In this session, get to know how a highly regulated government agency started on its journey towards a true DevSecOps culture, enabled by the adoption of collaborative tools, people and culture. Hear from the heads of DevOps and Security to get a deeper perspective from each discipline on how they viewed and embarked upon their goal of modernizing the agency's culture, its people, its processes, and its tools to better meet its mission. You'll learn about where they began, the challenges they faced, the successes they realized, and the strategies they used to overcome common organizational hurdles on the path towards container adoption and a DevSecOps culture.

We hope you can take away some of the lessons learned from our work building DevSecOps multi-tenant platforms. We will discuss changes in organization structure, focus on service, integrations required (human and technical) and the supply chain. Folks looking to introduce and automate security into a new or built workflow will appreciate the challenges we overcame.


Outline/Structure of the Talk

General talk with co-presenters sharing experiences. Speakers will engage the audience to share.

General Overview of DevSecOps

What is a highly regulated environment?

Challenges of integrating security into value streams

How moving towards multi-tenant platforms and supply chains promotes DevSecOps

Lessons learned and a high level playbook

Learning Outcome

Participants will understand the term DevSecOps.

Participants will be able to identify challenges with integrating security into development and operational processes.

Participants will be able to demonstrate the use of some common DevSecOps patterns.

Target Audience

Folks interested in learning some common DevSecOps patterns in a highly regulated environment.

Submitted 3 years ago

Public Feedback


    • Gene Gotimer - Experiences Bringing Continuous Delivery to a DoD Project
      Gene Gotimer, Principal Consultant, Coveros, Inc.
      45 Mins
      Experience Report
      Beginner

      Not every continuous delivery initiative starts with someone saying "drop everything. Let's do DevOps." Sometimes you have to grow your practice incrementally. And sometimes, you don't set out to grow a practice at all -- you are just fixing problems with your process, trying to make things better.

      I'll walk through a case study of how our team worked on an exemplar project for the Department of Defense to show that agile could work in a decidedly waterfall culture. I’ll also discuss techniques and tools we used to bring a DevOps mindset and continuous delivery practices into an environment that wasn't already Agile.

      I'll talk about how we were able to start in development, where we had the most control, with a "let's start being Agile" initiative and working on "why is continuous integration important?" From there, we tackled one problem after another, each time making the release a little easier and a little less risky. We incrementally brought our practices through other environments until the project was confidently delivering working, QA-tested, security-tested releases that were ready for production every two weeks. I'll discuss the journey we took and the tools we used to build quality into our product, our releases, and our release process.

    • Gene Gotimer - Tests Your Pipeline Might be Missing
      Gene Gotimer, Principal Consultant, Coveros, Inc.
      10 Mins
      Talk
      Beginner

      Developing a delivery pipeline means more than just adding automated deploys to the development cycle. To be successful, tests of all types must be incorporated throughout the process in order to be sure that problems aren’t slipping through. Most pipelines include unit tests, functional tests, and acceptance tests, but those aren’t always enough. I’ll present some types of testing you might not have considered, or at least might not have considered the importance of. Some types will address code quality, others code security, and some the health and security of the pipeline itself.

      I'll talk about specific tools we used to supplement our pipeline testing. I won't get into how to use each tool -- this is more of a series of teasers to encourage people to look into the tools, and even to let them know what types of tools and testing opportunities are out there.

    • Gene Gotimer / Ryan Kenney - Creative Solutions to Already Solved Problems

      10 Mins
      Experience Report
      Beginner

      Almost everyone has to deal with bad legacy code at some point. Not just legacy code that you inherited and obviously would have been better if you had written it, but legacy code so ugly and ill-conceived that it makes you want to hunt down the person responsible just so you can scream at them (or worse). And then replace it with a one-line library function that does the same thing.

      We'll show some examples of the worst code I've seen, and we'll have a chuckle or a groan. The names, projects, and check-in comments have been changed to protect the guilty, but, unfortunately, these examples are all too real.

    • Jonathan Kauffman - Current State of BDD Testing Tools
      Jonathan Kauffman, Consultant, Coveros, Inc.
      10 Mins
      Talk
      Beginner

      Have you heard about BDD and want to start using it, but don't know what BDD is and which tool you should use? In this presentation I address both of those concerns -- I start by providing an overview of BDD and then compare five tools that can be used for BDD testing. I conclude by discussing the pros/cons and popularity of these tools so that you can make an informed decision as to which tool would work best within your organization.

    • Glenn Buckholz - Improving Your Testing Methodology Using Docker
      Glenn Buckholz, Technical Manager, Coveros
      45 Mins
      Tutorial
      Beginner

      Wonder how you can make your testing more efficient? Join Glenn Buckholz as he explores Docker, a technology that allows rapid development and deployment via containers. First, he explains exactly what composes a container, and discusses the differences between a container and an image. Once this is clear, Glenn demonstrates how Docker solves what he calls the state capture problem. When a test case produces a failure, the developer and testers often expend significant effort reproducing the issue so the developer can see the issue and fix it. Glenn demonstrates how Docker enables succinct, accurate, and quick communication between testers and developers, helping mitigate the state capture problem. In addition, testers can use Docker to load data, efficiently insert testing tools into a running system, set system state, and aid in test reproducibility. After you look at the inner workings of Docker and run through a few practical examples, you'll find that Docker will hold an important place in your testing toolbox.

    • Gene Gotimer - Which Development Metrics Should I Watch?
      Gene Gotimer, Principal Consultant, Coveros, Inc.
      45 Mins
      Talk
      Intermediate

      W. Edwards Deming noted that “people with targets and jobs dependent upon meeting them will probably meet the targets – even if they have to destroy the enterprise to do it.” While metrics can be a great tool for evaluating performance and software quality, becoming beholden to reaching metrics goals, especially the wrong ones, can be detrimental to the project. Each team needs to take care and understand what targets are appropriate for their project. They also need to consider the current and desired states of the source code and product and the capabilities and constraints of the team.

      As one of the lead architects working with a huge codebase on a government project, I often have the opportunity to influence the teams around me into watching or ignoring various metrics. I will walk through some measures that are available to most projects and discuss what they really mean, various misconceptions about their meaning, the tools that can be used to collect them, and how you can use them to help your team. I’ll discuss experiences and lessons learned (often the hard way) about using the wrong metrics and the damage they can do.

    • Rahul Sharma - Building and Testing Secure Mobile Applications
      Rahul Sharma, IT Consultant, Coveros
      45 Mins
      Tutorial
      Intermediate

      Mobile application development has been on the rise lately because of the convenience mobile apps have to offer. Despite the recent occurrence of security breaches on mobile devices, security testing is not as emphasized as other forms of testing such as user acceptance or functional testing. An application can consist of the greatest features but will be considered unusable if hackers can exploit it. The exponential rise in the use of mobile applications for different purposes puts mobile devices in significant danger of being hacked or compromised. In today’s world, mobile applications are used for various purposes and store Personally Identifiable Information (PII) and financial information. Due to the sensitivity of customer data, mobile applications should be built and tested with security in mind. Strategies that cover how to properly test mobile apps for security issues will be discussed.

    • Marco Corona, Consultant, Coveros
      45 Mins
      Experience Report
      Beginner

      Housing and Urban Development (HUD), a federal agency committed to creating affordable homes for all Americans, has a history of systems development steeped in waterfall practices, a history of failed IT programs, and a culture that ran in direct opposition to Agile/DevOps. It often took weeks to provision a virtual machine and years for an application to get into Production.

      In a little over a year, a small team of DevOps engineers has helped modernize the agency's legacy infrastructure in an effort to prove Agile and DevOps can work across the organization. I will present a case study that discusses how we were able to bring 10 new applications into Production in a few months' time using the Cloud and DevOps. I will discuss the challenges we encountered along the way and walk through how we were able to create a culture of shared code, infrastructure and shared purpose across multiple programs and contractor teams. In addition, I will explain how to leverage Jenkins, Chef and Azure to create a repeatable, iterable DevOps pipeline that made this transformation possible.

    • Thomas Stiehm, CTO, Coveros, Inc.
      45 Mins
      Experience Report
      Intermediate

      A large part of the success of agile adoptions is due to the automated testing approach used in agile projects. Because many of these techniques were pioneered in the development of web applications, it can be hard to see how they can be leveraged for a project where the software being built is for an embedded application. Discover ways to leverage agile testing techniques for embedded systems. Whether you are building a medical device, embedded controller, or Internet of Things device, learn how to leverage these testing practices to create fully automated tests that fit into a DevOps build pipeline and help your team create higher quality, more reliable software. Test automation is the best way to maintain and execute a comprehensive suite of regression tests that allows you to take back control of your testing process while increasing test coverage. Learn how to be in control of your test process by stepping up your test automation to the next level.

      Embedded development and Internet of Things development is often done on platforms that lack modern software development and test automation tools. The more esoteric or the smaller the target audience, the less likely tool vendors are to create products that directly support the deployment environment. This can make getting started with test automation using older tools that are not as actively supported by vendors a challenge that has to be overcome by a team that wants to move toward a Continuous Deployment process.

      This session is aimed at people that are trying to adopt agile and continuous delivery with embedded technology, but might be worried that it can’t work in their particular environment due to their industry, technology stack, culture, or regulatory environment.

    • Jonathan Kauffman - Leveraging Zephyr and Behave for Test Case Management
      Jonathan Kauffman, Consultant, Coveros, Inc.
      45 Mins
      Talk
      Intermediate

      Zephyr is a tool for managing manually-executed test cases, and Behave is a Python framework for writing BDD-style automated test cases. Is it possible to leverage the benefits of both Zephyr and Behave? This presentation will describe how a bio-medical device company, as part of their Agile adoption, underwent the following evolution in their test management practice:

      • Managing test cases with monolithic Word documents.
      • Managing those same test cases in Zephyr.
      • Writing those same test cases using the Behave framework.
      • Maintaining a master copy of the test cases in Zephyr while storing the implementation of each test step in version control.

      This presentation will also discuss a tool that was used to generate Behave feature files from Zephyr test cases and how that tool was integrated into both testers' workflows and the CI/CD pipeline.

    • Ben Morris - The 12 Factor App, a primer on the 'manifesto' for DevOps & cloud-native apps
      Ben Morris, Consultant, STSI
      10 Mins
      Talk
      Beginner

      If you haven't heard of The 12 Factor App, you probably will soon. Think of it as "the agile manifesto for DevOps." This talk helps you quickly become familiar with the basics of the 12 Factors that make applications cloud ready or "cloud native."

      This talk allows you to trade 10 minutes of your time in order to get a bit smarter. Learn *just* enough to be dangerous, and use that knowledge to impress developers by spewing buzzwords like persistence, disposability, statelessness, and port binding. At least be able to push back intelligently when someone is telling you the app can't be put on the cloud. Learn what is meant by "livestock, not pets" and where to find out more if the talk sparks your imagination.

    • Ben Pick - How to test for the new OWASP Top 10 Vulnerabilities

      10 Mins
      Talk
      Beginner

      The latest version of the OWASP Top 10 Vulnerabilities is about to be finalized. This talk discusses how to use these guidelines, both old and new, to perform security testing. In too many instances, security is the last phase of the SDLC. Using the OWASP Top 10 list, developers and testers can become more aware of potential vulnerabilities. This will improve their coding and testing skills, allowing them to build more robust code.

      This presentation discusses each of the latest vulnerabilities defined in the 2017 version of the OWASP Top 10. It includes testing strategies or failure scenarios which lead to exploitation. Best practices are discussed, all within the condensed time frame of a 10 minute firetalk.

    • 45 Mins
      Talk
      Intermediate

      I have interviewed 14 of the 17 Agile Manifesto authors for a special podcast project. Originally the intent was to capture the intent of the authors and to chronicle the manifesto story. What emerged was much more. The story of why the event was needed, what the vision was, and what we have ruined in agile were all artifacts of the project. One beautiful outcome was the emergence of 3 themes in all 14 conversations. This talk covers the real story behind the rise and fall of Business Agile in industry and what we can do to reclaim it.

    • Alden Hinds / Jerry Frese - Agile Transformation at the IRS: What Ken Schwaber didn't teach us

      45 Mins
      Case Study
      Intermediate

      In the 1040 environment of strict compliance, frequent audits and heavy penalties, the IRS has been pursuing the adoption of agile practices in order to realize faster project delivery that also results in better quality products. We now have bright spots throughout the enterprise, but getting here was a journey in which we had to adapt the traditional teachings of Scrum to the IRS culture. In this presentation, we will discuss the agile transformation journey of the IRS and provide the audience with a transformation framework that accounts for our lessons learned in a bureaucratic organization. The IRS is by no means the pinnacle of Scrum; we have a lot to learn. We hope that by sharing our challenges, other agencies undergoing transformation efforts will be able to avoid our missteps and learn from our actions.

    • David Fogel / Yogita Dhond - TAS'mania! Successes (and failures) at TSA Agile Services

      45 Mins
      Case Study
      Intermediate

      TSA Agile Services (TAS) began on January 4th, 2017 after extensive collaboration with contracting officials, various bids, and the Agile community. Come hear the aspects that have enabled successful delivery within a government agency. TAS encompasses over 65 applications supported by a team of 80+ people. Also - because transparency is a large key to our success - we will cover the failures we have experienced and the struggles we are still working on. Lastly - it is important for contractors and government to work closely together - this presentation will be co-presented by two Agile Coaches: one is a federal employee and the other a contractor.

    • Max Saperstone - Importance of Testing Planning for DevOps

      10 Mins
      Lightning Talk
      Beginner

      In the agile world, it's important to remember that planning and documentation are still important and serve a purpose. While agile promotes "working software over comprehensive documentation," it doesn't say to ignore documentation as much as we'd all often like to think. When developing a working DevOps pipeline, it is important to understand what your quality gates are, what thresholds you expect, and where you expect these to be. A well documented test plan should inform the pipeline, and provide information and details as to what constitutes working code. Too often this DevOps work is done out of sync with Testers, which then either means quality definitions don't line up, or additional re-work has to be put in to align software confidence goals.

    • Max Saperstone - Testing with a Rooted Mobile Device

      45 Mins
      Talk
      Advanced

      Traditional applications are tested through the GUI and through all exposed APIs. However, typical mobile app testing is only done through the front-end GUI. In addition, performance and security details are not readily available from the mobile device. Max Saperstone demonstrates some benefits of testing a native mobile application on a rooted device—one with privileged access control. Although Max does not describe how to root a device, he shares how to access back-end processes and test at this detailed level. He discusses the technical controls made available through a rooted device—together with its auditing, logging, and monitoring—and describes the gathering of additional metrics. Max demonstrates tools for penetration testing, sniffing, and network hacking; shares how to access application data directly; and shows how data security is implemented for the application. Learn how to use the admin rights associated with a rooted device to examine device performance and to simulate interrupts and system faults.


    • Richard Mills - Accelerating Agile with CI/CD Success Patterns in the Real World

      45 Mins
      Experience Report
      Intermediate

      I've worked with many customers over the years introducing various aspects of continuous integration and continuous delivery (CI/CD) into their Agile development processes. Everyone starts from a different place, sees different benefits, and ultimately follows a different journey. In this session, I'll talk about my experiences with a few recent troubled clients who gained significant benefits around quality and delivery speed with some less-than-obvious improvements.

      You don't have to be perfect to see some of the benefits of modern DevOps practices. The guiding principles are around software delivery pipeline design and DevOps engineering. The software delivery pipeline is critical to delivering working software in any Agile development process and, as such, even small improvements can have a marked impact on your ability to deliver software to your customers. Furthermore, the DevOps delivery pipeline must be engineered for success -- just like the software we produce with it. It's important to provide incremental DevOps capability, treat everything as code, account for usability of your pipeline, and use automation to incorporate assurance activities as far left in the process as possible.

      By applying some proven success patterns in CI/CD and DevOps engineering, I'll show how we were able to improve team involvement with the entire delivery process, reduce defects, and improve the team's ability to rapidly deploy and test changes.

    • Aleksandra Derkacheva / Ben Morris / Joshua Seckel / Trey White - What the FLASH? Moving toward agile government contracts.

      45 Mins
      Case Study
      Intermediate

      DHS FLASH was a grand experiment to develop a truly agile software development contract for all of the Department of Homeland Security. It was impressive in scale ($1.5b) and its innovative prototype-based competition model. 111 firms put in proposals and 11 were successful.

      Unfortunately, the contract was cancelled after a protest process. However, procurement and contracting are perhaps the biggest constraint to improving IT delivery for government.

      This panel examines this experience to discuss what happened, what went well, and what could be improved. Members of successful FLASH awardee teams will discuss the experience and process, then facilitate a discussion of how to make this model work.

      Note: the panel members will be refined in prep for the session. At a minimum, we can get some diversity of vendor participants from winning teams - and would welcome government-side participants as well.

    • Ryan Kenney - Learning from Agile in the Army
      Ryan Kenney, Consultant, Coveros, Inc.
      45 Mins
      Talk
      Beginner

      The military has a crucial place in the origins of the IT industry, but is there more we could learn from the world’s most effective fighting force? The military is focused on delivering results, and has been doing so for hundreds of years. That being said, it is not without its pitfalls, and not every practice will translate over well into an Agile environment. During this talk, I will use both my military and Agile experience to show you how you can improve your Agile process, or even start the transition to Agile. I’ll cover topics such as valuing role over rank, driving success from quantitative results, improved retrospective formats, and more.