Trinh Tran & Dennis Stötzel Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world. In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory. We will cover the following topics in our talk: * Evolution of our project, from beginning with four engineers running in one office, to expanding to fifty engineers coming from three continents and different backgrounds, * Development, delivery and security as a requirement in an agile project, * The good, the bad and the ugly in technology, architecture and infrastructure.

1. Singapore | 28 Feb - 01 Mar 2019
Can dev, sec and ops really coexist
in the wild?
A real world case study
TRÌNH ĐỨC TRẦN & DENNIS STÖTZEL

2. Singapore | 28 Feb - 01 Mar 2019
TRÌNH ĐỨC TRẦN
trinh.duc.tran@mgm-tp.com
www.linkedin.com/in/tranductrinh/
DENNIS STÖTZEL
dennis.stoetzel@mgm-sp.com
https://www.linkedin.com/in/dennis-
stötzel-669421167/

3. Singapore | 28 Feb - 01 Mar 2019
•CONTENT
Introduction & Business Case
Security in Agile Processes
Automated Testing
Architecture Decisions

4. Singapore | 28 Feb - 01 Mar 2019
•INTRODUCTION

5. Singapore | 28 Feb - 01 Mar 2019
Client Insurer employeeBroker employee

6. Singapore | 28 Feb - 01 Mar 2019

7. Singapore | 28 Feb - 01 Mar 2019
Client Broker employee
Insurer employee
Back
Office
Sales
Platform
Contract request

8. Singapore | 28 Feb - 01 Mar 2019

9. Singapore | 28 Feb - 01 Mar 2019
Hamburg Munich
1 SEC 1 BA1 PM 3 DEVs

10. Singapore | 28 Feb - 01 Mar 2019
Hamburg Munich
Đà Nẵng Berlin
15 DEVs1 PM 6 BAs

11. Singapore | 28 Feb - 01 Mar 2019

12. Singapore | 28 Feb - 01 Mar 2019
•SECURITY IN AGILE PROCESSES

13. Singapore | 28 Feb - 01 Mar 2019
Security responsible
in a software
development team

14. Singapore | 28 Feb - 01 Mar 2019
Grooming Grooming
Planning
Review
Retrospective
Discuss with
Customer
Standup Standup StandupStandupStandup
Agile Cycle

15. Singapore | 28 Feb - 01 Mar 2019
Requirements

16. Singapore | 28 Feb - 01 Mar 2019
JIRA ticketJIRA ticketJIRA ticket

17. Singapore | 28 Feb - 01 Mar 2019
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket
JIRA ticket

18. Singapore | 28 Feb - 01 Mar 2019
Scale the sec role with the dev team.
1 sec for 10-20 devs
LESSON LEARNED

19. Singapore | 28 Feb - 01 Mar 2019
Involve security as early as possible
in the process.
LESSON LEARNED

20. Singapore | 28 Feb - 01 Mar 2019
•AUTOMATED TESTING

21. Singapore | 28 Feb - 01 Mar 2019
Penetration Testing
Back Office
Sales
Platform
Penetration
Tester

22. Singapore | 28 Feb - 01 Mar 2019
Penetration Testing
Sales
Platform
Penetration
Tester
Sales
Platform
Back Office

23. Singapore | 28 Feb - 01 Mar 2019
Penetration Testing
Penetration
Tester
FrontendFrontendFrontendFrontendFrontendFrontendFrontendFrontendFrontendSales
Platform
??
?
Back Office

24. Singapore | 28 Feb - 01 Mar 2019
UI & Authorization testing
FrontendFrontendFrontendFrontendFrontendFrontendFrontendFrontendFrontendSales
Platform
Back Office
Broker employee

25. Singapore | 28 Feb - 01 Mar 2019

26. Singapore | 28 Feb - 01 Mar 2019
mgm ATLAS
burp
Automation
Static
Analysis
Automated
Authorization
Tests
Dependency
Analysis
Pipeline
Integration

27. Singapore | 28 Feb - 01 Mar 2019
Performance testing
FrontendFrontendFrontendFrontendFrontendFrontendFrontendFrontendFrontendSales
Platform
Back Office

28. Singapore | 28 Feb - 01 Mar 2019

29. Singapore | 28 Feb - 01 Mar 2019
Manual testing does not scale well.
Especially not penetration testing.
LESSON LEARNED

30. Singapore | 28 Feb - 01 Mar 2019
Devs are not the right people
to design test cases.
True for security and feature tests.
LESSON LEARNED

31. Singapore | 28 Feb - 01 Mar 2019
A good test suite needs a great integration
between dev, sec, ops and ba.
LESSON LEARNED

32. Singapore | 28 Feb - 01 Mar 2019
•ARCHITECTURE DECISIONS

33. Singapore | 28 Feb - 01 Mar 2019
Back Office
Sales
platform
Rest APIs
Broker employee
Insurer employee
Sales
platform
Sales
platform
Sales
platform
Sales
Platform

34. Singapore | 28 Feb - 01 Mar 2019
German Sales Platform
mgm A12
Insurance products

35. Singapore | 28 Feb - 01 Mar 2019

36. Singapore | 28 Feb - 01 Mar 2019
German Sales Platform
mgm A12
Insurance products

37. Singapore | 28 Feb - 01 Mar 2019

38. Singapore | 28 Feb - 01 Mar 2019

39. Singapore | 28 Feb - 01 Mar 2019
Sales Platform CORE
A12
German Sales Platform
Sales Platform CORE
Insurance products
Configuration

40. Singapore | 28 Feb - 01 Mar 2019

41. Singapore | 28 Feb - 01 Mar 2019
3rd party frameworks lead to faster
features but painfully slow fixing of
bugs and security issues.
LESSON LEARNED

42. Singapore | 28 Feb - 01 Mar 2019
The more stakeholders are involved the
more dev and sec work becomes politics.
LESSON LEARNED

43. Singapore | 28 Feb - 01 Mar 2019
Make boring dev tasks more spicy by
combining them with ops work.
LESSON LEARNED

44. Singapore | 28 Feb - 01 Mar 2019
Questions?