Open Source Summit Japan & Automotive Linux Summit 2020

Banks are very sensitive on data and therefore have a very high standard for the cyber security. Since 2018, we started to integrate Cyber Security into DevOps culture by running DevSecOps program, which aims to shift left the Cyber security mindset to the development teams through promoting DevSecOps tools combined with the relevant trainings. In this presentation, we will share how to integrate DevSecOps tools, such as Checkmarx, Contrast and Sonatype IQ into development CICD pipeline to discover vulnerability and produce reports through cyber security testing and scanning source code and 3rd party libraries. In addition, we will demonstrate three different ways to provide cyber security training to help development teams gradually grow their knowledge to have the capability to fix the vulnerability reported by DevSecOps tools, as well as establishing the new mindset over the time Finally, we build up a DevSecOps maturity model to measure the level of development teams’ cyber security ability. Based on the maturity level, the cyber security assessment before the production deployment will be simplified to benefit the development team (speed up the deliver)