Credit Suisse DevOps Expo 2019 - Zurich
- 3 minsTable of Contents
- Introduction
- What do we get implementing DevOps methodologies?
- What are the challenges?
- The Cloudy Shift (The GBU)
- How do we achieve a DevSecOps environment?
- Lesson Learned
Introduction
On June 5th 2019 took place the DevOps Expo at Credit Suisse’s offices in Zurich. The aim of this event was to cover different aspects of DevOps methodologies. It also focused on how a big company such as Credit Suisse can work in a more efficient way of delivering software.
It was a pleasure to be part of this expo and have the opportunity to share my experiences over the years as a DevOps Architect. I’ve been working in several projects transforming business models and creating application cycles. My presentation was named “Merging Security and Enterprise DevOps: DevSecOps” and it was focused on how we should include Security on an early stage in the Software Development Life Cycle (SDLC).
What do we get implementing DevOps methodologies?
Basically, we can reduce time and accelerate processes. At the same time, improve the performance and the profits. It helps to increase the frequency of releases so you can innovate and improve your product or service faster. This means, the quicker you can release new features and fix bugs, the faster you can respond to your customers needs and build competitive advantage.
What are the challenges?
Nowadays, IT plays an important role in every organisation by increasing the business benefits. Through IT we can provide innovation and agility, to achieve this, we need to reduce time from one cycle to another. That means, while the Development team is trying to deliver as fast as they can, Operations team try to keep the environment as more stable as they can, and on the top of these, Security team wants to keep as much secure as possible. That means we need to combine these teams efforts in a single process to make this cycle reliable.
The Cloudy Shift (The GBU)
We consider that the Cloud migration and DevOps methodologies should be aligned in order to generate possibilities for automation. This new paradigm empowers developers and increases the collaboration between Development and Operations bringing GOOD sinergy.
However, sometimes the Security team is involved late in this process causing BAD consequences and delays.
Which leads to the UGLY part where Security starts blocking releases and with this the agility goes down putting in risk the business goals.
After all these, how can we avoid the issues? Start thinking that the Security is an important ally and needs to be engaged from the first step.
How do we achieve a DevSecOps environment?
Bringing DevOps and Security teams together. It is more about an organizational change, meaning that everyone (also Managers and Heads) should include this in their agenda.
There should be a mindshift in the whole DevOps team to make Security as priority and to understand that everyone is responsible for this. Both teams should share knowledge to prevent reinventing the wheel all the time.
When we look at the Software Development Lifecycle (SDLC) this leads to a shift (of security) to the left. Instead of Security being added very late into the cycle we want security as early as possible so ideally also even in the plan and code stages
Integrating Security automation is an important aspect, also manual steps should be eliminated as much as possible to prevent human error and make the process more agile.
The Security team shall be peer reviewed when changes happen, if possible existing patterns/design
Lesson Learned
What we learned today is that Security needs to be the first priority and make it part of the DNA of your DevOps practices and also that Security needs to be automated.
Sergio Tocalini
Software Engineer / DevOps Engineer / Full-Stack Developer / SRE