ALM and DevOps in the health industry

Agile/DevOps in the Health Industry Olivier Robert @XwaldRob

Upload: agile-partner-sa

Post on 08-Jan-2017


TRANSCRIPT

Page 1: ALM and DevOps in the health industry

Agile/DevOps in the Health Industry

Olivier Robert @XwaldRob

Page 2: ALM and DevOps in the health industry

Software development for the health industry. Is it more complicated? Any different? More challenging?

Safety
- high risk
- medium risk
- low risk
(Software is modular, in constant flux: classification is complicated)

Regulations: constraints, approvals, …

Compliance (CE/Country laws and standards)

Overall complexity: hardware, calculations, data manipulation, …

-> Can be challenging for any software engineer
-> Requirements are paramount!
-> Testing, verification and validation are essential!
-> Project’s success depends heavily on building the right team with the right skills

Page 3: ALM and DevOps in the health industry

Why Agile?

[Figure: Traditional development vs. Agile development, with panels Visibility, Adaptability, Business Value, Risk]

Page 4: ALM and DevOps in the health industry

Agile

Page 5: ALM and DevOps in the health industry

Connecting IT

Page 6: ALM and DevOps in the health industry

Why DevOps?

[Figure: DevOps value chain, with stages Business requirements, DEV, QA/Test, OPS/PROD, Users, and Feedback]

Page 7: ALM and DevOps in the health industry

DevOps

Culture: shift from fear of failure to fail fast, from silo to collaboration

Automation: remove repetitive, error-prone human tasks

Lean: work in small batches, skim the fat that is not needed

Measure: technical metrics and business metrics

Share: success/defeat in a blameless approach

Page 8: ALM and DevOps in the health industry

Security

Security Architecture

Identity & Management

API Security

Threat Protection

Key Management

Token Management

Certificate Management

Policy Management

User Management

Authentication

Authorisation

Policy Enforcement

Traffic Management

Logging

Auditing

Key Store

Policy Store

Log Store

TLS

DDoS

Quota

Rate limiting

Payload Protection

Analytics

Page 9: ALM and DevOps in the health industry

Security: reality and perception

Often:
- happens at the end of the development process
- doesn’t happen at all
- apps are selected selectively and randomly
- security report or veto has little to no consequences
- when security is taken a little more seriously, it might kill weeks/months of development

Vision
- it’s a black box
- it’s only pen testing
- it’s the last validation step
- risk evaluation and perception are not shared or understood

Page 10: ALM and DevOps in the health industry

DevOps: “Wild West” or beneficial for security

“Security by design” ethos: integrate security from the get-go

- defensive coding
- security-focused configurations: app, network, storage
- code review
- pair programming
- static code analysis
- unit testing
- integration testing
- automated security testing
- regulation constraints testing
- infrastructure as code
- automated deployment

Multidisciplinary teams integrating network, db, security, storage, QA, sys admins …

Include security in every step of the value chain

Page 11: ALM and DevOps in the health industry

Business lifeline = customer

- customer oriented
- gather feedback
- prioritise
- incrementally deliver value
- collaborate, adapt, accept change in a controlled way
- protect/shield your customer/business
- integrate the skill sets needed