“By failing to prepare, you are preparing to fail.” That is the timeless wisdom shared by Wiebe de Ross and Dominik de Smit at the end of their All Day DevOps presentation. Wiebe and Dominik both work for ABN-AMRO, a bank headquartered in the Netherlands. They walked through the DevSecOps journey at ABN-AMRO. They focused on how ABN-AMRO made teams more autonomous and helped enterprise security stay more secure.
For context, ABN-AMRO is the leading bank in the Netherlands, with 22,000 employees and 350 Agile teams. That scale presents a lot of opportunities for unintentional holes in the security systems, and, being a bank, it is all the more essential to keep its data secure. That is exactly why they embraced DevSecOps principles and began implementing them in early 2017.
ABN-AMRO started the DevSecOps journey with static analysis. The overarching goal was to make sure security was not a bottleneck in the process, so they automated team onboarding. Teams could specify their application and onboard directly into Fortify. They also automated the review process. When a false positive is found, a Jira ticket is automatically created and handled very quickly.
Next up: addressing the open source components that were breaking builds because issues were not getting fixed.
At this point, the pair had developed a standard tool pipeline. They implemented dynamic application security testing using OWASP ZAP since not everything can be covered in static analysis. In January 2018, they began implementing mobile pipelines. This is still ongoing.
When they implemented DevSecOps in the cloud, they provided training for both AWS and Azure, the two platforms they use. They also shared this "application security triangle" with teams to spread knowledge and gather feedback. At this point in their journey, they reviewed their static analysis, asking: Do we have a good process? Are we meeting our requirements?
Since then, they have added Docker for security and standard pipelines, Splunk to make key metrics visible to management, hacking demos as part of secure coding training, and Docker runtime security and secrets management.
Next, they drilled down into secrets management. They understood that organizations need to have centralized secrets management so people don’t create their own approaches. It needs to be easy to use, too, or it won’t be used. They use a dynamic approach. When a container needs a secret, it is dynamically generated, not manually created and stored. This provides a detailed audit trail. This is more visible to the organization than a manual process, and is more consistently used.
While they generally recommend a dynamic approach, they note it can be better to start with static secrets, especially in legacy systems.
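As an added illustration of the dynamic approach described above (this is not code from the talk or from ABN-AMRO), a small Python model of a hypothetical secrets broker: a secret is minted only when a container asks for it, lives for a bounded TTL, can be revoked, and every issue, validation and revocation lands in a per-container audit trail, which is exactly what a shared static secret cannot give you.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    container_id: str
    secret: str
    issued_at: float
    ttl: int
    revoked: bool = False


class DynamicSecretBroker:
    """Hypothetical broker: each container request mints a fresh, short-lived
    credential, and every issue/validate/revoke event is appended to an audit log."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable clock so expiry can be tested deterministically
        self.leases = {}
        self.audit = []  # entries: (event, lease_id, container_id, detail)

    def issue(self, container_id):
        # Nothing is stored ahead of time: the secret exists only once a container asks.
        lease_id = secrets.token_hex(8)
        lease = Lease(container_id, secrets.token_urlsafe(24), self.clock(), self.ttl)
        self.leases[lease_id] = lease
        self.audit.append(("issue", lease_id, container_id, f"ttl={self.ttl}s"))
        return lease_id, lease.secret

    def validate(self, lease_id, presented):
        lease = self.leases.get(lease_id)
        ok = (lease is not None and not lease.revoked
              and self.clock() < lease.issued_at + lease.ttl
              and hmac.compare_digest(lease.secret.encode(), presented.encode()))
        who = lease.container_id if lease else "unknown"
        self.audit.append(("validate", lease_id, who, "ok" if ok else "denied"))
        return ok

    def revoke(self, lease_id):
        lease = self.leases[lease_id]
        lease.revoked = True
        self.audit.append(("revoke", lease_id, lease.container_id, ""))

    def trail(self, container_id):
        """The per-container audit trail that a shared static secret cannot provide."""
        return [e for e in self.audit if e[2] == container_id]
```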
The point they really want to leave you with is that greater team autonomy makes your enterprise more secure. Again, they don’t want security to be a bottleneck, because then people start trying to find ways to work around security. Team autonomy is not the norm for many large organizations. Usually, there are lots of centralized teams that others are dependent on. By creating a number of self-organized teams that offer services and systems, the teams address problems without friction.
What are some practical steps?
- Provide every team with their own virtual private cloud with templates in AWS or Azure
- Utilize Terraform to propagate the reuse of modules and code
- Ensure teams pass a “quality gate” before being allowed to use the cloud, making security part of the intake process
Other benefits include increased innovation and experimentation. Best practices are shared, and it is easier to recruit tech talent. Together, this means a faster time to market.
In the end, they have 5 DevSecOps challenges for the enterprise:
- Onboard all teams to centralized tools
- Get rid of the old way of working
- Automate review processes for all tools
- Choose the best tools
- Focus management on the right activities with the right information
To hear more about their journey, secrets management, tools, and “Dockerizing the Enterprise,” watch their full presentation below.
Register now for the next All Day DevOps, November 6, 2019.