From Continuous Delivery To Continuous Compliance

Washington DC | Oct 16th 03:15 - 04:00 PM | Executive Boardroom

Continuous Delivery (CD) and regulatory compliance are two critically important ingredients in today's connected organizations. CD enables you to move quickly and respond to change in an era where the rate of change is increasing exponentially with no sign of slowing down. Regulatory compliance ensures that your organization takes the appropriate steps to follow applicable laws, and it appears to require adding burdensome processes and controls to your software development lifecycle. While the two seem to be at odds at first, they actually complement each other well. Maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls can be difficult, but integrating these tasks into your CD pipeline is easier than you think. Using examples from real-world projects in organizations just like yours, Brandon explains how to integrate compliance checks and reporting into your CD pipeline using tools and practices you already know, such as pair programming, Jenkins, Chef, and Metasploit, leading you to the regulatory promised land known as "Continuous Compliance".
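As an added illustration of what "compliance in the pipeline" can look like in practice (this is example code written for this page, not material from Brandon's talk or from any of the tools it names): a small pipeline stage in Python that treats compliance controls as automated checks against a build artifact, emits a machine-readable evidence report that can be archived for auditors, and fails the build when a control regresses. The sshd_config samples are constructed, and the control identifiers (AC-6, AC-7, IA-5, CM-7) are assumed NIST SP 800-53 control labels chosen for illustration; a real mapping comes from your organization's own control baseline.

```python
"""Added example: a minimal "compliance as code" CD pipeline stage.

Each check inspects a configuration artifact and records evidence, tagged with
the control it satisfies. The control identifiers are ASSUMED NIST SP 800-53
labels used for illustration, not a mapping the talk provides. The stage
returns a report (archived as audit evidence) and a non-zero exit code so the
pipeline fails when a control regresses.
"""
import json
import sys
from dataclasses import dataclass, asdict

# Constructed sample artifact: an sshd_config as it might be extracted from a
# build image. A real pipeline would read it from the image under test.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""

# Constructed hardened counterpart, as the build should look after remediation.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Parse 'Key value' lines into a dict; sshd keys are case-insensitive,
    so they are lower-cased. Comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


@dataclass
class Finding:
    control: str   # assumed NIST SP 800-53 control label
    check: str     # human-readable check name
    passed: bool
    evidence: str  # what was actually observed, for the auditor


def _expect(cfg, key, control, check, predicate, want):
    """Evaluate one directive fail-closed: a missing directive is a failure,
    because the pipeline should not infer a safe default on the auditor's behalf."""
    value = cfg.get(key)
    passed = value is not None and predicate(value)
    return Finding(control, check, passed, f"{key} = {value!r} (want {want})")


# (directive, assumed control id, check name, predicate, expected value)
CHECKS = [
    ("permitrootlogin", "AC-6", "root login over SSH disabled",
     lambda v: v.lower() == "no", "no"),
    ("passwordauthentication", "IA-5", "password authentication disabled",
     lambda v: v.lower() == "no", "no"),
    ("maxauthtries", "AC-7", "failed logon attempts limited",
     lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
    ("x11forwarding", "CM-7", "X11 forwarding disabled (least functionality)",
     lambda v: v.lower() == "no", "no"),
]


def run_checks(cfg):
    return [_expect(cfg, key, ctl, name, pred, want)
            for key, ctl, name, pred, want in CHECKS]


def build_report(findings, artifact):
    failed = [f for f in findings if not f.passed]
    return {
        "artifact": artifact,
        "controls_checked": sorted({f.control for f in findings}),
        "passed": len(findings) - len(failed),
        "failed": len(failed),
        "findings": [asdict(f) for f in findings],
    }


def compliance_stage(config_text, artifact="sshd_config"):
    """Run every check; return (report, exit_code). Exit code 1 fails the build."""
    report = build_report(run_checks(parse_sshd_config(config_text)), artifact)
    return report, (1 if report["failed"] else 0)


if __name__ == "__main__":
    report, code = compliance_stage(SAMPLE_SSHD_CONFIG)
    print(json.dumps(report, indent=2))  # archive this output as audit evidence
    sys.exit(code)
```

Run as a pipeline step, the JSON report is the audit artifact: every control checked, the observed value, and pass/fail, produced on every build rather than reconstructed by hand before an audit. The same pattern extends to any artifact the pipeline can read (container image metadata, IAM policies, TLS settings).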


Outline/Structure of the Talk

I start the talk with a story about getting audited and ask the audience to describe their own experiences. Most of the stories they share are nightmares.

Next I tell them about an audit that went really well: the best audit I have ever participated in, and how easy it is to get there.

We discuss the myths and facts surrounding compliance and how much work we already do that satisfies regulatory requirements.

Next we discuss how you can integrate compliance into your Agile process including your CI/CD pipeline.

Finally we wrap up and close with questions.

Learning Outcome

Basic compliance myths and facts

How you can immediately start to integrate security and compliance into your process

Things you can integrate into your CI/CD pipeline that automate compliance

Target Audience

Anyone who works with or for an organization that wants to move fast but must do so within a regulated environment (NIST, SOX, etc.).

Prerequisites for Attendees

Understand the basics of Test-Driven Development, Acceptance Test-Driven Development, Agile and DevOps.

Submitted 3 years ago

  • Gene Gotimer - Experiences Bringing Continuous Delivery to a DoD Project

    Gene Gotimer, Principal Consultant, Coveros, Inc.
    3 years ago
    Sold Out!
    45 Mins
    Experience Report
    Beginner

    Not every continuous delivery initiative starts with someone saying "drop everything. Let's do DevOps." Sometimes you have to grow your practice incrementally. And sometimes you don't set out to grow a practice at all; you are just fixing problems with your process, trying to make things better.

    I'll walk through a case study of how our team worked on an exemplar project for the Department of Defense to show that agile could work in a decidedly waterfall culture. I’ll also discuss techniques and tools we used to bring a DevOps mindset and continuous delivery practices into an environment that wasn't already Agile.

    I'll talk about how we were able to start in development, where we had the most control, with a "let's start being Agile" initiative and work on "why is continuous integration important?" From there, we tackled one problem after another, each time making the release a little easier and a little less risky. We incrementally brought our practices through other environments until the project was confidently delivering working, QA-tested, security-tested releases that were ready for production every two weeks. I'll discuss the journey we took and the tools we used to build quality into our product, our releases, and our release process.

  • Phillip Manketo / Dave McMunn - Building Strong Foundations… Underwriting Fannie Mae's Agile Transformation

    45 Mins
    Experience Report
    Advanced

    Over the course of the last two and a half years, Fannie Mae has worked aggressively to transform itself from a heavily siloed and firmly entrenched command-and-control culture, following a gated workflow with long release cycles, into an Agile organization. Today, Fannie Mae is a more dynamic, value-oriented organization that is responsive to stakeholders, focused on achieving greater efficiency by enabling fast feedback loops, and using empirical data to optimize mature and persistent agile values and practices.

    Within the larger context of the transformation to enterprise agility, this Experience Report will focus on the case for change, Fannie Mae's journey, and the corresponding challenges, benefits, and key learnings realized. Our conclusion: while it is important to build bridges with business stakeholders, mature agile teams, leverage automation, and embrace the values and principles of the Agile Manifesto, a successful and long-lasting transformation depends on an unrelenting focus, from the outset, on changing the ecosystem that supports the organization's change.

  • Brian Sjoberg / Julie Wyman - Why Are We Going So Slow? ... Time to Get Your Productivity Game On!

    45 Mins
    Workshop
    Beginner

    Are you struggling with delivering a potentially releasable working product every iteration? Ever wonder what one of the biggest reasons we have difficulty getting things done at the individual, team, and organizational level is? Do you keep doing something even though you know it reduces your productivity and lowers quality? We are going to run an exercise that highlights one of the major culprits that you have all experienced and probably continue to experience. The exercise will likely ignite a little (or big) fire in your belly that will help you become more productive and improve the quality of your work. From this, we will discuss ways to improve at the individual, team, and organization levels.

  • Ben Morris - The 12 Factor App, a primer on the 'manifesto' for DevOps & cloud-native apps

    Ben Morris, Consultant, STSI
    3 years ago
    Sold Out!
    10 Mins
    Talk
    Beginner

    If you haven't heard of The 12 Factor App, you probably will soon. Think of it as "the agile manifesto for DevOps." This talk helps you quickly become familiar with the basics of the 12 Factors that make applications cloud ready or "cloud native."

    This talk allows you to trade 10 minutes of your time in order to get a bit smarter. Learn *just* enough to be dangerous, and use that knowledge to impress developers by spewing buzzwords like persistence, disposability, statelessness, and port binding. At least be able to push back intelligently when someone is telling you the app can't be put on the cloud. Learn what is meant by "livestock, not pets" and where to find out more if the talk sparks your imagination.

  • Leland Newsom - Comparing Scaling Frameworks - LeSS and SAFe

    45 Mins
    Talk
    Beginner

    Scaling Agile is easily misunderstood. Scaling is the term we often hear used to describe using Agile methods in large enterprises. Larger enterprises often deal with bigger and more complex problems than small ones. They have more employees, subcontracting companies, different business units, more processes, and a strong culture that defines how things are done. At the same time, they need to be able to deliver results in an ever-changing business environment. They need to be Agile, but the bigger the company, the bigger the challenges are for scaling Agile.

    Scaling frameworks available in the market today are maturing quickly and provide a variety of choices. Like the Agile Manifesto, these frameworks are based on principles, and they vary widely in the specificity of the recommended approach.

    In this session, we will compare how two scaling frameworks, LeSS and SAFe, address the challenges of agility at scale. We will talk about how these two frameworks align, coordinate, and manage dependencies across multiple teams to maintain consistency and agility at scale.

  • Manjit Singh - What Effective Agile Contracts Look Like

    45 Mins
    Talk
    Intermediate

    The Agile Manifesto has been around for over 16 years. That seems like enough time for organizations to adapt to Agile processes and get the hang of writing Agile contracts. Yet, when it comes time for US Federal Agencies to enter into a contract about Agile work processes and deliverables, we're still seeing Waterfall language persist.

    If we want to see Agile software development contracts that are truly aligned for the best interests of all parties involved, there are a few steps that we need to take. Learn what these steps are in this presentation.

  • 45 Mins
    Talk
    Intermediate

    As we have seen from recent reports in the news and elsewhere, cyberattacks come from many sources. How can we use Agile practices to improve an organization's information security posture?

    In this session, Dan and Paul will discuss techniques that can help make information security an integral part of software development and speed your response to threats. They will cover hardening pipelines, dark stories, and user stories/acceptance criteria that map to policy guidance based on NIST 800-53 controls, and how each approach improves your security posture from a different angle.

  • 45 Mins
    Talk
    Beginner

    Agile in the Department of Defense is frustratingly difficult to implement. Acquisition regulations and cyber security policies impact successful agile development endeavors for the Navy. During this session, I will detail the successes and failures of agile development as it is being applied to the My Navy Portal program, the single point of entry, self-service portal for sailors to manage their careers from hire to retire. I will discuss the acquisition, systems engineering, and cyber security issues encountered during this agile development endeavor and how we either resolved them or failed to.