This document discusses DevSecOps principles for banks and financial institutions. It introduces DevSecOps as an evolution from DevOps that incorporates security practices like risk assessments, security testing, and compliance monitoring directly into the development lifecycle. The presentation outlines key DevSecOps principles like establishing security requirements upfront, implementing controls like access management and logging, and conducting continuous security testing. It provides an example of a Swiss bank that uses Kubernetes, Docker, and security tools from VSHN to operationalize DevSecOps and improve governance.
1. 1
DevOps & DevSecOps
In Swiss Banking
VSHN - The DevOps Company
Aarno Aukia, CTO
2021-11-18 SMIDEX Zürich
2. ● About Aarno & VSHN
● Why? From Dev to DevOps to
DevSecOps
● What? DevSecOps principles
● How? Concrete measures, team
topologies
● Who? Customer: Finnova AG Bankware
● Because? Resulting IT Governance &
Security benefits
Agenda
2
3. CTO & Co-Founder
@aarnoaukia a@vs.hn
ETH -> Google -> Atrila -> VSHN
VSHN - The DevOps Company
@vshn_ch https://vshn.ch
Since 2014, currently 48 VSHNeers in Zürich,
Switzerland
Helping developers run online businesses without
having to worry about operations and security
3
About Aarno & VSHN.ch
11. Collaboration between software developers and operations:
● Teamwork
● Continuous improvement
● Efficient and lean
● Agile: being able to react to new requirements
● Automate as much as possible (“Infrastructure as code”)
DevOps: People, Processes & Tools
11
17. ● Document “non-functional security requirements” for any new
product backlog -> objective criteria
● Support product teams with security requirements proactively
● Provide self-service tools to establish baseline quickly & scalably
○ AAI/SSO
○ LB/WAF, SSL/TLS/PKI/certificates
○ Logging
○ Scanning of code, containers, infrastructure
○ Dependency management & updates
○ (hardened) container platform
○ Configuration & secrets management (vault, HSM)
1. Increase trust & transparency
17
18. ● Proactively help product teams with data & availability risk
assessments
● Detect incidents quickly, limiting impact
2. Understand risk probability and impact
18
19. ● Which “non-functional security requirements” need to be done by
“beta” and which by “productive” launch?
● Which control (tool) scales over all applications/infrastructures,
increasing the security incrementally overall?
3. Incremental security improvement
19
20. ● “Security as code”
● Automated scanning, testing as part of the continuous delivery
pipeline
● “Shift-left” security scanning remediation from production to dev to
git-check-in
4. Continuous security in the pipeline
20
21. ● Automate dependency updates, monitor production compliance
● Work with software architecture teams to promote standardization
5. Standardize & update third-party SW
21
22. ● Automate processes -> integrity, less errors, no production access
needed
● Log changes, e.g. git commits and access logs
6. Govern with automated audit trails
22
23. ● Training & education, including practical applications
● Red teaming
7. Test preparedness with security games
23
28. ● Free & open standard, adopted by all major vendors (Google, AWS,
MSFT, Redhat, SUSE, IBM, etc)
● Available as managed service both on-premises and (private) cloud
● Provides integration in infrastructure (compute, storage,
networking)
● Provides optional integration in plattform (e.g. DBaaS, S3) services
● Infrastructure as code, automation, tools for DevOps processes
● Large ecosystem of auxiliary tooling & integration available
● Is being adopted as standard runtime by ISVs (Avaloq, Finnova,
Abacus, Adcubum, Ergon, etc)
Benefits of Kubernetes as abstraction
28
34. ● Developer and Operator of Banking Software used by ~100 Banks
● Based in Lenzburg, Switzerland
● Founded 1974
● ~400 Employees
Example: Finnova AG Bankware
34
38. ● “Full Stack Audit”
● Review design document
● Every layer was custom built
○ physical hardware
○ handcrafted servers
○ manual application deployment
● Review each layer
● Review each layer again next year...
Traditional IT governance
38
39. ● Standardized components
○ already audited, some even externally certified
○ re-used, economies of scale, CMMI level 5
○ tech controls (AAI, RBAC, logs/SIEM)
implemented once
○ financial controls implemented once
● Infrastructure: private/public cloud
● Ops: Container orchestration platform
● Review design document & platform
configuration
Cloud-native IT governance
39
40. ● prevent configuration drift through immutable infrastructure
● prevent manual errors through automation and less root access
● security by default through automation integration
● compute resources billable by project
● self-service-onboarding
● autoscaling, scale-down dev envs outside office hours
● vendor procurement/due diligence/certification management
● SLA, 24x7, service process, escalation management clearly defined
IT governance benefits
40
41. Thank you
41
41
Please get in touch with feedback @aarnoaukia a@vs.hn
https://www.linkedin.com/in/aukia/