with a major application, find a way to segment the implementation to minimize the up front risk
10 #3 – Demonstrate Your Expertise While many of these technologies and procedures are not new, they may be new to you or your organization. Make sure you can demonstrate your expertise: Certifications - Scrum Alliance, etc. Training Programs – Learning Tree, Scrum Alliance, etc. Meetups & User Groups – Continuous Delivery, Agile, etc. Social Media – LinkedIn Continuous Delivery Group, etc.
11 #4 - Map Agile SDLC to Waterfall SDLC Design Waterfall Agile Design The entire application is designed at one time The design evolves as the application is developed The design is created by technical resources working from the requirements The design is created by the developers working with the key stakeholders The design is based on the best estimate of how the application is used The design is based on customer behavior Design Review The design is reviewed by technical resources to ensure completeness and accuracy The design is shown as a working solution to the Product Owner and other stakeholders Changes to the design may have a major ripple effect to the rest of the application The design is continually revisited and adjusts to customer need Design Sign Off Specific step where designated parties agree that the design is complete and accurate Implicit to the process when everyone agrees that the work is acceptable to go to production (Sprint Review)
12 #5 – Explain Benefits of Shorter Cycle Time When a vulnerability is found, how quickly can you address it? When a new OS patch is released, how long until it is on all of your servers?
13 #6 – Explain How Small Batches Reduces Risk • Schedule risk – Feature creep – Gold plating • Quality risk – New bugs – Instability • Business risk – Wrong functionality – Missed opportunity
14 Continuous Delivery Education
15 #7 – A More Auditable Process The key takeaway…. An automated process is far more auditable!
16 #8 – Correct Version of the Application Everyone needs environments and now there are great tools that make it even easier to enable environment sprawl. Every developer has a local environment 3 Development environments 4 QA environments 4 Staging environments 4 Production environments
17 #9 – Infrastructure as Code 1. Baseline Image – The latest patched base server OS, ssh, etc 2. Apply common applications (that require configuration) – TripWire, Splunk, PostFix, etc 3. Application critical applications – Java, App server, etc 4. Deploy your software ** Even with configuration management, you still need a tool like TripWire
18 Infrastructure as Code – Benefits • Environments stay in sync – Changes are made in development and migrated – Administrators should not make changes directly to environments – Changes made manually to an environment are undone with the next migration through the pipeline • Environments can be built on demand – Becomes faster to rebuild an environment than to troubleshoot – A process to build an environment that took weeks can now be completed in under an hour – Environments will no longer be a bottleneck to new functionality • Environments are documented and version controlled – Each setting change is a line of code that can be read – All configurations reside in GIT so that the team can recover or revert to a prior configuration
19 #10 – Static Code Analysis
20 Sonar – Security Tests
21 Sonar – Test Changelog
22 Sonar – Additional Tracking 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 Number of Issues Issues Issues - Blocker Issues - Critical Issues - Major Issues - Minor Issues - Info
23 #11 – Automated Testing Automated tests are the answer to MANY questions about reducing risk….but they open the door to a whole new world of questions • Who validated that the automated test worked correctly? • How do you know that the test meets the desired result? • How can you be sure you have sufficient coverage? • Where are the tests for specific user stories?
24 User Acceptance Test
25 #12 – Repository Management Single source for software, binaries & libraries demonstrates: • Consistency across environments • Single, auditable repository of external resources • Control access to external sites
26 Demonstrating Maturity Credit: http://ihkstories.com/maturity-is-not-when-we-start-speaking-big-thingsit-is-when-we-start-understanding-small-things/
27 #13 – Go Digital Online Agile Boards An Auditor once pulled a sticky off our physical board that was in the Ready for Test queue. He asked “if I don’t put this back, how do you know this was tested?”
28 #14 – Automating Sign-Offs Credit: http://www.polscheit.de/plugins/jira/group-sign-off/images/GroupSignOff-Banner.png
29 #15 – Automating Documentation Credit: http://jiraxporter.xpand-it.com/download/attachments/327684/Banner.png?version=1&modificationDate=1364461203281&api=v2
30 Bank Assetpoint Agile Implementation Retrieved from Jira Retrieved from Jira
31 #16 – Logging Pipeline Activity
32 #17 – Capturing Meaningful Metrics 0 10 20 30 40 50 60 70 80 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Positive Sprint Quality Trend 0 2 4 6 8 10 12 14 16 18 1 2 3 4 5 6 7 8 9 10 Sprint 2014-1 Done QA In Progress Backlog
33 #18 – Add one more meeting Sprint Planning Review Meeting • Additional demonstration of oversight • Shows that we are willing to adapt to meet company goals • Great catch-all for interested stakeholders
34 Orchestrate for Improved Quality Credit: http://accupackmidwest.com/quality-control/
35 #19 – Keep QA Firmly in the Process • When new code comes into Test Environment • When new code can be moved to a higher environment • Perform the deployment to the Staging Environment • Perform the deployment to Production Environment
36 #20 – Don’t Forget Operations The System Engineering Team to controls when code can enter the Staging Environment Application Engineering Team controls when code can enter the Production Environment
37 #21 – When All Else Fails – Email! Email notifications keep parties informed Security Compliance Management Operations Product Owner
38 Source Code Control is KEY
39 #22 – Demonstrate Permissions Making sure that the appropriate controls are in place in GIT are critical. You will need to use a management tool on top of GIT like Stash.
40 #23 –Code Reviews with Pull Requests
41 #24 – Secure Your Pull Requests Custom GIT Hook
42 Administrator approved pull request alert
43 Getting Ahead Credit: https://dzihxiql01vk4.cloudfront.net/wp-content/uploads/2013/06/Get-Ahead-with-Repricing.jpg
44 #25 - Be Aware of Outstanding Audit Risks • Get Ahead of Permission Questions – Jenkins, Puppet, Nexus, Stash, etc. • Continuous Improvement means that you are not following the same process over and over – Allowing Agile Teams to change their development process to make themselves more efficient is scary to auditors • Management (e.g. upgrades) of Pipeline software • Separation of duties • Management aware (and approving) work • Continuous Deployment may be a step too far – There is a lot of value in ensuring that humans are involved in the process
45 Questions

More Related Content

PPTX
Techniques for Keeping Distributed Retrospectives Effective and Fun
Excella
 
PDF
Heart of agile by Pierre Hervouet
Agile ME
 
PDF
Lean Discovery, Agile Delivery & the DevOps Mindset
Fadi Stephan
 
PPTX
Agile Pushback
Katy Saulpaugh
 
PDF
The Agile BA
IIBA UK Chapter
 
PDF
Techniques for Keeping Retrospectives Effective and Fun
Fadi Stephan
 
PPTX
Real world experience from Microsoft - Deniz Ercoskun
AgileSparks
 
PDF
The complexity in the simplicity of Agile? by Arie van Bennekum
Agile ME
 
Techniques for Keeping Distributed Retrospectives Effective and Fun
Excella
 
Heart of agile by Pierre Hervouet
Agile ME
 
Lean Discovery, Agile Delivery & the DevOps Mindset
Fadi Stephan
 
Agile Pushback
Katy Saulpaugh
 
The Agile BA
IIBA UK Chapter
 
Techniques for Keeping Retrospectives Effective and Fun
Fadi Stephan
 
Real world experience from Microsoft - Deniz Ercoskun
AgileSparks
 
The complexity in the simplicity of Agile? by Arie van Bennekum
Agile ME
 

What's hot (20)

PDF
Collaborative Agile Development in Virtual Reality by Talal Shaikh
Agile ME
 
PDF
Agile Development – Why requirements matter by Fariz Saracevic
Agile ME
 
PDF
ALN_Nepal-Agile_for_the_real_world
Roland Leibundgut
 
PPT
DevOps-driving-blind
Paul Peissner
 
PDF
Why Scaling Agile Doesn't Work (and What to Do About It)
Jez Humble
 
KEY
Intro to Lean Software Development
gcaprio
 
PDF
Professional Developer by Alexandre Cuva
Agile ME
 
PPT
Technical and Product Debt Management
Sergey Sundukovskiy
 
PDF
Introducing Agile Methodologies
Stfalcon Meetups
 
PPTX
Lynn Winterboer : Test automation
AgileDenver
 
PDF
Introductionto Agile Executive Overview Gpi Asia Rev2
Benjamin Scherrey
 
PDF
Pair programming pair testing working together with the developers by Simon ...
Agile ME
 
PPTX
Agile Metrics: Value, Flow, Quality, Culture
Brad Appleton
 
PDF
KPI's are your best friend - Slides
itSMF Belgium
 
PPTX
Pooja shift left 1.0
Xebia India
 
PDF
Modernizing Development - The Road to Agility and DevOps at Compuware
Atlassian
 
PPTX
Agile Development Models
DeepaThirumurugan
 
PDF
W4 0245 agility_v1
colleenfry
 
PDF
Post-agile approaches - agile for the real world and how to avoid agile failure
Yuval Yeret
 
PDF
Panel Discussion "Agile and Business Analysis" Dr. Mohamed Salama, Hind Zanto...
Agile ME
 
Collaborative Agile Development in Virtual Reality by Talal Shaikh
Agile ME
 
Agile Development – Why requirements matter by Fariz Saracevic
Agile ME
 
ALN_Nepal-Agile_for_the_real_world
Roland Leibundgut
 
DevOps-driving-blind
Paul Peissner
 
Why Scaling Agile Doesn't Work (and What to Do About It)
Jez Humble
 
Intro to Lean Software Development
gcaprio
 
Professional Developer by Alexandre Cuva
Agile ME
 
Technical and Product Debt Management
Sergey Sundukovskiy
 
Introducing Agile Methodologies
Stfalcon Meetups
 
Lynn Winterboer : Test automation
AgileDenver
 
Introductionto Agile Executive Overview Gpi Asia Rev2
Benjamin Scherrey
 
Pair programming pair testing working together with the developers by Simon ...
Agile ME
 
Agile Metrics: Value, Flow, Quality, Culture
Brad Appleton
 
KPI's are your best friend - Slides
itSMF Belgium
 
Pooja shift left 1.0
Xebia India
 
Modernizing Development - The Road to Agility and DevOps at Compuware
Atlassian
 
Agile Development Models
DeepaThirumurugan
 
W4 0245 agility_v1
colleenfry
 
Post-agile approaches - agile for the real world and how to avoid agile failure
Yuval Yeret
 
Panel Discussion "Agile and Business Analysis" Dr. Mohamed Salama, Hind Zanto...
Agile ME
 
Ad

Similar to Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery Meetup (20)

PPT
Agile Cafe Boulder - Panelist and keynote slides
Cloud Elements
 
PDF
Agile Software Development in practice: Experience, Tips and Tools from the T...
Valerie Puffet-Michel
 
PDF
Agility via Software Engineering Practices - Agile Tour Montreal 2015
Steve Mercier
 
PPT
Agile Development From A Developers Perspective
Richard Banks
 
PPTX
When agility meets software quality
Babak Khorrami
 
PPTX
From XP and Continuous Integration to DevOps
IBM UrbanCode Products
 
PDF
What is agile
Orange and Bronze Software Labs
 
PPT
Road to agile: federal government case study
David Marsh
 
PPTX
Eliminate Bottlenecks in Software Development & Delivery
Micro Focus
 
PDF
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Steve Mercier
 
PDF
5 Steps on the Way to Continuous Delivery
XebiaLabs
 
PDF
Preparing for Enterprise Continuous Delivery - 5 Critical Steps
XebiaLabs
 
PPT
Agile Software Delivery for the Ugandan Context - 2019 Edition
Stephen Senkomago Musoke
 
PDF
Stldodn 2014 agile on a shoestring
Angela Dugan
 
PPT
Phoenix User Group Slides
agilebuddy
 
PDF
Agile 2008 Retrospective
Craig Smith
 
PDF
10 lessons learned in managing digital transformation
Victoria Livschitz
 
PDF
Business Value of Agile Testing: Using TDD, CI, CD, & DevOps
David Rico
 
PDF
Hans Eckman: 7 Agile and DevOps Insights I Wish I Knew Earlier
Edunomica
 
PDF
Agile Product Management
SVPMA
 
Agile Cafe Boulder - Panelist and keynote slides
Cloud Elements
 
Agile Software Development in practice: Experience, Tips and Tools from the T...
Valerie Puffet-Michel
 
Agility via Software Engineering Practices - Agile Tour Montreal 2015
Steve Mercier
 
Agile Development From A Developers Perspective
Richard Banks
 
When agility meets software quality
Babak Khorrami
 
From XP and Continuous Integration to DevOps
IBM UrbanCode Products
 
What is agile
Orange and Bronze Software Labs
 
Road to agile: federal government case study
David Marsh
 
Eliminate Bottlenecks in Software Development & Delivery
Micro Focus
 
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Steve Mercier
 
5 Steps on the Way to Continuous Delivery
XebiaLabs
 
Preparing for Enterprise Continuous Delivery - 5 Critical Steps
XebiaLabs
 
Agile Software Delivery for the Ugandan Context - 2019 Edition
Stephen Senkomago Musoke
 
Stldodn 2014 agile on a shoestring
Angela Dugan
 
Phoenix User Group Slides
agilebuddy
 
Agile 2008 Retrospective
Craig Smith
 
10 lessons learned in managing digital transformation
Victoria Livschitz
 
Business Value of Agile Testing: Using TDD, CI, CD, & DevOps
David Rico
 
Hans Eckman: 7 Agile and DevOps Insights I Wish I Knew Earlier
Edunomica
 
Agile Product Management
SVPMA
 
Ad

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
KodekX | Application Modernization Development
KodekX
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Cloud computing and distributed systems.
kkkkkhan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Approach and Philosophy of On baking technology
30anthuong17
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
KodekX | Application Modernization Development
KodekX
 

Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery Meetup

  • 1. 1 Positioning Agile and Continuous Delivery for Auditors and Examiners
  • 2. 2 Where to Start The single most important step in preparing for an audit or examination is to put yourself in the auditors shoes and understand their goals: • Does this entity have a sound development practice? • Do they have repeatable processes that ensure consistent results? • Do they have the appropriate controls in place? • Does the management team understand the risk they are exposed to?
  • 3. 3 Taking a Step Back…Let’s Start with the Bible During an examination, the examiner explained that he wanted to see our “Bible”, aka our SDLC. He wanted every step to be documented and auditable so he could be sure that every project followed the exact process, every time. Credit: http://www.stpatselkhorn.org/AdultFormation/BibleStudy.aspx
  • 4. 4 How We Responded 1. The Mammoth Waterfall SDLC 2. The Mammoth SDLC & SDLC Lite 3. Agile SDLC 4. Agile & Continuous Delivery
  • 5. 5 Enough about us… We have turned the corner and are now reaping the rewards of properly implementing Agile and Continuous Delivery. We now find that WE HAVE TIME to automate and strengthen our processes. Let’s get to the 25 things you can do to better prepare for your next audit or exam!
  • 6. 6 Tips and Tricks for Audits and Exams 1 - 6 : Agile Education 7 - 12 : Continuous Delivery Education 13 - 18 : Demonstrating Maturity 19 - 21 : Orchestrate for Improved Quality 22 - 24 : Source Code Control is KEY 25 : Getting Ahead
  • 8. 8 #1 – Socialize Your Plans Don’t surprise your auditor with a major change to your process. Provide Useful Information: • Agile Overview: https://www.youtube.com/watch?v=502ILHjX9EE • Continuous Delivery Overview: Continuous Delivery: Reliable Software Releases Through Build, Test and Deployment Automation by Jez Humble and David Farley • Continuous Delivery Adoption: http://www.thoughtworks.com/insights/blog/case-continuous-delivery http://www.perforce.com/continuous-delivery-report
  • 9. 9 #2 – Don’t Risk the Crown Jewels If possible, demonstrate the new technologies and procedures on a lower risk application. You will thank me later….because there will be bumps If you do start with a major application, find a way to segment the implementation to minimize the up front risk
  • 10. 10 #3 – Demonstrate Your Expertise While many of these technologies and procedures are not new, they may be new to you or your organization. Make sure you can demonstrate your expertise: Certifications - Scrum Alliance, etc. Training Programs – Learning Tree, Scrum Alliance, etc. Meetups & User Groups – Continuous Delivery, Agile, etc. Social Media – LinkedIn Continuous Delivery Group, etc.
  • 11. 11 #4 - Map Agile SDLC to Waterfall SDLC Design Waterfall Agile Design The entire application is designed at one time The design evolves as the application is developed The design is created by technical resources working from the requirements The design is created by the developers working with the key stakeholders The design is based on the best estimate of how the application is used The design is based on customer behavior Design Review The design is reviewed by technical resources to ensure completeness and accuracy The design is shown as a working solution to the Product Owner and other stakeholders Changes to the design may have a major ripple effect to the rest of the application The design is continually revisited and adjusts to customer need Design Sign Off Specific step where designated parties agree that the design is complete and accurate Implicit to the process when everyone agrees that the work is acceptable to go to production (Sprint Review)
  • 12. 12 #5 – Explain Benefits of Shorter Cycle Time When a vulnerability is found, how quickly can you address it? When a new OS patch is released, how long until it is on all of your servers?
  • 13. 13 #6 – Explain How Small Batches Reduces Risk • Schedule risk – Feature creep – Gold plating • Quality risk – New bugs – Instability • Business risk – Wrong functionality – Missed opportunity
  • 15. 15 #7 – A More Auditable Process The key takeaway…. An automated process is far more auditable!
  • 16. 16 #8 – Correct Version of the Application Everyone needs environments and now there are great tools that make it even easier to enable environment sprawl. Every developer has a local environment 3 Development environments 4 QA environments 4 Staging environments 4 Production environments
  • 17. 17 #9 – Infrastructure as Code 1. Baseline Image – The latest patched base server OS, ssh, etc 2. Apply common applications (that require configuration) – TripWire, Splunk, PostFix, etc 3. Application critical applications – Java, App server, etc 4. Deploy your software ** Even with configuration management, you still need a tool like TripWire
  • 18. 18 Infrastructure as Code – Benefits • Environments stay in sync – Changes are made in development and migrated – Administrators should not make changes directly to environments – Changes made manually to an environment are undone with the next migration through the pipeline • Environments can be built on demand – Becomes faster to rebuild an environment than to troubleshoot – A process to build an environment that took weeks can now be completed in under an hour – Environments will no longer be a bottleneck to new functionality • Environments are documented and version controlled – Each setting change is a line of code that can be read – All configurations reside in GIT so that the team can recover or revert to a prior configuration
  • 19. 19 #10 – Static Code Analysis
  • 21. 21 Sonar – Test Changelog
  • 22. 22 Sonar – Additional Tracking 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 Number of Issues Issues Issues - Blocker Issues - Critical Issues - Major Issues - Minor Issues - Info
  • 23. 23 #11 – Automated Testing Automated tests are the answer to MANY questions about reducing risk….but they open the door to a whole new world of questions • Who validated that the automated test worked correctly? • How do you know that the test meets the desired result? • How can you be sure you have sufficient coverage? • Where are the tests for specific user stories?
  • 25. 25 #12 – Repository Management Single source for software, binaries & libraries demonstrates: • Consistency across environments • Single, auditable repository of external resources • Control access to external sites
  • 27. 27 #13 – Go Digital Online Agile Boards An Auditor once pulled a sticky off our physical board that was in the Ready for Test queue. He asked “if I don’t put this back, how do you know this was tested?”
  • 28. 28 #14 – Automating Sign-Offs Credit: http://www.polscheit.de/plugins/jira/group-sign-off/images/GroupSignOff-Banner.png
  • 29. 29 #15 – Automating Documentation Credit: http://jiraxporter.xpand-it.com/download/attachments/327684/Banner.png?version=1&modificationDate=1364461203281&api=v2
  • 30. 30 Bank Assetpoint Agile Implementation Retrieved from Jira Retrieved from Jira
  • 31. 31 #16 – Logging Pipeline Activity
  • 32. 32 #17 – Capturing Meaningful Metrics 0 10 20 30 40 50 60 70 80 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Positive Sprint Quality Trend 0 2 4 6 8 10 12 14 16 18 1 2 3 4 5 6 7 8 9 10 Sprint 2014-1 Done QA In Progress Backlog
  • 33. 33 #18 – Add one more meeting Sprint Planning Review Meeting • Additional demonstration of oversight • Shows that we are willing to adapt to meet company goals • Great catch-all for interested stakeholders
  • 34. 34 Orchestrate for Improved Quality Credit: http://accupackmidwest.com/quality-control/
  • 35. 35 #19 – Keep QA Firmly in the Process • When new code comes into Test Environment • When new code can be moved to a higher environment • Perform the deployment to the Staging Environment • Perform the deployment to Production Environment
  • 36. 36 #20 – Don’t Forget Operations The System Engineering Team to controls when code can enter the Staging Environment Application Engineering Team controls when code can enter the Production Environment
  • 37. 37 #21 – When All Else Fails – Email! Email notifications keep parties informed Security Compliance Management Operations Product Owner
  • 39. 39 #22 – Demonstrate Permissions Making sure that the appropriate controls are in place in GIT are critical. You will need to use a management tool on top of GIT like Stash.
  • 40. 40 #23 –Code Reviews with Pull Requests
  • 41. 41 #24 – Secure Your Pull Requests Custom GIT Hook
  • 44. 44 #25 - Be Aware of Outstanding Audit Risks • Get Ahead of Permission Questions – Jenkins, Puppet, Nexus, Stash, etc. • Continuous Improvement means that you are not following the same process over and over – Allowing Agile Teams to change their development process to make themselves more efficient is scary to auditors • Management (e.g. upgrades) of Pipeline software • Separation of duties • Management aware (and approving) work • Continuous Deployment may be a step too far – There is a lot of value in ensuring that humans are involved in the process

Editor's Notes

  • #2: 182 slides for last audit 85 slides with a lot of content for Gene Kim - Phoenix Project
  • #3: The last two bullets are key - COMPENSATING CONTROLS IF IT IS HARD DO IT MORE OFTEN
  • #5: – Super detailed including RACI charts, tractability matrices…even included who to invite to meetings and required meeting invitations to be saved! Result: Development came to a grinding halt. – A second SDLC was written which stripped away 90% of the full SDLC rigor Result: Every project became SDLC Lite. Agile – We obviously blamed Waterfall for our shortcomings (it couldn’t be us). We went Agile….sort of. Result: Chaos. Team was not ready for quick sprints, documentation wasn’t done, code wasn’t finished….. Agile & Continuous Delivery – A proper implementation of Agile with the technical craftsmanship that is required. Result: A successful and strong base in which to build
  • #10: Counter intuitive - You may not get the best bang for the buck
  • #11: David Farley answers posts in LinkedIn
  • #12: Some auditors and examiners are very familiar with Agile. Many even have CSM and CPO certifications. However, some are entrenched in Waterfall. Also, keep in mind that many guidelines that examiners are required to follow are based on the Waterfall methodology. Shows that the check points still exist, just a little in a different order or a little more often
  • #13: Infrastructure as Code enabled us to reduce our OS patching frequency from quarterly to every two weeks A finding from our penetration testing exercise is added to the next sprint which means it is in production in just over two weeks A change in our process is added and adopted by the feature team by redefining the definition of “done”
  • #14: WHAT IT ALL COMES DOWN TO IS MANAGING RISK A quarterly release cycle contains months and months of code. This is harder to test, harder to perform a proper code review, and significant amount of change to the application is introduced at one time. Changes performed in small batches reduces the risk of any one release. Even if the entire release needs to be backed out, only two weeks of work is lost which reduces the company’s financial risk Schedule risk can also be mitigated by reducing feature creep, gold-plating and by keeping stakeholders aware of progress
  • #15: At this point, you may have shown some good insights about Agile, but chances are, your auditor already knew about it. CD is a different story. There are LOTS of levels of maturity
  • #16: Going back to the Bible We regularly found ourselves falling behind in signing off on documents even though the work was done and already in production. With automated processes every step can be tracked so the need to manually say it was done is no longer needed. Log files and reports can show that all the appropriate work was completed.
  • #17: Auditors and Examiners regularly want to understand how environments are kept in sync. This is complicated for endless reasons like history, culture, funding, etc. It becomes exponentially more complicated if you have multiple development environments, multiple QA environments, etc. However, a CD Pipeline which performs the exact same deployment in every environment forces a team to have consistent environments.
  • #18: Infrastructure as code will overwrite any non-standard changes. Changes need to be made in Development and then they are migrated through the environments. When you get to the point where your entire server is managed by a configuration management tool like Puppet or Chef, it will mean that the server will be rebuilt to the standard with every release.
  • #20: MANAGEMENT OVETSIGHT It is important to note that a little while back we changed our rule set which resulted in more critical issue Static Code Analysis Tools brings constant awareness of code quality to management. This is a fantastic tool to demonstrate maturity and constant improvement. We use Sonar, but the key is to have a tool in place and to take action on the results.
  • #24: RESULTED IN A SURPRISE Automated tests are key to any Continuous Delivery Pipeline otherwise it is simply not possible to have regular deployments due to the time needed for manual regression testing. However, test automation is also very helpful for auditors and examiners to see because it helps explain how code can be deployed faster but the team still has the same (or greater) level of confidence It is important to show that your pipeline will STOP until any failed automated test is corrected.
  • #26: Another important tool in any Continuous Delivery Pipeline is a Repository Management Tool like Nexus. This tool is used to hold binary files for deployments as well as all of the dependencies that the application and infrastructure pipelines may need.
  • #28: Probably one of the more unpopular changes is to switch to an electronic board like Jira. Many teams are very fond of have note cards and post-its on walls, but digital boards are more auditable. Once you make the switch, you will have lots of unexpected benefits….here are some more!
  • #29: We use a Jira plugin called Group Sign-Off for Jira. It allows a story to capture key sign-offs from management, security, and compliance. We include a sign-off story in every sprint and now no longer need to print and get manual signatures. Using permissions in Jira, I can only sign-off as myself.
  • #30: This was one of those dreams that I never thought would come true, but with the Xporter Plugin for Jira we are able to perform a mail merge into our SDLC template. We capture the stories and sign-offs for every release to fulfill auditor and examiners requests for documentation. We do still have the manual step of maintaining master requirements documents for major pieces of functionality.
  • #32: Using the logs captured by Jenkins, we created a report to show when each step in the pipeline occurred and who initiated it. The report is the last step in our Pipeline. It emails a copy of the report to all interested parties and places a copy in Nexus for archival purposes.
  • #33: All of the activity logging is beneficial as it shows that all the steps were performed and who performed them. However, they are also rich with information about your own processes. Graphing the metrics from various points in your development process will again show that management is involved in the process and providing proper oversight.
  • #34: With a self managing team that is making small changes every two weeks, it is easy for management to not know exactly what is going on. We added a Sprint Planning Review Meeting after every sprint planning session. This was facilitated by our ScrumMaster and was found to be very helpful to bring Security, Compliance and anyone else into the process. Not only was this meeting helpful, but it also demonstrated to auditors and examiners that we were thoughtful about the process and made improvements when needed.
  • #36: ACTIVE DIRECTORY - NEED TO HAVE A PERIODIC REVIEW OF WHO IS IN GROUPS Our QA Team performs and important check to ensure that a quality product is deployed. They are also a critical team to maintaining separation of duties. They don’t write the code and they also have the best understanding of how the applications should work. We found they were best suited to facilitate the deployment. They control:
  • #37: We have four Operations Teams: System Engineers, Application Engineers, Network Engineers and Database Administrators. The System and Application Engineering teams are very interested in deployments so they can be extra vigilant in their monitoring during and after deployments. To keep them involved we added steps in Jenkins to allow:
  • #38: The rapid deployments still resulted in the occasional incident where someone was caught off guard. We addressed this by adding an email step before Staging and before Production to notify all interested parties that a deployment was coming through.
  • #41: Only a select number of senior developers and architects have the ability to merge code into the development branch
  • #42: Users ended up with Local Admin and Regular User Local Admin users are only allowed to MERGE - by policy Wrote custom code to only allow ACTIVE DIRECTORY USERS to check in and approve PULL REQUESTS
  • #44: The number one concern that an Auditor will raise is how can they be sure that all the wonderful tools that we are using are properly managed. One examiner quickly realized that an administrator of Jenkins would have tremendous power in our environment
  • #45: AGILE TEAMS NEED TO POST THEIR DEFINITIONS OF DONE IN CONFLUENCE (WIKI) REGULARLY AUDIT USER LISTS - ACTIVE DIRECTORY - In a recent exam, I was very impressed how quickly the examiner recognized the power of some of the tools like GIT, Stash, Jenkins and Puppet. He immediately wanted to know how we ensure that the appropriate permissions are in place. Also, think through how you will manage the environment of CD tools. Typically, one doesn’t have a migration path for making changes to Jenkins, Sonar, etc.