on the creation and development of a new domestic community of specialists in the field of secure development

Secure development is an important component of the technological landscape of any company. This is especially relevant for companies in the financial sector, which must pay increased attention to the security of their clients' funds and personal data. In 2023, to unite the efforts of participants in the financial and related sectors in advancing secure development practices and open source solutions, the FinDevSecOps community was created at the Association of FinTech (AFT).

Today, as one of the founders of the community, together with colleagues from the AFT, we will tell you how FinDevSecOps came about, what it does and what it has achieved so far.

2023: idea and search for partners

In 2023, the AFT platform hosted a discussion of the problems of using open source solutions and organizing secure development with representatives of AFT member companies, including RSHB. It turned out that the companies face similar challenges, and the work done by each of them is of interest to the other market participants. This is how the idea of creating a community emerged: one that would unite specialists in this field and become a platform for exchanging experience and jointly developing solutions. The main goals in forming the community were: accelerating and simplifying the adoption of secure development practices, raising the level of security across the entire life cycle of fintech solutions, and interacting with regulators on questions of secure development and the use of solutions based on open source.

FinDevSecOps Manifesto

During the formation and development of the community, a manifesto was developed that described in detail the problems, mission and objectives of the community.

Existing problems in the development of IT solutions in companies in the financial and related sectors:

  1. The widespread use of open source libraries with a significant amount of code, complicating the procedures for checking and verifying this code.

  2. Inefficient use of resources of organizations in the financial and related sectors to conduct disparate duplicate checks of identical open source solutions, and the lack of exchange of information on the results of these checks between organizations.

  3. Lack of support for open source solutions, or support from an untrusted party, which leads to increased risks of backdoors and vulnerabilities.

  4. The presence of a “gray zone” in the area of ​​regulating the use of open source solutions in organizations in the financial and related industries.

  5. High demands on the speed of releasing new versions of IT solutions, as a competitive advantage of the company, together with the constantly growing volume of code, require new approaches to checking and verifying code that are integrated into the development process, as well as new tools to automate these procedures.

The mission of the FinDevSecOps community is to achieve a synergistic effect from combining the efforts of parties interested in the development of secure software development and open source solutions for the financial and related sectors.

Community goals:

  1. Acceleration of the processes of introduction and implementation of DevSecOps practices and open source solutions.

  2. Increasing the level of security of IT solutions at all stages of their life cycle.

  3. Communicating the financial industry's position to regulators.

  4. Analysis of risks and opportunities for using IT solutions based on open source code.

  5. Identification of promising IT solutions based on open source code.

  6. Formulation of proposals and recommendations for improving the processes of development and regulation of the use of IT solutions based on open source code.

  7. Formulation of proposals and recommendations for improving the regulation of safe development processes.

  8. Conducting joint testing and evaluation of individual technologies and elements of the technological landscape using IT solutions based on open source code.

  9. Organization and support of joint projects of AFT participants for the development of IT solutions based on open source code.

The manifesto also outlines the main areas of activity of the FinDevSecOps community:

  1. Recommendations for applying DevSecOps practices in the financial sector:

    1. Organization of processes for the secure development of fintech products: security gates, methodology, regulation;

    2. Monitoring information security events during the operation of fintech products;

    3. Storing secrets and configurations of fintech products;

    4. DevSecOps tools and platforms.

  2. Joint verification and development of open source solutions by the community:

    1. Community code development on a trusted platform;

    2. A trusted repository of source codes, images, libraries, build artifacts, and information about the results of testing and verification of open source solutions.

  3. Culture and Teams. Employee training and dissemination of DevSecOps competencies:

    1. Analysis and clarification of the regulatory framework affecting the application of DevSecOps in financial organizations;

    2. Training courses;

    3. Testing and surveying specialists.

Community Meetups

Community meetings are held in online and offline formats. Two FinDevSecOps community meetups have been held so far. The first took place in October 2023 and formally became the starting point in the history of FinDevSecOps.

The following topics were discussed:

  • Organization of processes for the safe development of fintech products: regulation and methodology;

  • Testing and analysis of open source solutions;

  • Monitoring information security events during the operation of fintech products;

  • Storing secrets and configurations of fintech products;

  • DevSecOps tools and platforms;

  • Culture and teams. Employee training and dissemination of DevSecOps competencies.

The second meetup took place on April 25, 2024. This time the central topics were the mutual influence of DevSecOps and the information security development strategy of a financial organization, and the shortage of DevSecOps specialists. Participants also discussed new technologies (AI, clouds, etc.) and the new types of information security threats they bring, DevSecOps regulation, import substitution in DevSecOps, and the roles and competencies needed to implement DevSecOps practices.

In addition, two workshops were held within the framework of the meetup:

  • Workshop “Practice of running checks with ISP RAS and CodeScoring products”;

  • Workshop “Pre-commit security checks: plugin in the developer's IDE”.

During the workshops, participants tried out products such as Svace, Natch, Crusher, Sydr-fuzz and PT Application Inspector, ran checks themselves and worked through the reports the products produced.

Results and plans

In the third part of the meetup, the organizers summed up the community's activities since its founding in October of the previous year and shared plans for 2024.

Among the community development plans are: organizing thematic groups, continuing work on new regulatory documents on the secure development of IT solutions in financial organizations, planning practical events in the format of workshops and hackathons.

Own repository

The AFT platform has its own trusted repository of source code, images, libraries and build artifacts, as well as information on the results of testing and verification of open source solutions. Thanks to this, the following is already in operation:

  1. Uploading source code, IT solution artifacts to GitLab, Yandex Container Registry;

  2. End-to-end authorization for access to hosted source code of IT solutions in Yandex Managed Service for GitLab;

  3. Signing the source code of IT solutions (hash generation with SHA-256, signature creation with RSA);

  4. Checking the source code and artifacts of IT solutions with an antivirus (Kaspersky), a static analyzer (Sonar), the Docker image scanner built into Yandex Container Registry, and a dependency analyzer (OWASP Dependency-Check).
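As an added illustration of the signing step (item 3 above), and not code from the AFT repository itself: the program below computes one deterministic SHA-256 digest over a whole source tree (sorted paths, length-prefixed entries, so renaming, adding or removing a file changes the digest, not only editing one) and signs it with RSA-PSS, then shows verification succeeding on the original tree and failing on a tampered copy. The sample tree, file names and module path are constructed for the demo, and the key pair is generated in-process; in a real pipeline the private key would live in an HSM or secrets store and only the public key would be distributed to verifiers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Tree is an in-memory snapshot of a source tree: relative path -> content.
type Tree map[string][]byte

// HashTree computes a single SHA-256 digest over a tree deterministically.
// Paths are sorted, and both path and content are length-prefixed, so that
// moving bytes between a path and a body, or between two files, changes the digest.
func HashTree(t Tree) []byte {
	paths := make([]string, 0, len(t))
	for p := range t {
		paths = append(paths, p)
	}
	sort.Strings(paths)

	h := sha256.New()
	var n [8]byte
	for _, p := range paths {
		binary.BigEndian.PutUint64(n[:], uint64(len(p)))
		h.Write(n[:])
		h.Write([]byte(p))
		binary.BigEndian.PutUint64(n[:], uint64(len(t[p])))
		h.Write(n[:])
		h.Write(t[p])
	}
	return h.Sum(nil)
}

// LoadDir reads every regular file under root into a Tree keyed by its
// slash-separated path relative to root (what a real signing tool would do).
func LoadDir(root string) (Tree, error) {
	t := Tree{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		t[filepath.ToSlash(rel)] = data
		return nil
	})
	return t, err
}

// GenerateSigningKey creates an RSA-2048 key pair for the demo only.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignTree signs the tree digest with RSA-PSS (preferred over PKCS#1 v1.5 for new designs).
func SignTree(priv *rsa.PrivateKey, t Tree) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, HashTree(t), nil)
}

// VerifyTree recomputes the digest from the tree as received and checks the signature.
func VerifyTree(pub *rsa.PublicKey, t Tree, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, HashTree(t), sig, nil) == nil
}

// SampleTree is a constructed two-file "IT solution" used for demonstration.
func SampleTree() Tree {
	return Tree{
		"go.mod":  []byte("module example.com/payments\n\ngo 1.21\n"),
		"main.go": []byte("package main\n\nfunc main() {}\n"),
	}
}

func main() {
	key, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	t := SampleTree()
	sig, err := SignTree(key, t)
	if err != nil {
		panic(err)
	}
	fmt.Printf("digest: %x\nverify original: %v\n", HashTree(t), VerifyTree(&key.PublicKey, t, sig))

	tampered := SampleTree()
	tampered["main.go"] = append(tampered["main.go"], []byte("// injected line\n")...)
	fmt.Printf("verify tampered: %v\n", VerifyTree(&key.PublicKey, tampered, sig))
}
```

The digest and signature would be stored next to the artifact in the repository (for example as a detached `.sig` file plus the signer's public key fingerprint), and the verifier side of the pipeline would run `LoadDir` on the checked-out tree and call `VerifyTree` before any further scanning or build step is allowed to proceed.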

In 2024 the following will be implemented:

  1. Collaboration with the source code of IT solutions;

  2. CI/CD pipeline;

  3. Integration with external repositories of source code and IT solution artifacts;

  4. Analysis of vulnerabilities of IT solutions based on the FSTEC database;

  5. Checking source code, IT solution artifacts against current vulnerability and signature databases;

  6. Implementation of automatic scanning and verification of the source code of IT solutions.
