As VTB builds internal software development based on DevSecOps methodology

In 2018 within transformation of work of IT department of VTB the decision on gradual and primary transition to internal (in-house) development of IT systems and creation in IT of the corresponding block of development was made. It was headed by Andrey Ovsyannikov, the deputy manager of department of information technologies of VTB.

The first-priority purpose which was set before IT development, - to increase the speed of delivery and quality of the code with observance of standards and requirements of information security. It was for this purpose necessary to develop new methodology of work, to create and carry out pilots on approbation of the technology stack. Well and, of course, - to create development teams, - Andrey Ovsyannikov told TAdviser

VTB implemented the first stage of implementation DevSecOps

The methodology of DevSecOps (Development Security Operations) was selected as the most suitable set the practician and tools for flexible and continuous process of implementation of changes. It allows to improve quality of the code and capacity of development teams, to automate routine transactions, to reduce terms of conducting verification of the developed code by compliance to the stated functional and utilization properties. Cross-functional teams from business, IT and external suppliers of bank had to first of all begin to use new methodology.

In August, 2018 the first project phase which covered five IT systems belonging to the following classes started:

• RBS
• CRM
• CORE BANKING SYSTEM
• Web application
• The solution on the microservice platform

Within this phase it was necessary to lay the foundation for joint work with suppliers, to provide the subsequent replication of approaches on all own IT systems of bank. It was supposed to reduce delivery time of IT result, to reduce technology windows when installing releases of IT systems and to provide a possibility of unplanned updating of IT systems without interruption in customer service.

For the first 6 months of the project the uniform format of creation DevSecOps pipeline containing obligatory checks for each stage of IT development was approved and implemented. The team of experts on competences DevSecOps was created. Transfer of systems to internal development is started. The pilot project is successfully implemented.

From key results in the IT block of VTB select the following:

• The tools Gitlab-CI, Nexus Ansible, by SonarQube, MF Fortify are deployed Jira, Confluence
• Training of commands in work with new tools is provided
• The basis of a command is created and process of internal software development (software) with simultaneous involvement of external suppliers based on the practician of DevSecOps is started

As of July, 2019 there undergoes replication a practician on a test stage and further development in perimeter of commercial operation, specified TAdviser in VTB.

As well as it was planned, the systems of the first stage are transferred to the DevSecOps tools and internal development. We created frame of commands of internal development and connected external teams of suppliers for joint work in perimeter of bank. By us the technology stack for the DevSecOps platform purchased, pipeline regarding Continuous integration is automated (continuous integration - a comment of TAdviser). Besides, technical works on inclusion of stages of the automated analysis of the source code in pipeline are implemented. On these principles of DevSecOps the factory of production for all developers of VTB will be under construction, - Andrey Ovsyannikov emphasizes

At the same time the project team builds the target infrastructure platform based on the hyper convergent solution Nutanix. The platform provides necessary flexibility for transition to the stated frequency of releases and speed of development. For external suppliers access for work on joint projects is organized.

The main project deliverables are presented in table 1. Until the end of 2019 all development of IT systems of bank will pass to DevSecOps methodology. At the same time step-by-step implementation the practician of Continuous Delivery (continuous delivery) and Continuous Deployment (continuous deployment) begins.

Tab. 1. Main results of implementation of methodology of DevSecOps

Successful scaling of DevSecOps will accelerate implementation and transition to loosely coupled microservice IT architecture that will also increase the output speed of new solutions and products on the market. It will allow to reduce even more terms of development and testing, to increase quantity of releases, calculate in VTB.