Challenge
A leading financial services company required assessment and unification of all software development lifecycle (SDLC) activities and the use and deployment of open source software (OSS) across the enterprise. These projects had to balance the needs of DevOps and maintain the company’s risk posture in a heavily regulated industry.
Solution
Defined, unified, and simplified the client’s SDLC and ensured it met OSS internal use policies and standards, which included:
- Analyzing essential requirements to measure compliance, effectiveness, development team burden, and risk mitigation to determine if changes were required
- Reviewing all technology policies, standards, risks, and controls, including a detailed assessment comparing the company to industry standards
- Interviewing stakeholders across lines of businesses and the enterprise to assess and measure whether policies and standards were effective
- Meeting with DevOps and development teams to understand their detailed experience and pain points and identify ineffective controls and processes
- Documenting the current state policy, s, and control structures of the SDLC, including more than 70 unique requirements
- Creating a value stream map showing current state requirements by product delivery phase, control status, completion time, effectiveness, associated metrics, and policy area
- Building a process and controls for secure downloading and uploading of OSS to the GitHub community
Outcome
Enhanced the company’s risk posture and improved the DevOps team experience by:
- Developing a new unified software development value stream inclusive of controls, documentation, and metrics to gauge compliance and impact
- Enhancing the developer experience, utilize technology and data to measure impact, and increase participation in the open source community while decreasing the level of non-compliance with cybersecurity policies, standards, and procedures
- Documenting the SDLC governance process and all affiliated requirements, allowing for more efficient internal and external audits
- Developing options to automate Continuous Integration/Continuous Delivery (CI/CD) processes and lessen the burden on developers
Published December, 2022