Banking & Finance
Growing Security in Devops at Rabobank
Rabobank’s Retail NL Tech division delivers and operates the applications that customers use to take care of their digital banking needs. Inside the division, tens of Devops squads are working on hundreds of services and applications, building and pushing new features every hour of the day. Rabobank prides itself on taking security seriously, and one of the initiatives that underlines this attitude is where Booleans came into the picture.
Rabobank is a cooperative bank with a mission. Together with their stakeholders, they have been committed for over 125 years to a sustainable society and to major societal challenges. Nowadays, they are active with more than 43,000 employees in 37 countries. In the Netherlands, they serve private and corporate customers with a wide range of financial products and services. Worldwide, they focus on entrepreneurs and companies in the food and agri industry.
Security throughout the Software Development Lifecycle
At Rabobank, Devops squads are expected to be as autonomous as possible and carry most of the responsibility for delivering functionally correct, stable, performant and secure applications. When it comes to security, they are not on their own in this. For example, before new features see the light of day, they are extensively tested by Security Specialists inside Rabobank.
Apart from security testing, Rabobank strives to integrate security throughout the entire Software Development Lifecycle. To accomplish that, a high degree of security awareness and empowerment within Devops squads is crucial.
Creating Security Awareness and Empowerment
In 2021 Rabobank formed a new team of specialists to bring the security posture of Devops squads to the next level. A Senior Digital Security Specialist from Booleans also joined this team with his expertise.
The team started by designing a Security Maturity Model, loosely based on OWASP’s DSOMM (DevSecOps Maturity Model) but heavily customized for the context of Rabobank. Devops squads use this model to assess their own security maturity and plan for further growth. It also gives the security team insight into where squads across the board need help, for example with tooling for security scanning.
Specific training was developed in-house to increase knowledge among engineers in the areas of API security, threat modeling, hands-on hacking, and much more. This led to a much higher awareness of security best practices, which helped engineers gain a deeper understanding of security issues, address security concerns in peer reviews, and be more proactive in implementing security mitigations. Because of the interactive way they were taught and their focus on both offensive and defensive security, these training sessions grew quite popular.
The team also heavily scrutinized the tools already in use for detecting vulnerabilities in software, and any shortcomings or inefficiencies were addressed by fixing, complementing, or even replacing the security tooling.
Because of this hands-on approach and the high visibility of the new security team, the team quickly became the go-to place whenever engineers were fighting emerging security vulnerabilities (such as Log4Shell), needed security assistance with their application designs, or wanted an extra pair of eyes on their implementation or production alerts.
Forming this new security team initially started as a pilot project at Rabobank. Nowadays the presence of the team is simply a given and considered a proven concept.
By bringing security further within reach of squads, it becomes much more fun, engaging to embrace, and effective in the delivery of secure software!
IT Lead Online at Rabobank