, 25 tweets, 9 min read Read on Twitter
Jihai Zhou is going to tell us about implementing DevSecOps in large banks. #DevOpsDays
In Jihai’s experience in London, a strong concept of DevOps has developed over the last 3-4 years. He just moved to HSBC’s Technology China office and finds the awareness of DevOps is less developed there (so far!). #DevOpsDays
Now he’s started to introduce DevSecOps there too. 💪 DevOps means better, faster cooperation between teams to deliver software... but rapid development conflicts with security. So let’s remove the barrier with security too! #DevOpsDays
DevSecOps was originally called DevOpsSec (Gartner, 2012). The idea behind the name change is to ‘left-shift’ the security mindset to the dev team, before release of software. #DevOpsDays
This can make the process faster, reducing the security bottleneck at the end of the software development cycle. Building automated tools for devs to integrate security into their work can also improve outcomes. #devopsdays
There are technical and cultural challenges in DevSecOps—but the cultural ones are most important. Devs might not think security is their job, and if they do, they might not have the knowledge to take charge of fixing issues. #DevOpsDays List of tech and cultural challenges
Jihai has spent a lot of time selling Dev(Sec)Ops to teams. He says the most important people to convince are not developers but management. #DevOpsDays
Best practices for cultural DevSecOps change: first, ongoing training. Teach devs to think from the attacker’s perspective, with practical exercises; ensure standards are implemented correctly and knowledge is spread efficiently. #DevOpsDays
You need a Security Champion to coordinate and track security issues to the security advisor, and you need buy-in from management. Explain what vulnerabilities mean in biz terms.
You can run exercises between teams to practise security processes. There was a contest between HSBC’s Indian and Chinese teams just this week! Jihai wanted to include a photo of the winners but he wasn’t allowed to. :( #devopsdays
Technical and process best practices: mostly automation! Nothing will work consistently if you don’t automate it. Publish security monitoring on dashboards so that feedback loops are short and you (and managers) can’t ignore it. #devopsdays
There are three stages in Jihai’s model of adopting DevSecOps:
1) Integrate cyber security tools
2) Set up training
3) Establish a cyber security mindset: dedicate resources to it, make sure there’s an expert in every team
#DevOpsDays
After three months, Jihai reckons the dev teams in the trial have built up enough knowledge to fix the security issues they discover in their work. 💪 There are 1500 devs in the Guangzhou office: he’s rolling it out to all of them in the next six months. #DevOpsDays
Jihai recommends Checkmarx as a DevSecOps tool for vulnerability scanning and reporting. It has a Jenkins plugin so you can integrate it easily into your CI/CD. Very nice dashboard for displaying issues. #DevOpsDays
Another option is Sonatype Neuxs IQ Server. It’s FOSS and also integrates into CI/CD. :) #devopsdays
But... don’t forget the tools are just the beginning. Only people can *fix* the issues they find!

- I use Jira, I’m agile!
- I use Jenkins, I’m a DevOps!
- I use Checkmarx, I’m a DevSecOps!

🤨 You need to use the tools to improve, or it’s pointless.
#DevOpsDays
For ongoing training, the tools often have embedded study materials. :) Click on the ❓ in the dashboard and see how to fix your actual issue: limited but practical help. #devopsdays
The best overall training materials Jihai’s found are at securecodewarrior.com/training (looks like fun from the screenshots!) #DevSecOps
Q: first question to the organisers: when do we rename DevOpsDays to DevSecOpsDays?

@matemaz: well, DevOps should include DevSecOps... or we could just rename it. :)
#devopsdays #devsecopsdays?
Q: how to convince management of the value of DevSecOps?

A: you really need to go from the top. Try to find any senior management people you can, or business level, and *talk* to them about it. (Cont)
(Cont) One colleague convinced the compliance dept to get into DevOps by telling the manager, “You lose 4 million dollars a year not doing this!” Not sure how he quantified it, but that helped. That and talking to the right person. #devopsdays
Q: how is your CI/CD platform secured? A: it’s completely internal infrastructure.
Another way to get business invested in DevSecOps: set up cross-funtional teams (‘pods’) with devs and business people working together. #devopsdays
For the legacy teams/projects, Jihai focuses on helping them build up knowledge, but for new teams, they start from a DecSecOps mindset right away. #devopsdays
@threadreaderapp Please unroll, thank you!
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Rae Knowler
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!