DevSecOps in banking - maturing your approach to modern applications

Companies in the banking sector are undergoing a range of digital transformation initiatives, and while these projects are necessary to remain competitive, they can also bring problems. Making use of modern application design approaches and navigating cloud migrations can create intelligence gaps if not addressed, threatening the reliability and security of all digital banking services. This is particularly problematic for security.

All banks have invested heavily in their security teams and infrastructure. According to Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC), banks commit between six-to-fourteen percent of their information technology budgets to cybersecurity. This averages out to about ten percent at each bank. According to research by Kaspersky, financial services organisations spend around three times more than non-banking companies. Alongside such a heavy commitment, banks face severe consequences if any mistakes are made or customer accounts are hacked.

The dilemma here is how to manage the growth taking place around data, how to transform that data into insights for banks, and how to keep this approach secure over time. Banking IT teams have to support all their business functions to operate and collaborate around data, but they also have to create better processes and controls around all this new infrastructure while still keeping all the existing IT protected. We want the speed, the quality software improvements, and better manage these advancing, complex systems and digital services.

Implementing DevSecOps

Part of the answer is how to integrate security and development together so that everyone involved can collaborate during the development lifecycle. Integrating security into the DevOps process - commonly referred to as DevSecOps - involves more discussions around how security and compliance driven objectives can be harnessed and included across the software development lifecycle (SDLC) process.

DevSecOps is a response to the bottleneck effect of older security models around software development. To make DevSecOps work in practice involves looking at culture on your teams. This should be based on ongoing, flexible collaboration between everyone involved, from architects and site reliability engineers through to security operations teams, to create ‘security as code.’ This should see security as a necessary part of all developer activities, rather than a step for someone else to go through.

The goal is to bridge traditional gaps between IT and security while ensuring the fast and safe delivery of code. Silo tools and thinking is being replaced by democratisation around data and shared responsibility models of security processes across the SDLC.

While everyone likes the idea of ‘More Data,’ it can also mean dealing with a ‘Data Deluge.’ Security analysts at banks and financial institutions normally spend their time looking at data that provides insight into potential risks, attacks taking place and threats that attackers might look to exploit over time internally and externally. This data comes from many sources across a bank’s infrastructure and applications, as well as external sources for threat intelligence and risks. By consolidating all this information into contextual and actionable insights for security, teams can prioritise threats to resolve, prevent problems and recover faster.

All this machine data will contain logs, metrics, tracing and events, which are exactly what software developers will use for their application performance monitoring, troubleshooting and feature planning. By using this data together, developers and security analysts can collaborate on what is needed. This can also make it easier for developers to foresee potential security requirements in their applications, or see where new changes will impact compliance and performance. 

What does this mean in practice?

To implement DevSecOps across teams, there are six areas that you will need to consider:

1. Code analysis – this involves looking at modern applications and microservices code in a componentised manner, so vulnerabilities can be identified and isolated quickly. By managing telemetry in real-time, this provides greater context for developers.

2. Change management & correlation – improving this process can increase your speed and efficiency by allowing anyone to submit changes based on objectives, then determine whether the change is good or bad. By tracking delivery by objectives and observing those indicators over time, it makes it easier to manage potential problems.

3. Compliance monitoring – this helps software and security teams be ready for an audit at any time. This also means that your operations and cloud infrastructure should be in a constant state of compliance, including gathering real-time evidence of GDPR compliance, PCI, ISO compliance, and so on.

4. Threat detection & investigation – this identifies potential emerging threats to ensure that your whole team is able to respond quickly – not just security – and all unnecessary noise is removed.

5. Vulnerability assessment – this uses real-time code inspection of new vulnerabilities alongside code analysis. This can tell you how quickly problems are being responded to and patched.

6. Security framework & best practices  – this covers how you enable and onboard your software developers and IT engineers with modern, progressive guidelines and validations  for high productivity and performance across the SDLC. By leveraging modern practices in place, you can continue to improve over time.

Using these steps you can look at how to integrate DevOps and security together. This will involve greater collaboration, communication and shared responsibility for your teams. However, if you haven’t yet implemented DevSecOps, this can help you support your organisation’s digital-first banking plans.