Better Governance
Banking on Continuous Delivery
Tapabrata “Topo” Pal
Sr. Director &
Sr. Engineering Fellow
tapabrata.pal@capitalone.com
@TopoPal
Jennifer Brady
Director, Technology Governance
jennifer.brady@capitalone.com
! Former Audit Director
! Current IT Governance Director
! Responsible for both a control
automation and data analytics
team
! Work with Data Scientists, Data
Engineers, and Developers
! Developer
! DevOps Evangelist
! Product Manager of Shared
Continuous Delivery Tools
Platform
! Creator and core contributor of
Hygieia DevOps Dashboard
Capital One
! Millions of accounts
! One of the largest Digital Banks
! #1 Information Week’s Elite 100
! ~ 20 years old
Different DNA
! Build our own software
! Build on public cloud
! MicroServices
! Open Source
! Continuous Delivery
Better Governance Banking on Continuous Delivery
https://github.com/capitalone
25 Projects
109 developers
12 teams
• Waterfall
• Manual Build
• Manual Deployment
• Manual Test
• Data Center
• Closed Source First
• Agile
• Automated Build
• Automated Deployment
• Automated Test
• Public Cloud
• Open Source First
5 Year Journey
Mostly Out-Sourced Mostly In-Sourced
Vertical Silos Product Team
Dev, Ops, QA, RM Engineers
5 Year Journey
! DOES 2014
Building out Automation steps
! DOES 2015
Scaling DevOps, Open Source, Cloud, Innovation
! DOES 2016
Measure, Improve, Mature
2017 and beyond
! #SlayTheMonolith
! #NoFearRelease
! #YouBuildItYouOwnIt
#YouBuildItYouOwnIt
! YOU Coded It, YOU Build It
! YOU Built It, YOU Test It
! YOU Tested It, You Deploy It
! YOU Deployed It, YOU Own It
#NoFearRelease
! Fear of speed
! Fear of breakdown
! Fear of being out of control
! Fear of being non-compliant
We want this…
And not this…
Safety in Continuous Delivery
Former Auditor’s Perspective
Welcome to the
Wild West
Image Credit http://www.freepik.com
Designed by Freepik
And at Capital One…
Image Credit: http://dkcoin8.com
Compliance
Compliance
Governance
Compliance vs Governance
Compliance = Checking the box
Governance = Awareness of and active management of risk
Three Lines of Defense
! 1st Line : Who Owns the Risk
! 2nd Line: Sets Policy, Monitors the Risk
! 3rd Line: Independent Assurance
What is the Developer’s Role in Governance?
! Awareness
! Risk mitigation
! Follow control best practices
Why Controls?
! Controls are there to protect you and the company
! Provide assurance around nancial reporting
! Provide comfort to investors
“Uncontrolled variation is the enemy of quality”
Minimum Set of Controls
! Two Sets of Eyes
! Least Privilege
! Unauthorized Change Monitoring
Automation is easy, almost, such as…
! Build on every commit
! Static code analysis on every build
! Scanning for open source vulnerability
! Static security scan
! Automated tests
! ….
Biggest hurdle
Ensure that a single developer cannot make changes to
production bypassing all controls
Options
! Separate team managing pipeline
! Separate team just to perform production deployment
! Hire professional “button pushers”
Assumptions
! Enough “button pushers” available
! They cannot code
! Cannot train them to do anything else
! But, they should know if it is okay to push the button
Better Governance Banking on Continuous Delivery
“the secret of change is to focus all your energy not on
fighting the old but on building the new”
Clean Room
A clean room or cleanroom is an environment, typically
used in manufacturing, including of pharmaceutical
products or scientic research, as well as semiconductor
engineering applications with a lower level of
environmental pollution such as dusts, airborne microbes,
aerosol particles and chemical vapors.
https://en.wikipedia.org/wiki/Cleanroom
Software Delivery Clean Room
! All product pipelines are identied and registered
! Everything is under source control
! Every change is peer-reviewed
! Production Changes occur only via code changes
! Nobody has access to production servers
! Every code change goes through various levels of testing
and scanning
! Pipeline stops or alerts if things fail
! Evidence is captured and evaluated in near real time
! Evidence is analyzed for discrepancies
Software Delivery Clean Room
Pipeline phases: DEVELOPMENT, TEST, IMPLEMENTATION / RELEASE, MONITORING
Controls by pipeline stage:
1 Source Control
1.1 Application code source controlled, enforcing no direct commits to master/release without peer review
1.2 Infrastructure code source controlled, enforcing no direct commits to master/release without peer review
2 Build
2.1 All changes to pipeline code (build/deploy job scripts) must be recorded and peer reviewed
3 Binary Repository and Application Versioning
3.1 No direct access to the binary artifact
4 Quality Checks
4.1 Build will be successful only if it passes static code analysis
4.2 Static code analysis configuration is reviewed by the team and approved by the PO
4.3 Every testable story must have a corresponding test case/scenario/step (functional tests traceable to story)
4.4 Test code source controlled, enforcing peer review and disallowing direct commits
4.5 Test automation job configuration peer reviewed and source controlled
4.6 A core set of test cases that are considered critical (e.g. critical business transaction / regression testing) must meet the passing threshold defined by the team lead
4.7 Performance test results must meet the passing threshold defined by the team lead
4.8 Must not use production raw data for testing
5 Security Checks
5.1 Static application security scan/testing results are reviewed and approved by the PO or Tech lead for app code
5.2 Infrastructure code security scan/testing results are reviewed and approved by the PO or Test lead
5.3 Open source security testing (build artifact has ONLY approved libraries)
5.4 Secret key management
5.5 App dynamic security scan/testing results are reviewed and approved by the PO/Tech lead
6 Deployment
6.1 Prod/Non-prod deployment scripts/configurations tested by the team
6.2 Prod deployments and test results (UAT/Exploratory) must be approved by the PO/Tech lead
6.3 Automated rollback process for production deployment must be tested in Prod and Non-prod
6.4 Must not have any connectivity or access between Prod and Non-prod environments
7 Support
7.1 Developers will not have write access in PROD
7.2 Separation between dev/test and prod environments enforced with access controls
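As an added example (not code from the deck or from Hygieia's audit API), the check below evaluates a constructed first-parent history of a protected branch against controls 1.1/1.2/4.4 (no direct commits without peer review) and the "Two Sets of Eyes" minimum control; the Commit and PullRequest fields are assumptions about what an SCM audit feed would provide.

```python
"""Added example (not from the deck or from Hygieia): checks a protected
branch's first-parent history against the clean room rules 'no direct
commits to master/release without peer review' (1.1 / 1.2 / 4.4) and
'Two Sets of Eyes'. The Commit/PullRequest fields are assumptions; a real
audit would fill them from the SCM's API."""
from dataclasses import dataclass, field


@dataclass
class Commit:
    sha: str
    author: str


@dataclass
class PullRequest:
    number: int
    author: str
    merge_sha: str                       # commit that landed on master
    approvers: list = field(default_factory=list)


def audit_branch(commits, prs, min_peer_approvals=1):
    """Return (sha, rule, detail) findings for every commit on the branch.

    `commits` is the first-parent history of master (merge or squash
    commits plus any direct pushes); `prs` are the merged pull requests.
    """
    findings = []
    pr_by_merge = {pr.merge_sha: pr for pr in prs}
    for c in commits:
        pr = pr_by_merge.get(c.sha)
        if pr is None:
            # No pull request produced this commit: a direct push to master.
            findings.append((c.sha, "direct-commit",
                             f"pushed by {c.author} without a pull request"))
            continue
        # Approvals that came from someone other than the change's author.
        peers = sorted({a for a in pr.approvers if a != pr.author})
        if not pr.approvers:
            findings.append((c.sha, "unreviewed",
                             f"PR #{pr.number} merged with no approval"))
        elif len(peers) < min_peer_approvals:
            # Only the author approved: one set of eyes, not two.
            findings.append((c.sha, "self-approved",
                             f"PR #{pr.number} approved only by its author {pr.author}"))
    return findings


# Constructed sample history: one clean merge and three discrepancies.
SAMPLE_COMMITS = [
    Commit("a1", "alice"),   # merged via PR #10, approved by bob
    Commit("b2", "bob"),     # direct push, no pull request
    Commit("c3", "carol"),   # PR #11, approved only by carol herself
    Commit("d4", "dave"),    # PR #12, merged with no approvals
]
SAMPLE_PRS = [
    PullRequest(10, "alice", "a1", ["bob"]),
    PullRequest(11, "carol", "c3", ["carol"]),
    PullRequest(12, "dave", "d4"),
]


def run_sample():
    """Audit the constructed history; three of the four commits are flagged."""
    return audit_branch(SAMPLE_COMMITS, SAMPLE_PRS)


if __name__ == "__main__":
    for sha, rule, detail in run_sample():
        print(f"{sha}: {rule}: {detail}")
```

The same walk over the branch history is what turns "evidence captured in near real time" into a discrepancy report: each finding is a control violation an auditor can trace back to a commit.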
@TopoPal
Result (2016 vs 2017)
# Products deploying multiple times a day:         ~20   ~300
Average # deployments per day:                     ~1    ~4
Max # deployments for a product in a single day:   ~30   ~50
Automating Clean Room Monitoring
Audit API
https://github.com/capitalone/Hygieia/tree/master/api-audit
Are you well managed if you are doing Continuous Delivery?
Are you well managed if you are not doing Continuous Delivery?
Thank You!
