Credit Suisse DevOps Expo 2019 - Zurich
Table of Contents
- Introduction
- What do we get by implementing DevOps methodologies?
- What are the challenges?
- The Cloudy Shift (The GBU)
- How do we achieve a DevSecOps environment?
- Lesson Learned
Introduction
The DevOps Expo took place on June 5th 2019 at Credit Suisse’s offices in Zurich. The event aimed to cover different aspects of DevOps methodologies. It also focused on how a big company such as Credit Suisse can deliver software more efficiently.
It was a pleasure to be part of this expo and have the opportunity to share my experiences over the years as a DevOps Architect. I’ve been working on several projects transforming business models and creating application cycles. My presentation was named “Merging Security and Enterprise DevOps: DevSecOps” and it was focused on how we should include Security at an early stage in the Software Development Life Cycle (SDLC).
What do we get by implementing DevOps methodologies?
We can reduce time and accelerate processes while improving performance and profits. DevOps helps to increase the frequency of releases so you can innovate and improve your product or service faster. This means that the quicker you can release new features and fix bugs, the faster you can respond to your customers’ needs and build a competitive advantage.
What are the challenges?
Nowadays, IT plays an important role in every organization by increasing the business benefits. Through IT we can provide innovation and agility. To achieve this, we need to reduce the time from one cycle to another. That means that, while the Development team is trying to deliver as fast as they can, the Operations team is trying to keep the environment as stable as they can, and on top of that, the Security team wants to keep everything as secure as possible. We therefore need to combine these teams’ efforts in a single process to make this cycle reliable.
The Cloudy Shift (The GBU)
We consider that Cloud migration and DevOps methodologies should be aligned in order to generate possibilities for automation. This new paradigm empowers developers and increases the collaboration between Development and Operations, bringing GOOD synergy.
However, sometimes the Security team is involved late in this process, causing BAD consequences and delays.
This leads to the UGLY part, where Security starts blocking releases and agility goes down, putting the business goals at risk.
After all this, how can we avoid these issues? Start treating Security as an important ally that needs to be engaged from the first step.
How do we achieve a DevSecOps environment?
By bringing DevOps and Security teams together. It is more about an organizational change, meaning that everyone (including Managers and Heads) should include this in their agenda.
There should be a mind shift in the whole DevOps team to make Security a priority and to understand that everyone is responsible for it. Both teams should share knowledge to avoid reinventing the wheel all the time.
When we look at the Software Development Lifecycle (SDLC), this leads to a shift (of security) to the left. Instead of Security being added very late in the cycle, we want security as early as possible, ideally even in the plan and code stages.
Integrating Security automation is an important aspect. Manual steps should also be eliminated as much as possible to prevent human error and make the process more agile.
The Security team shall be peer-reviewed when changes happen, if possible existing patterns/design
Lesson Learned
What we learned today is that Security needs to be the first priority and part of the DNA of your DevOps practices, and also that Security needs to be automated.