ABN AMRO Embraced CI/CD to Accelerate Innovation, Improve Security

In this post, we look at how a leading FinTech organization used DevSecOps processes to build better, more secure software.

by Derek Weeks · Mar. 30, 18 · Analysis

ABN AMRO is one of the largest banks in the Netherlands. It is a large enterprise that is heavily regulated. They employ 22,000 employees and 5,000 of them work in IT. After a major transformation journey from Waterfall to Agile, they now have over 300 Agile teams.

Many organizations would have shied away from the transformation, but ABN AMRO saw FinTech companies nipping at their heels. The transformation was imperative to survival. They couldn’t be the technological equivalent of the stereotypical fat cat, cigar smoking, short-work-day bankers who refuse to adapt.

Stefan Simenon was in the middle of the transformation when it began three years ago, and he recently shared his experience of the journey. His talk, ABN AMRO Transforms with CI/CD to Accelerate Software Delivery and Improve Security, explains how the bank implemented CI/CD pipelines to accelerate innovation while maintaining strong governance and security standards.

You don’t implement - or even think about implementing - a cultural shift like this in an organization this size because it is the latest trend or you watched some inspiring talks during a recent conference. You have to feel the burden of the status quo. For ABN AMRO, several challenges were staring them in the face:

  • Long lead times for software delivery.
  • Software quality issues found at a late stage.
  • Many manual handovers and approvals.
  • Code merges happening late in the dev lifecycle.
  • Inefficient cooperation between Dev and Ops.
  • Big, non-frequent releases to production.

Admitting you have a problem is the first step, but there are many more. As they agreed to move forward with CI/CD, they recognized that CI/CD is about changing the mindset, behaviors, processes, and the “Way of Work” first. The right tool choices would come later.

To proceed, they set up the project organization into a cluster with central and decentralized orientations. The centralized part paved the way by setting up the conditions for the teams to get working. The decentralized parts moved forward by implementing CI/CD within the teams.

Once the teams were in place, they determined they would start with the technologies they had and wait for other tools. They also ensured there was strong alignment between Development, Operations, and Security.

Recognizing that other large organizations often take 3-8 years to implement this level of change and change course along the way, they planned small milestones at three-month intervals while keeping the overall transformation journey in mind. This allowed them to learn and improve as they progressed.

One interesting approach they have taken is called “build breakers.” That is, once a developer triggers a build and the unit testing is complete, three separate scans are run: a code quality scan with SonarQube; a secure source coding scan with Fortify; and an open source dependency scan with Nexus Lifecycle. A break in any one of these will send the build back to the developer to be fixed.

They also set up an IT for IT organization (IT4IT) to enable CI/CD implementation. The IT4IT organization:

  • Implements tooling upgrades.
  • Implements new tools.
  • Enhances and improves CI/CD pipelines.
  • Implements new CI/CD pipelines.
  • Handles user management.
  • Supports Agile teams.
  • Conducts incident and problem management.

A lot has happened since they began three years ago. Here are just some of the benefits they have seen so far:

  • Test environment uptime improved.
  • Improved code quality and secure coding.
  • Improved cooperation across stakeholders.
  • Improved time to market.
  • Improved development processes.

There is still more to do. As they move forward, they want to further transform to DevOps by improving collaboration between Dev and Ops. They also want to automate and improve tooling pipelines, enhance the IT4IT landscape, implement a hybrid cloud strategy with a mix of internal and AWS clouds, and move toward a service-oriented architecture. They also realize that improving the Way of Working, mindsets, and behaviors has to stay top of mind throughout their journey -- it is the foundation all of this is built upon.

At the conclusion of his talk, Stefan offered some takeaways:

  • Ensure you have senior management and involvement.
  • Invest in reducing technical debt.
  • Create a safe environment so people know that failing is okay.
  • Do not focus just on tooling.
  • Do not underestimate the journey and complexity.
  • Do not focus on the long-term but rather on small improvements.

Stefan’s full talk, available for free here, digs deeper into the specifics and the results to date. You can watch any of the 100 All Day DevOps practitioner-led sessions free-of-charge here.

All Day DevOps 2018

All Day DevOps 2018 is just around the corner! Registration is available here.

The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30 minutes long. With 5 separate tracks (CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, and Site Reliability Engineering) and 100 speakers, there's sure to be something for everyone.

And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.

Hope to see you online at the show!

Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
