Initially security and compliance are considered top concerns in financial services

industry and have often been considered as bottlenecks for modernizing legacy
software development and delivery practices. Scanning code for common security
vulnerabilities is just not enough, and developers need to include security testing
as part of their automated unit and integration tests: positive and negative tests
on authentication, authorization, and auditing functions and security libraries.

Standard DevOps toolchain includes tools for build management, continuous

integration, log management and analysis are being used effectively by financial
services organizations for operation and security event monitoring (SIEM) and
compliance reporting. In Secure DevOps, security needs to be brought into
development and operations, and Continuous Delivery stages, which is based on a few
key ideas:
- Bring Development and Operations teams together to solve security problems
- Shifting security controls and checks left, into design and development
- Automating security testing and security checks in Continuous Integration
and Continuous Delivery, including security checks on dependencies
- Taking advantage of Infrastructure as Code, leveraging the logging and
workflow controls to provide an audit trail of security checks for regulators
- Wiring security into application operations monitoring and feedback loops