risk control Archives - DevOps Online North America
https://devopsnews.online/tag/risk-control/
by 31 Media Ltd., Wed, 16 Jan 2019

XebiaLabs launches new DevOps risk and compliance solution
https://devopsnews.online/15307-2-xebialabs-risk-compliance/
Wed, 16 Jan 2019
Earlier this week, XebiaLabs, an independent software company specialising in DevOps and continuous delivery, announced the launch of a risk and compliance solution for enterprises.

The new solution features enhanced chain-of-custody reporting, a new security risk dashboard for software releases, and new at-a-glance compliance overviews.

According to XebiaLabs, these new features will enable enterprises to “release a chain of custody across the end-to-end CI/CD toolchain, from code to production”.

When teams have an effective risk and compliance management process in place, they can identify and deal with release failures or security issues early in the software delivery cycle.

“To effectively manage software delivery at enterprise scale, DevOps teams need a way to accurately manage and report on the ‘chain of custody’ and other compliance requirements throughout the software delivery pipeline,” said Derek Langone, CEO of XebiaLabs.

“It’s also vital for them to have visibility into the risk of release failures or security issues as early in the release process as possible. That’s when development teams can address issues the quickest without impacting the business.”

According to Langone, the industry demands higher transparency and maximum visibility.

“With XebiaLabs, we can enable our DevOps pipeline to meet or exceed those demands. There is great power and comfort in being able to see the data related to each release in a centralized tool and as early as possible in the delivery process. If we have a failure or risk of failure, we want to identify it early and trace its roots rapidly. XebiaLabs allows us to achieve that goal.”

The post XebiaLabs launches new DevOps risk and compliance solution appeared first on DevOps Online North America.

DevOps freedom in financial services
https://devopsnews.online/devops-freedom-in-financial-services/
Thu, 17 May 2018
Darrell Grundy, AWS Cloud Security Architect for one of the largest banks in the world, explains how one of the biggest challenges associated with financial services moving to cloud computing is deciding on the amount of flexibility and dynamism that can be granted to DevOps teams and their CI/CD pipelines.

The financial services sector is known for stringent governance and regulation of its information security controls, because of the inherent risks associated with financial payments, stock exchange trading rules and large volumes of customer information.

“This can be a shock to developers moving from small Internet start-ups to large financial services organisations”, said Grundy. “Obviously, there is a strong desire for banks to adopt modern software development practices in order to expedite the roll-out of new features to customers and staff and to increase their competitive edge. But striking the right balance between software development freedom, service reliability and information risk management is our main security challenge.”

DevOps pipelines

Cloud computing has championed the concepts of infrastructure-as-code, DevOps pipelines, short-lived compute instances and per-second billing. This has resulted in big gains for cloud customers in the time taken to build out the required computing environments and in the associated costs.

Grundy believes that “cloud computing, DevOps culture and agile software development have forced us to rethink how we manage information security controls in financial services. There’s a shift in focus from analysing the security of the product that drops out of the end of the pipeline to analysing the security of who can put what inside the pipeline.”

Cloud computing is ideally suited to automated software builds because of its API-based nature. Grundy admitted: “Developers want to automate as much of their process as possible for efficiency and error reduction reasons. It makes perfect sense for security to follow suit to ensure that integrating the necessary level of control does not introduce an unwanted manual process bottleneck.

“Wherever possible, we want software development teams to vet the quality and safety of their code themselves since they are the experts, which either means code change, manual peer review or automated tool equivalents. Security oversight thereafter can focus on areas of threat and vulnerability management, access control and accountability for pipeline involvement, all of which can make use of automated tooling to reduce laborious manual processes.”

Collapse of role separation

The merging of software development and software operations roles to form a DevOps practice is almost a given in small companies with limited headcount. But in larger financial services companies, software development and software operations roles have traditionally been separated for risk management and segregation of duties reasons.

“Segregation of duties (SoD) as a concept is important in financial services to reduce the risk of fraud, insider trading, data leakage and covering up mistakes without proper investigation. DevOps has collapsed one of the standard SoD requirements. That’s not to suggest that DevOps practices can’t be used within banks. It just means we have to satisfy the SoD requirement by other means, which can include embedded security staff within the DevOps team, automation of authentication secret assignment to services, privileged change activity monitoring, continuous compliance monitoring, etc,” he revealed.
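The two ideas Grundy raises above, controlling “who can put what inside the pipeline” and satisfying segregation of duties “by other means” (service-bound secrets, privileged change monitoring, continuous compliance checks), can be expressed as a policy that a release gate evaluates before a deployment proceeds. The following is an added illustration written for this page, not code from XebiaLabs, Grundy’s bank or any named product. The group memberships, the ReleaseEvent fields and the sample records are constructed assumptions; in a real pipeline they would come from the identity provider, the version control system and the deployment tool’s audit log.

```python
"""Illustrative segregation-of-duties check for a CI/CD release gate.

Added example, not XebiaLabs or bank code. It models the controls listed
above (SoD enforced in the pipeline, deploy secrets bound to a service
identity, privileged changes written to an audit trail) as a policy
evaluated over constructed release events. Group names, the ReleaseEvent
fields and SAMPLE_EVENTS are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical group memberships, as a directory lookup would return them.
DEVELOPERS = {"alice", "bob"}
APPROVERS = {"bob", "carol"}            # may overlap with developers; self-approval is what we forbid
PIPELINE_IDENTITIES = {"ci-deployer"}   # service principals allowed to hold production deploy secrets


@dataclass
class ReleaseEvent:
    change_id: str
    author: str           # who committed the change
    approver: str         # who approved the merge / release
    deployer: str         # identity that executed the deployment step
    secret_holder: str    # identity the deploy credential was issued to
    audit_logged: bool    # was the privileged action recorded in the immutable log


def sod_violations(ev: ReleaseEvent) -> List[str]:
    """Return the control failures for one release; an empty list means compliant."""
    problems: List[str] = []
    # Four-eyes principle: the person who wrote the change may not approve it.
    if ev.author == ev.approver:
        problems.append("author approved own change")
    if ev.approver not in APPROVERS:
        problems.append(f"approver {ev.approver!r} not in approver group")
    # Humans never hold production deploy credentials; only the pipeline identity does.
    if ev.secret_holder not in PIPELINE_IDENTITIES:
        problems.append(f"deploy secret issued to non-pipeline identity {ev.secret_holder!r}")
    if ev.deployer != ev.secret_holder:
        problems.append("deployment run by an identity other than the secret holder")
    # Accountability: every privileged change must land in the audit trail.
    if not ev.audit_logged:
        problems.append("privileged change not audit-logged")
    return problems


def gate_release(events: List[ReleaseEvent]) -> Dict[str, List[str]]:
    """Evaluate a batch of releases; return change_id -> violations for the non-compliant ones."""
    return {ev.change_id: v for ev in events if (v := sod_violations(ev))}


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    ReleaseEvent("CHG-1", "alice", "carol", "ci-deployer", "ci-deployer", True),  # compliant
    ReleaseEvent("CHG-2", "bob", "bob", "ci-deployer", "ci-deployer", True),      # self-approval
    ReleaseEvent("CHG-3", "alice", "carol", "alice", "alice", False),             # developer deployed with own credential, no audit record
]

if __name__ == "__main__":
    for cid, probs in gate_release(SAMPLE_EVENTS).items():
        print(cid, "->", "; ".join(probs))
```

Run stand-alone, the script reports CHG-2 and CHG-3 and stays silent on CHG-1. The point of the design is that none of the checks requires a separate operations team: the author/approver split replaces the old developer/operator split, the secret-holder check enforces that production credentials are assigned to the pipeline’s service identity rather than to people, and the audit flag is the hook for the continuous compliance monitoring Grundy describes.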

Additionally, there has been a collapse in the number of roles involved in building a cloud computing environment. Traditionally, banks have employed separate teams of subject matter experts (SMEs) tasked with designing, deploying and operating application platforms, covering areas such as system administration, networks, databases, application development, middleware and cryptography. The advent of DevOps culture has significantly changed this model.

Grundy commented: “The shared responsibility model associated with cloud computing has significantly changed SME role involvement. Partly, SME tasks associated with operating the underlying cloud service infrastructure have been relocated to the cloud provider. This means that DevOps teams predominantly have the skills to build and operate their applications single-handedly.

“However, I don’t believe DevOps staff would claim that they are experts in every aspect of computing that has security relevance. There still remains a security requirement for involving the bank’s SMEs to provide specialised input on security control decisions. Ultimately, the outcome of those decisions is integrated into the code that feeds the pipeline, and further in support of change management process and security compliance monitoring.”

Written by Leah Alger

The post DevOps freedom in financial services appeared first on DevOps Online North America.
