In this paper:

1. What is DevSecOps?

2. Why is it important for the financial services industry?

3. Key considerations

4. Case Study Summary

5. How Gen Advisory can support

6. References

What is DevSecOps

DevOps represents an important and recent cultural shift that removes previous siloes and aligns software development and IT operations teams. DevOps refers to the ongoing, intentional integration into one team, of developers and IT operations. Its purpose is to automate and integrate software development and IT operations in order that the single DevOps team can build, test, and release software quickly and reliably.

DevSecOps is an attempt to extend the DevOps idea to include Security-related development and operations. DevSecOps is an extension of DevOps to include a “security” component as well. The practice of integrating security controls, tools, and processes in an automated fashion results in a DevSecOps pipeline that automatically scans all new code for potential vulnerabilities leaving time to focus on developing value-adding functionalities.

DevSecOps goes beyond merely deploying security tooling. DevSecOps requires knowledge and expertise in the use of those tools and evolving development and operations culture to the point where everyone feels responsible for security. This represents a further breaking down of pre-existing siloes. Historically the Cyber Security team has been at times been seen as aloof and unhelpful.

The transformation of DevOps to DevSecOps requires the formal application of the following four ‘pillars’: Governance, People, Process, and Technology. Formal focus on the four pillars enables appropriate levels of effort and oversight to be applied across an organisation’s transformation journey from DevOps to DevSecOps. The four pillars are interconnected and build on each other’s strengths. Governance is about applying the appropriate level of oversight across the security framework and specifying the roles and responsibilities required. The ‘people’ pillar emphasises that DevSecOps requires both a cultural and a capability shift from the enlarged team. People will need to change their way of working, acknowledge and accept the benefits of the DevSecOps approach, and be trained in new skills.

New processes (pillar 3) will align development, test, and security early in the process, rather than applying security as an add-on before a solution goes live. Employees will work with new processes and technology (fourth pillar) that will increase the effectiveness and efficiency of the development pipeline, supported by lean processes to glue everything together. DevSecOps is the early integration of the development, IT operations, and security and compliance parts of your organisation into a single process flow. It extends the core principles of DevOps (which emphasise constant collaboration between developers and IT operations admins) to include the cybersecurity and compliance team, too. The goal of DevSecOps is to ensure that your organisation’s security experts are constantly plugged into the development, test, and ongoing IT operations within your business. DevSecOps minimises barriers to communication and maximises opportunities to share ideas and collaborate in solving problems related to compliance security that could exist at any part of your software delivery chain.

Why is it important for the financial services industry? suggests approaching DevOps, and by extension DevSecOps, by means of the following three stages: ‘Run the Bank (RTB)’, ‘Change the Bank (CTB)’ and ‘Transform the Bank (TTB).’ From the point of view of an ADI or a Fintech, it is important to adopt a holistic view of DevSecOps. The core idea of the holistic approach is to remove the historic barriers and cultural rivalries between developers, IT operations and the CyberSecurity teams. For ADIs and FinTechs, the benefits arise in an enhanced ability to reduce non-discretionary spending and simplify previously ignored maintenance, operations and infrastructure silos. By adopting DevSecOps, the cost of maintenance can be reduced considerably, therefore releasing funds from the ‘Run the Bank’ stage for discretionary use in the ‘Change the Bank’ and ‘Transform the Bank’ stages.

The ultimate goal for a DevSecOps-led transformation is “full automation” with “zero maintenance”. As the technology and approach evolve, improved return on investment (ROI) is expected to justify the cost and effort required to make that happen. DevSecOps can enable a business shift in focus from effort delivered to value delivered. The business value of digital transformation of an application or suite of applications will be more easily seen.

The core repeatable activities of DevSecOps-led process simplification will surface through improvement cycles and the setup of feedback loops at each stage.

· Security is crucial in the process of DevSecOps-led simplification. The increase in automation, cloud adoption, pipeline creation, IoT adoption and more is surfacing many new security concerns, which in turn, is driving an increased focus on DevSecOps.

· Security processes will potentially need to move their execution to earlier points in the pipeline and be divided into stages based on iterations sizes and deployment cycles.

· Focus on bringing the application and role-based security into the process earlier.

Banks need to focus on how they remain compliant within the letter of the law while operating in a fast-changing regulatory landscape, and how they can stay compliant in a cost-efficient way. Banks and their fintech partners will pay ever closer attention to changes in regulatory law. Fintech’s can augment core banking skills by ensuring that changes in regulations are implemented in the DevSecOps process in a timely manner and that legal expertise on hand to help interpret new regulatory information as it is released or whenever a new policy is introduced, to stay ahead of the competition, cut costs and mitigate regulatory risk. ADI’s should also adopt and develop their internal DevSecOps capabilities.

There is an opportunity for partnership between fintechs and ADIs in the area of DevSecOps. Regulatory change is coming thick and fast, so maximising the number of eyes focused on regulatory challenges makes sense. Left to their own devices, internal developers and IT Ops may not pay sufficient attention to regulatory policy and regulatory change. That has not, historically, been a core part of their role. All that is changing. It is necessary for DevSecOps teams to be in constant communication with the corporate security and compliance team. The core corporate team will educate DevSecOps about new regulatory issues enabling them to make changes to software delivery workflows accordingly.

It is essential to ensure that software coming down the pipeline is ready to meet new regulatory requirements. The apps or features that you designed a week or a year ago may no longer meet compliance requirements. DevSecOps helps to avoid that situation by ensuring that compliance challenges are a part of the thought process at an early stage in the delivery pipeline. The approach allows teams to embed compliance within IT policies. At the heart of DevSecOps is the idea that security and compliance should not exist in silos. Instead, they should be integrated into IT operations across the entire organisation. Doing this ensures concern for compliance is a regular, consistent practice that becomes the default for the software development process and teams. That’s much safer than treating compliance as something that you tack onto your IT processes by allowing compliance experts to review software after it is complete. Lastly, saving time and money while increasing security and quality is an obvious advantage. Integrating compliance review directly into a software delivery process saves everyone time. If compliance reviews take place on a continuous basis as the software is updated, compliance experts can deliver value in real-time. Working closely with software teams also helps to translate new regulatory needs into action quickly, which also saves time. And with more efficient use of time, of course, come monetary savings, too.

Key challenges

· Identity and access control Organizations struggle to provision and control access consistently across IaaS, PaaS and SaaS services due to the lack of centrally managed identities and access rights

· Monitoring and response Organizations need visibility and control of access to data and services, regardless of location, and they must respond rapidly to any emerging threat or vulnerability.

· Data leakage How do you protect sensitive data from leaking out of cloud storage services and code repositories, where the cost of leakage can be huge in terms of both reputational damage, loss of intellectual property, and subsequent non-compliance penalties?

· Governance Ownership of strategy and risk is not always defined, leading to a lack of control, with little agreement on how to secure ways of working

· Skills shortages Cloud skills are at a premium, while cloud security skills are even rarer

· Defence in Depth Code scanning tools and ‘writing secure code’, the two security functions most readily absorbed within a DevSecOps framework, only cover a portion of the security landscape and do not cover the gamut of ‘Security in Depth’. The challenge for DevSecOps going forward will be to integrate security in-depth into the team process.


To sum it up, Customers expect strong security, and that requires taking DevOps practices to the next level – DevSecOps. Using existing security models and practices, which "bolt-on" security at the end stage of development, doesn’t suit an environment that is defined by frequent change across a growing set of digital touchpoints, thereby increasing the opportunity for breaches. Hence the need for a delivery process that builds in and automates security from the very start. A DevSecOps approach can facilitate this, removing boundaries that previously existed between information security and DevOps teams. Rather than treating security as an afterthought, delivering secure code is integrated into the full life cycle.