Protecting data and intellectual property is critical to any business, but especially to those, like financial services, that are essentially information processors. Cybersecurity often focuses on data theft, ransomware, and other attacks directed at that valuable information. However, protecting the code that operates on the data is at least as important—both to protect the data from another potential attack vector and to ensure that the proprietary models and analytics that give the firm its competitive advantage are not disclosed or compromised.
DevSecOps (Development, Security, Operations) is a combination of culture, processes, and technologies that form a continuous cycle of security awareness and a secure software development lifecycle (SDLC). Surrounded by a secure development environment and augmented with appropriate tools, the result is a set of clearly defined workflows and process automation aimed at consistently delivering secure, quality code.
The best part is that many of these tools and techniques are built into Beacon Platform, providing customers with the capabilities to secure any proprietary extensions and additions that they build on top of Beacon’s transparent, licensed source code.
Secure Development Environment
Building and operating a secure development environment starts with continuous monitoring, evaluation, and strengthening of the operating conditions for Beacon staff. We operate under zero-trust and least-privilege principles, identifying and authorizing the assets, individuals, and processes that can access each area of responsibility.
Beacon developers and our customers use the integrated development environment (IDE) that is part of Beacon Core, based on Visual Studio Code (VSCode), that makes it faster and easier to build, review, test, and deploy secure code. This tool, with powerful collaboration and debugging features, delivers a standardized working environment that facilitates DevSecOps methodologies. Many automated workflows enhance productivity and compliance with DevSecOps best practices, company controls, and regulatory requirements.
Plan, Code, Build, Test
The DevSecOps cycle begins with planning and training, including regular security refreshers on security coding practices. Risk identification and assessments provide foundational information that help the company understand key issues facing the industry and develop practical solutions to enhance the security posture of Beacon and our customers. Security by design is a central element of our coding practices, including secure code analysis, dependency checks, vulnerability scans, and mandatory code reviews that can be integrated and automated with Beacon’s IDE. Standardized build configurations and processes are also automated, reducing the potential for manual errors or omissions that can introduce vulnerabilities. Testing stages use a mix of manual and automated techniques to evaluate both functionality and security, including penetration testing and vulnerability scans. Version controls maintain an immutable pipeline from code to release.
Release, Deploy, Operate, Monitor
Tested and verified code is initially released to Beacon’s production runtime environment, before being made available to customers to pull into their operating environment. All components run in separate containers with minimal privileges and reduced footprints, to contain the potential attack surface. Each Beacon instance is isolated and installed directly into a customer’s own cloud account or virtual private cloud, and automated updates and patches keep operating systems up to date. Orchestration tools manage resource allocation and scaling independently for each and every customer, and defend against network attacks. Automated backup and data protection processes are run regularly to maintain business continuity. Finally, Beacon continuously measures and monitors the performance and usage patterns of the system, to identify any emerging areas of concern and feed them back into the planning stage.
Part of Secure Cloud Operations
DevSecOps is one part of Beacon’s security model that spans product planning through customer operations, to deliver the future of financial markets on the cloud. The other essential component is the shared responsibility model for securing cloud infrastructure and separation of duties for cloud providers, customers, and Beacon Platform, which we will cover in a separate blog.
To learn more about Beacon’s secure software development lifecycle, download the white paper: Building Secure Systems with DevSecOps.