From Continuous Delivery To Continuous Compliance

Oct 16th 03:15 PM - 04:00 PM | Executive Boardroom | 16 Attending

Continuous Delivery (CD) and regulatory compliance are two critically important ingredients in today’s connected organizations. CD enables you to move quickly and respond to change in an era where change is increasing at an exponential rate with no sign of slowing down. Regulatory compliance ensures that your organization takes the appropriate steps to follow applicable laws, and appears to require adding burdensome processes and controls to your software development lifecycle. While they appear to be at odds with one another at first, they actually complement each other well. While maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls can be difficult, integrating these tasks within your CD pipeline is easier than you think. Using examples from real-world projects in organizations just like yours, Brandon explains how to integrate compliance and reporting into your CD pipeline using tools you already know, such as pair programming, Jenkins, Chef, Metasploit, and others, leading you to the regulatory promised land known as “Continuous Compliance”.

 
 

Outline/structure of the Session

I start the talk off with a story about getting audited, then ask the audience to describe their experiences. Most of the stories the audience shares are nightmares.

Next I tell them about an experience I had that went really well: the best audit I have ever participated in, and how easy it is to get there.

We discuss the myths and facts surrounding compliance and how much work we already do that satisfies regulatory requirements.

Next we discuss how you can integrate compliance into your Agile process including your CI/CD pipeline.

Finally we wrap up and close with questions.

Learning Outcome

Basic compliance myths and facts

How you can immediately start to integrate security and compliance into your process

Things you can integrate into your CI/CD pipeline that automate compliance

Target Audience

Anyone who works with or for an organization that wants to move fast but does so within a regulated environment such as NIST, SOX, etc.

Prerequisite

Understand the basics of Test-Driven Development, Acceptance Test-Driven Development, Agile and DevOps.

Submitted 6 months ago


  • Gene Gotimer - Experiences Bringing Continuous Delivery to a DoD Project

    Gene Gotimer
    Technical Manager
    Coveros, Inc.
    4 months ago
    Sold Out!
    45 Mins
    Experience Report
    Beginner

    Not every continuous delivery initiative starts with someone saying "drop everything. Let's do DevOps." Sometimes you have to grow your practice incrementally. And sometimes, you don’t set out to grow a practice at all-- you are just fixing problems with your process, trying to make things better.

    I'll walk through a case study of how our team worked on an exemplar project for the Department of Defense to show that agile could work in a decidedly waterfall culture. I’ll also discuss techniques and tools we used to bring a DevOps mindset and continuous delivery practices into an environment that wasn't already Agile.

    I'll talk about how we were able to start in development, where we had the most control, with a "let's start being Agile" initiative and working on "why is continuous integration important?" From there, we tackled one problem after another, each time making the release a little easier and a little less risky. We incrementally brought our practices through other environments until the project was confidently delivering working, QA-tested, security-tested releases that were ready for production every two weeks. I’ll discuss the journey we took and the tools we used to build quality into our product, our releases, and our release process.

  • Mike Cottmeyer - Agile Transformations Explained

    Mike Cottmeyer
    CEO & President
    LeadingAgile
    4 months ago
    Sold Out!
    45 Mins
    Talk
    Intermediate

    Leading a large-scale agile transformation isn’t about adopting a new set of attitudes, processes, and behaviors at the team level… it’s about helping your company deliver faster to market, and developing the ability to respond to a rapidly-changing competitive landscape. First and foremost, it’s about achieving business agility. Business agility comes from people having clarity of purpose, a willingness to be held accountable, and the ability to achieve measurable outcomes. Unfortunately, almost everything in modern organizations gets in the way of teams acting with any sort of autonomy. In most companies, achieving business agility requires significant organizational change.
    Agile transformation necessitates a fundamental rethinking of how your company organizes for delivery, how it delivers value to its customers, and how it plans and measures outcomes. Agile transformation is about building enabling structures, aligning the flow of work, and measuring for outcomes based progress. It's about breaking dependencies. The reality is that this kind of change can only be led from the top. This talk will explore how executives can define an idealized end-state for the transformation, build a fiscally responsible iterative and incremental plan to realize that end-state, as well as techniques for tracking progress and managing change.

  • James Gifford - 5 Metrics to Create Safety and High Performing Teams

    45 Mins
    Tutorial
    Intermediate

    Description:

    I see that a lot of organizations use metrics in inappropriate ways to measure teams. At the heart of these metrics, nine times out of ten, are velocity and story points. These metrics lead to a lot of mistrust, fear, and bad technical practices. This talk will focus on shifting the focus to diagnostic metrics.

     Before shifting focus to diagnostic metrics, we need to understand what inappropriate metrics are. When questioning teams about why their velocity was lower from one sprint to another, teams are more likely to inflate their estimates to avoid questions in the future. This is one of my scenarios. We will explore this case and my other top-ten based on the 165 teams I have interacted with. Focusing on one metric does not provide a balanced view of the team.

    For balance, I promote five metrics. The combination of metrics balances each other. These five metrics are lead time, quality, happiness, agile maturity, and business value. Focusing on these five metric areas can be used as a diagnostic tool to help teams grow and support coaching. During the session, we will use my Excel-based tool and visual model to simulate this balance.

    When you push shorter lead times (how fast) on a team with a lower agile maturity, the first thing to change is quality, followed by happiness and then the delivery of value. Conversely, if a team focuses on TDD, the first thing to change is quality, followed by agile maturity, reduction in lead time, and increased delivery of value.  

    Teaching teams to harness data in a positive way will help them to flourish.

  • Phillip Manketo / Dave McMunn - Building Strong Foundations…. Underwriting Fannie Mae’s Agile Transformation

    45 Mins
    Experience Report
    Advanced

    Over the course of the last two and one-half years, Fannie Mae has worked aggressively to transform itself from a heavily silo’d and firmly entrenched command and control culture, following a gated workflow, with long release cycles, to an Agile organization.  Today, Fannie Mae is a more dynamic value oriented organization that is responsive to stakeholders, focused on achieving greater efficiency by enabling fast-feedback loops, as well as using empirical data to optimize mature and persistent agile values and practices.  

     

    Within the larger context of the transformation to enterprise agility, this Experience Report will focus on the case for change, Fannie Mae’s journey and the corresponding challenges, benefits and key learnings realized.  Our conclusion: while it is important to build bridges with business stakeholders, mature agile teams, leverage automation and embrace the values and principles of the agile manifesto… a successful and longstanding transformation is dependent upon the unrelenting focus on changing the ecosystem supporting the organization’s change at the outset.

  • Brian Sjoberg / Julie Wyman - Why Are We Going So Slow? ... Time to Get Your Productivity Game On!

    45 Mins
    Workshop
    Beginner

    Are you struggling with delivering a potentially releasable working product every iteration? Ever wonder what one of the biggest reasons we have difficulty getting things done at the individual, team and organizational level is? Do you keep doing something even though you know it reduces your productivity and lowers quality? We are going to run an exercise that highlights one of the major culprits that you have all experienced and probably continue to experience. The exercise will likely ignite a little (or big) fire in your belly that will help you become more productive and improve the quality of your work. From this, we will discuss ways to improve this at the individual, team and organization levels.

  • James Gifford - Descaling the Enterprise Instead of Scaling Agility

    45 Mins
    Workshop
    Intermediate

    In spite of all of the nuanced discussions, debates and frequent diatribes, scaling agile is about one thing: getting large groups of teams to deliver value in an organized fashion while maintaining empathy, rapport, trust, safety, and ownership across the enterprise. During this session, we will explore the case study of the Value Stream Container, looking at organization design, challenges and success. Focusing in on topics ranging from

    • Organization designs used by WL Gore, The Dunbar number

    • Delivery Triads - Product, Delivery, Technical Excellence

    • Venture capital style funding

    • Focusing on business value

    The second half of the session is a workshop focused on creating a Value Stream Container and resource based on team funding 

  • Ben Morris - The 12 Factor App, a primer on the 'manifesto' for DevOps & cloud-native apps

    Ben Morris
    Consultant
    STSI
    5 months ago
    Sold Out!
    10 Mins
    Talk
    Beginner

    If you haven't heard of The 12 Factor App, you probably will soon. Think of it as "the agile manifesto for DevOps." This talk helps you quickly become familiar with the basics of the 12 Factors that make applications cloud ready or "cloud native."

    This talk allows you to trade 10 minutes of your time in order to get a bit smarter. Learn *just* enough to be dangerous, and use that knowledge to impress developers by spewing buzzwords like persistence, disposability, statelessness, and port binding. At least be able to push back intelligently when someone is telling you the app can't be put on the cloud. Learn what is meant by "livestock, not pets" and where to find out more if the talk sparks your imagination.

  • Leland Newsom - Comparing Scaling Frameworks - LeSS and SAFe

    Leland Newsom
    Agile Coach
    CapTech Ventures
    6 months ago
    Sold Out!
    45 Mins
    Talk
    Beginner

    Scaling Agile is easily misunderstood. Scaling is the term we often hear used to describe using Agile methods with large enterprises.  Larger enterprises often deal with bigger and more complex problems than small ones. They have more employees, subcontracting companies, different business units, more processes and a strong culture that defines how things are done. At the same time, they need to be able to deliver results in an ever-changing business environment. They need to be Agile but the bigger the company, the bigger the challenges are for scaling Agile. 

     

    Scaling frameworks available in the market today are maturing quickly and provide a variety of choices. Like the Agile Manifesto, these frameworks are based on principles, and they vary widely in the specificity of the recommended approach.

     

    In this session, we will compare how two scaling frameworks, LeSS and SAFe, address the challenges of agility at scale.  We will talk about how these two frameworks align, coordinate, and manage dependencies across multiple teams to maintain consistency and agility at scale. 

     

  • Manjit Singh - What Effective Agile Contracts Look Like

    45 Mins
    Talk
    Intermediate

    The Agile Manifesto has been around for over 16 years. That seems like enough time for organizations to adapt to Agile processes and get the hang of writing Agile contracts. Yet, when it comes time for US Federal Agencies to enter into a contract about Agile work processes and deliverables, we're still seeing Waterfall language persist.

    If we want to see Agile software development contracts that are truly aligned for the best interests of all parties involved, there are a few steps that we need to take. Learn what these steps are in this presentation.

  • 45 Mins
    Talk
    Intermediate

    As we have seen from recent reports in the news and elsewhere, cyberattacks come from many sources. How can we use Agile practices to improve an organization's information security posture?

    In this session, Dan and Paul will discuss techniques that can help make information security an important part of software development and speed your response to threats. The use of hardening pipelines, dark stories, and user stories/acceptance criteria that map to policy guidance based on NIST 800-53 controls will be discussed and how each approaches improving your security posture from a different angle.

  • Jess Long - Kaizen Land - Gamifying Stand Up and Overcoming Anti Patterns

    Jess Long
    Agile Coach
    Barclaycard US
    6 months ago
    Sold Out!
    45 Mins
    Experience Report
    Intermediate

    Learn how the gingerbread men are taking over the daily Stand Up and forever changing the mornings of teams everywhere.

    Have your Daily Stand-Ups become stale? We’ll talk through the evolution of an idea that ended up demolishing monotony, obliterating anti-patterns and spawning smiles… and to think, it all started when my daughter and I were playing Candy Land!

    We’ll talk through the implementation of a game board during one team’s stand up through the infectious adoption and evolution of its existence. You’ll hear how teams tackled some of their greatest impediments and helped build a zone of psychological safety all while having fun.

    By the end of this session, you’ll be prepared to bring this back to your team and create your own success stories.

  • Kevin Burnett - Navy Agile Roadblocks and How to Overcome....or Not

    45 Mins
    Talk
    Beginner

    Agile in the Department of Defense is frustratingly difficult to implement. Acquisition regulations and cyber security policies impact successful agile development endeavors for the Navy. During this session, I will detail the successes and failures of agile development as it is being applied to the My Navy Portal program, which is the single point of entry, self-service portal for sailors to manage their careers from hire to retire. I will discuss the acquisition, systems engineering process, and cyber security issues encountered during this agile development endeavor and how we either succeeded or failed in resolving them.

  • Jess Long - Empowering Performance Through Servant Leadership

    Jess Long
    Agile Coach
    Barclaycard US
    6 months ago
    Sold Out!
    45 Mins
    Tutorial
    Intermediate

    This session is focused around leading your teammates toward success over managing them off a cliff.

    Most of us who have had the pleasure of coaching a scrum team have adopted the mindset of servant leadership. But what about directors and middle management?!

    Do you have teammates reporting to you who work on Scrum teams that you’re not part of?

    Do you report to a manager that might as well be on another planet?

    If you answered YES to either of these questions, this session is for you. We’ll talk through the shift of leading over managing and how we can use the framework of the retrospective as a tool to bridge gaps, manage performance and promote transparency. Whether you’re in a position of leadership or individual contribution, the values and mechanisms we review can be brought back to your organization.

  • Manisha Sharma - SAFe deliver business result

    Manisha Sharma
    Scrum Master
    Barclays
    6 months ago
    Sold Out!
    45 Mins
    Talk
    Intermediate

    How safe is SAFe? Is it too safe? Does it deviate from core Agile principles? This session is about how to successfully implement SAFe. It also talks about how to implement DevOps in a SAFe environment and achieve the maximum business benefit out of it.

  • Manisha Sharma - World where Dev and ops becomes Devops

    Manisha Sharma
    Scrum Master
    Barclays
    6 months ago
    Sold Out!
    45 Mins
    Talk
    Beginner

    This session is focused on the basics of DevOps.

    Most of us have heard the buzzword DevOps, and when we googled it there were many definitions of the word. But what exactly is DevOps?

    Is it a movement?

    A new process?

    A new technology?

    A job title?

    Or just a way of thinking?

    If you want to know the answer, then this session is for you. We’ll talk about DevOps in depth: its principles, methods and practices. We will also talk about its benefits and anti-patterns.