Our customer is a large European bank providing financial services to individuals and businesses in Europe and Asia, with over $100 billion in assets under management.
In the last three years, the bank adopted DevOps software engineering processes and implemented multiple tools. They use Nexus Repository, Bitbucket, TeamCity, Ansible, and Jira.
The bank also started introducing application security tools to support continuous security testing for each release. They use Checkmarx SAST to proactively discover vulnerabilities in the source code, Sonatype Nexus IQ to manage the security of the open-source components they use, and Netsparker to test application security in their staging and UAT environments.
The bank has over 150 applications, including front-end systems, core banking applications, credit risk platforms, payment card processing systems, and digital omnichannel services used by both businesses and consumers. Software engineering produces over 1,000 application builds and pushes more than 100 application releases into production every week. Multiple internal and outsourced software engineering teams are involved in application development.
The software engineering organization made several attempts to implement DevSecOps by building custom integrations and writing proprietary scripts. However, these attempts to integrate the application security testing tools with their DevOps tools and processes did not produce the expected results.