DevSecOps

What does DevSecOps look like in large, highly-regulated organizations? We brought together security experts from private and public organizations to share their real-world stories of implementing DevSecOps in a the enterprise. 

Scroll down for synopses of talks by:

  • Chris Rutter, HSBC: Building Security into an Agile Cloud Transformation Project
  • Jon Allen and Mark Vodden: Journey to DevSecOps at Allianz
  • Mahbubel Islam: DevSecOps at the Department of Work and Pensions
  • Brendan Foxen: The Why and How of DevSecOps

Chris Rutter, HSBC: Building Security into an Agile Cloud Transformation Project

Mid to large enterprises find themselves needing to adopt agile transformation projects in order to keep up with the wave of startups that are nipping at their heels.

In this presentation, Chris walks us through a fictional 12-week ‘Transformation Alpha Project’ typical of an enterprise that is looking to prove the concept of DevOps in the cloud. He explores, on the one hand, the classic mistakes that he has seen time and again that result in massive delays and global hatred of security teams and, on the other, how restructuring teams around DevSecOps ways of working can result in a massive reduction in unplanned security work and the feeling that the security team are experts feeding into the project, rather than blocking it.

He covers:

  • What is the problem? Leaving 1 week for security at the end of a 12-week Agile sprint!

  • Understanding the problem: why security isn’t seen as a feature worthy of inclusion and why everyone hates security

  • What tools do we have? Why engagement is key to organizational change

  • Who does what? How to structure cross-functional teams

  • What is a DevSecOps Engineer? What does the person look like who can reduce ‘compliance lead time’?

  • Case study: example of how building security into an agile cloud transformation project works in practice!

Jon Allen and Mark Vodden, Allianz: Journey to DevSecOps at Alllianz

Allianz, the 34th largest company in the world, needed to change how it delivered software. They are struggling to go quickly and cost-effectively enough to see off the many new, more agile entrants into the insurance market.

In this presentation, Jon and Mark discuss their journey to DevSecOps in Allianz. They explore the reasons why Allianz needed to change, the pilot project they chose to prove the DevSecOps concept, what they learned from the implementation, and how it positively impacted the business.

In-depth they cover:

  • Challenges at Allianz: slow release management; process-driven project management; security not being seen as a major responsibility
  • Objective of DevSecOps project: create a new Quote and Buy website in 16 weeks – do it well, do it quickly, do it securely
  • Story of Approach: what was crucial to the engagement?
    • Having everyone in one room for training and building internal capability
    • The importance of building trust
    • Educating about cloud security responsibility – it’s not the Wild West!
    • How to be the Z-shaped security guy (combining business/security/tech understanding)
    • The importance of not being a pain in the arse
    • Stakeholder management: talk to lots of people!
  • Results: how did they get on?
    • 20% increase in sales in the first week
    • Shifted testing and remediation left with massive decrease in time to fix vulnerabilities
    • Data classification built into the app from the beginning
  • Summary: what worked?
    • They wanted to be there, to enable the business
    • They made decisions as a team
    • It was always about business risk and business impact.

Brendan Foxen, Technical Principal, Contino: The Why and the How of DevSecOps

In this presentation, Brendan talks about the challenges that arise when delivering software at high speed and high frequency and how to go about introducing DevSecOps best practice into your organization.

He highlights why security is the most important part of software delivery. Mistakes in this domain can cost jobs, have huge financial ramifications for the company and significantly impact people’s lives (e.g. through how their personal data is treated).

The content covers:

  • Enterprise security challenges: why it’s difficult to get things done, unclear responsibility and isolated teams

  • What DevOps/cloud brings: clearer responsibility and accelerated software delivery

  • Why DevSecOps: embeds security/compliance into SDLC, creates reusable artefacts, addresses the threats that arise from having “some” DevOps

  • Challenges delivering security at speed: old methods don’t scale, but still need to reassure stakeholders that risks are known

  • How to deliver DevSecOps: embed security in each layer

    • Process/roles/responsibility

      • Seeding DevSecOps guiding principals

      • Building a platform engineering team

    • Identity/secrets management

      • How to use HashiCorp Vault

    • Infrastructure design

      • What does the platform look like?

      • What do good stacks look like?

    • Software delivery

    • Best practice

Mahbubel Islam - Head of Secure Design: DevSecOps at the Department of Work and Pensions

The Department of Work and Pensions is the largest public sector department in the UK with over 100,000 employees looking after welfare, work and pensions for Britain’s citizens. The role of Mahbubul’s team is to provide DevSecOps support. They’re the ‘driving instructors’ for the organization in terms of DevOps, teaching people how to drive the vehicle of security and agile software delivery.

In this presentation, Mahbubel answers the following key questions:

  • How has the service DWP provides changed over the last 5-10 years?

  • As the Department creates more digital services, how do you ensure they are secure?

  • How do you balance responsive, agile software delivery with assurance and security?

  • What are some of the most significant challenges the Department faces in terms of security?

  • The department is driven by policy and compliance to legislation which presumably this factors into development activities. How does that work?

  • What are the DevSecOps principles and practices that you use to stay secure whilst innovating?

  • What does day-to-day DevSecOps look like in the DWP?

  • What does the future look like for service delivery in the Department?


  • Brendan Foxen

    Technical Principal