ALM and DevOps in the Health Industry
Agile/DevOps in the Health Industry
Olivier Robert @XwaldRob
Software development for the health industry. Is it more complicated? Any different? More challenging?
Safety: high risk, medium risk, low risk (software is modular and in constant flux, so classification is complicated)
Regulations: constraints, approvals, …
Compliance (CE marking, national laws and standards)
Overall complexity: hardware, calculations, data manipulation, …
-> Can be challenging for any software engineer
-> Requirements are paramount!
-> Testing, verification and validation are essential!
-> The project's success depends heavily on building the right team with the right skills
Why Agile?
[Chart: traditional development vs. agile development, compared on visibility, adaptability, business value and risk]
Agile: connecting IT
Why DevOps?
[Diagram: the DevOps value chain, business requirements -> DEV -> QA/Test -> OPS/PROD -> users, with feedback flowing back along the chain]
Culture: shift from fear of failure to failing fast, and from silos to collaboration
Automation: remove repetitive, error-prone manual tasks
Lean: work in small batches and trim whatever is not needed
Measure: technical metrics and business metrics
Share: successes and failures, in a blameless approach
Security
Security Architecture
[Diagram: security architecture building blocks, grouped under Identity & Management, API Security and Threat Protection]
- Key management, token management, certificate management
- Policy management, user management
- Authentication, authorisation, policy enforcement, traffic management
- Logging, auditing
- Key store, policy store, log store
- TLS, DDoS protection
- Quota, rate limiting
- Payload protection
- Analytics
Security: reality and perception
Often:
- security happens at the end of the development process
- or doesn't happen at all
- apps are picked for review selectively and at random
- the security report or veto has little to no consequence
- when security is taken a little more seriously, it can kill weeks or months of development
Vision:
- it's a black box
- it's only pen testing
- it's the last validation step
- risk evaluation and perception are not shared or understood
DevOps: "Wild West" or beneficial for security?
"Security by design" ethos: integrate security from the get-go
- defensive coding
- security-focused configurations: app, network, storage
- code review
- pair programming
- static code analysis
- unit testing
- integration testing
- automated security testing
- regulatory constraint testing
- infrastructure as code
- automated deployment
Multidisciplinary teams integrating network, DB, security, storage, QA, sysadmins, …
Include security in every step of the value chain
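The slides list automated security testing and "security in every step of the value chain" but do not show a mechanism for it. The following is an added example, not code from the presentation, of a pipeline security gate: a CI job feeds a scan report into it and the build proceeds only if it returns 0, so a finding has a consequence instead of being a report nobody acts on. The JSON report format, rule identifiers, file paths, waiver list and fixed date are all constructed for illustration and do not correspond to any specific scanner's output.

```python
"""Pipeline security gate (added example, not from the presentation).
The report format, rule identifiers, paths and waivers are constructed
for illustration and do not match any specific tool's output.
"""
import json
from dataclasses import dataclass
from datetime import date

# Ordering used to compare a finding against the blocking threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Fixed "today" so the waiver-expiry logic is reproducible offline (assumption).
GATE_DATE = date(2024, 1, 15)

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int

@dataclass(frozen=True)
class Waiver:
    """A time-boxed, justified exception; there are no permanent waivers."""
    rule_id: str
    path: str
    expires: date
    reason: str

@dataclass(frozen=True)
class GateResult:
    passed: bool
    blocking: list  # findings at or above threshold with no valid waiver
    waived: list    # (finding, waiver) pairs covered by an unexpired waiver

def parse_report(text: str) -> list:
    """Parse the constructed JSON report into Finding objects."""
    data = json.loads(text)
    return [Finding(f["rule_id"], f["severity"].lower(), f["path"], int(f["line"]))
            for f in data["findings"]]

def evaluate(findings, waivers, threshold="high", today=GATE_DATE) -> GateResult:
    """Policy: block on any finding at or above threshold unless validly waived."""
    min_rank = SEVERITY_RANK[threshold]
    blocking, waived = [], []
    for f in findings:
        # Unknown severities rank 0 and are ignored rather than blocking.
        if SEVERITY_RANK.get(f.severity, 0) < min_rank:
            continue
        match = next((w for w in waivers
                      if w.rule_id == f.rule_id and w.path == f.path
                      and w.expires >= today), None)
        if match is None:
            blocking.append(f)
        else:
            waived.append((f, match))
    return GateResult(passed=not blocking, blocking=blocking, waived=waived)

# Constructed sample report: four findings of mixed severity.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule_id": "hardcoded-secret", "severity": "critical",
     "path": "src/config.py", "line": 12},
    {"rule_id": "sql-injection", "severity": "high",
     "path": "src/db.py", "line": 40},
    {"rule_id": "weak-hash", "severity": "medium",
     "path": "src/auth.py", "line": 8},
    {"rule_id": "insecure-tls-verify", "severity": "high",
     "path": "src/client.py", "line": 22},
]})

# Constructed waivers: one still valid on GATE_DATE, one already expired.
SAMPLE_WAIVERS = [
    Waiver("sql-injection", "src/db.py", date(2024, 3, 1),
           "parameterised-query fix scheduled in sprint 12"),
    Waiver("insecure-tls-verify", "src/client.py", date(2023, 12, 1),
           "legacy test endpoint; waiver lapsed"),
]

def run_gate(report_text=SAMPLE_REPORT, waivers=SAMPLE_WAIVERS,
             threshold="high", today=GATE_DATE) -> int:
    """Print the verdict and return the exit code for the CI job."""
    result = evaluate(parse_report(report_text), waivers, threshold, today)
    for f, w in result.waived:
        print(f"WAIVED  {f.severity:8} {f.rule_id} {f.path}:{f.line} "
              f"(until {w.expires}: {w.reason})")
    for f in result.blocking:
        print(f"BLOCK   {f.severity:8} {f.rule_id} {f.path}:{f.line}")
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1

if __name__ == "__main__":
    raise SystemExit(run_gate())
```

In a real pipeline the report would come from the scanner's output file and the waiver list from a reviewed file kept in the repository next to the code it covers. The two design points are that the exit code turns a finding into a build failure, and that exceptions carry an owner-set expiry date so they lapse instead of silently becoming permanent.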
Business lifeline = the customer
- customer oriented
- gather feedback
- prioritise
- incrementally deliver value
- collaborate, adapt, accept change in a controlled way
- protect and shield your customer and your business
- integrate the skill sets needed