From Continuous Delivery To Continuous Compliance

Continuous Delivery (CD) and regulatory compliance are two critically important ingredients in today’s connected organizations. CD enables you to move quickly and respond to change in an era where change is increasing at an exponential rate with no sign of slowing down. Regulatory compliance ensures that your organization takes the appropriate steps to follow applicable laws, and it appears to require adding burdensome processes and controls to your software development lifecycle. While the two appear to be at odds with one another at first, they actually complement each other well. Maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls can be difficult, but integrating these tasks within your CD pipeline is easier than you think. Using examples from real-world projects in organizations just like yours, Brandon explains how to integrate compliance and reporting into your CD pipeline using tools you already know, such as pair programming, Jenkins, Chef, Metasploit, and others, leading you to the regulatory promised land known as “Continuous Compliance”.


Outline/structure of the Session

I start the talk off with a story about getting audited and ask the audience to describe their own experiences. Most of the stories the audience shares are nightmares.

Next I tell them about an experience I had that went really well: the best audit I have ever participated in, and how easy it is to get there.

We discuss the myths and facts surrounding compliance and how much work we already do that satisfies regulatory requirements.

Next we discuss how you can integrate compliance into your Agile process including your CI/CD pipeline.

Finally we wrap up and close with questions.

Learning Outcome

Basic compliance myths and facts

How you can immediately start to integrate security and compliance into your process

Things you can integrate into your CI/CD pipeline that automate compliance

Target Audience

Anyone who works with or for an organization that wants to move fast but must do so within a regulated environment such as NIST, SOX, etc.

Prerequisite

Understand the basics of Test-Driven Development, Acceptance Test-Driven Development, Agile and DevOps.

Submitted 2 months ago


  • Liked PHILLIP MANKETO

    PHILLIP MANKETO - Building Strong Foundations…. Underwriting Fannie Mae’s Agile Transformation

    45 mins
    Experience Report
    Advanced

    Over the course of the last two and one-half years, Fannie Mae has worked aggressively to transform itself from a heavily silo’d and firmly entrenched command and control culture, following a gated workflow, with long release cycles, to an Agile organization.  Today, Fannie Mae is a more dynamic value oriented organization that is responsive to stakeholders, focused on achieving greater efficiency by enabling fast-feedback loops, as well as using empirical data to optimize mature and persistent agile values and practices.  


    Within the larger context of the transformation to enterprise agility, this Experience Report will focus on the case for change, Fannie Mae’s journey and the corresponding challenges, benefits and key learnings realized.  Our conclusion, while it is important to build bridges with business stakeholders, mature agile teams, leverage automation and embrace the values and principles of the agile manifesto… a successful and longstanding transformation is dependent upon the unrelenting focus on changing the ecosystem supporting the organization’s change at the outset.

  • Liked Gene Gotimer

    Gene Gotimer - Experiences Bringing Continuous Delivery to a DoD Project

    Gene Gotimer
    Technical Manager
    Coveros, Inc.
    3 weeks ago
    Sold Out!
    45 mins
    Experience Report
    Beginner

    Not every continuous delivery initiative starts with someone saying "drop everything. Let's do DevOps." Sometimes you have to grow your practice incrementally. And sometimes, you don’t set out to grow a practice at all; you are just fixing problems with your process, trying to make things better.

    I'll walk through a case study of how our team worked on an exemplar project for the Department of Defense to show that agile could work in a decidedly waterfall culture. I’ll also discuss techniques and tools we used to bring a DevOps mindset and continuous delivery practices into an environment that wasn't already Agile.

    I'll talk about how we were able to start in development, where we had the most control, with a "let's start being Agile" initiative and working on "why is continuous integration important?" From there, we tackled one problem after another, each time making the release a little easier and a little less risky. We incrementally brought our practices through other environments until the project was confidently delivering working, QA-tested, security-tested releases that were ready for production every two weeks. I’ll discuss the journey we took and the tools we used to build quality into our product, our releases, and our release process.

  • Liked Brian Sjoberg

    Brian Sjoberg - Why Are We Going So Slow? ... Time to Get Your Productivity Game On!

    45 mins
    Workshop
    Beginner

    Are you struggling with delivering a potentially releasable working product every iteration? Ever wonder what one of the biggest reasons we have difficulty getting things done at the individual, team and organizational level is? Do you keep doing something even though you know it reduces your productivity and lowers quality? We are going to run an exercise that highlights one of the major culprits that you have all experienced and probably continue to experience. The exercise will likely ignite a little (or big) fire in your belly that will help you become more productive and improve the quality of your work. From this, we will discuss ways to improve this at the individual, team and organization levels.

  • Liked Leland Newsom

    Leland Newsom - Comparing Scaling Frameworks - LeSS and SAFe

    Leland Newsom
    Agile Coach
    CapTech Ventures
    2 months ago
    Sold Out!
    45 mins
    Talk
    Beginner

    Scaling Agile is easily misunderstood. Scaling is the term we often hear used to describe using Agile methods with large enterprises. Larger enterprises often deal with bigger and more complex problems than small ones. They have more employees, subcontracting companies, different business units, more processes and a strong culture that defines how things are done. At the same time, they need to be able to deliver results in an ever-changing business environment. They need to be Agile but the bigger the company, the bigger the challenges are for scaling Agile.


    Scaling frameworks available in the market today are maturing quickly and provide a variety of choices. Like the Agile Manifesto, these frameworks are based on principles, and they vary widely in the specificity of the recommended approach.


    In this session, we will compare how two scaling frameworks, LeSS and SAFe, address the challenges of agility at scale. We will talk about how these two frameworks align, coordinate, and manage dependencies across multiple teams to maintain consistency and agility at scale.


  • Liked Manjit Singh

    Manjit Singh - What Effective Agile Contracts Look Like

    45 mins
    Talk
    Intermediate

    The Agile Manifesto has been around for over 16 years. That seems like enough time for organizations to adapt to Agile processes and get the hang of writing Agile contracts. Yet, when it comes time for US Federal Agencies to enter into a contract about Agile work processes and deliverables, we're still seeing Waterfall language persist.

    If we want to see Agile software development contracts that are truly aligned for the best interests of all parties involved, there are a few steps that we need to take. Learn what these steps are in this presentation.


  • Liked Ben Morris

    Ben Morris - The 12 Factor App, a primer on the 'manifesto' for DevOps & cloud-native apps

    Ben Morris
    Consultant
    STSI
    2 months ago
    Sold Out!
    10 mins
    Talk
    Beginner

    If you haven't heard of The 12 Factor App, you probably will soon. Think of it as "the agile manifesto for DevOps." This talk helps you quickly become familiar with the basics of the 12 Factors that make applications cloud ready or "cloud native."

    This talk allows you to trade 10 minutes of your time in order to get a bit smarter. Learn *just* enough to be dangerous, and use that knowledge to impress developers by spewing buzzwords like persistence, disposability, statelessness, and port binding. At least be able to push back intelligently when someone is telling you the app can't be put on the cloud. Learn what is meant by "livestock, not pets" and where to find out more if the talk sparks your imagination.

  • 45 mins
    Talk
    Intermediate

    As we have seen from recent reports in the news and elsewhere, cyberattacks come from many sources. How can we use Agile practices to improve an organization's information security posture?

    In this session, Dan and Paul will discuss techniques that can help make information security an important part of software development and speed your response to threats. They will discuss the use of hardening pipelines, dark stories, and user stories/acceptance criteria that map to policy guidance based on NIST 800-53 controls, and how each approaches improving your security posture from a different angle.

  • Liked Kevin Burnett

    Kevin Burnett - Navy Agile Roadblocks and How to Overcome....or Not

    45 mins
    Talk
    Beginner

    Agile in the Department of Defense is frustratingly difficult to implement. Acquisition regulations and cyber security policies impact successful agile development endeavors for the Navy. During this session, I will detail the successes and failures of agile development as it is being applied to the My Navy Portal program, which is the single point of entry, self-service portal for sailors to manage their careers from hire to retire. I will discuss the acquisition, systems engineering process, and cyber security issues encountered during this agile development endeavor and how we either succeeded or failed to resolve them.