Cybersecurity and DevSecOps to a higher level: how major banks and an insurer collaborate

“Innovation doesn’t always mean that you develop something new. The innovative aspect can also be in the way various parties cooperate with each other. This is definitely true of the way cyber security specialists of the banks ABN AMRO and ING, and insurer Achmea now exchange information with each other in the ‘Joint Practices for Security in Agile’ project.

Collaboration on this project ensures that all these parties will jointly raise the baseline of their DevSecOps to a higher level. This is at any rate the idea behind the new platform that they’ve set up within the PCSI and in which we as TNO are also closely involved,” says Mike Wilmer, who works on Data Science and Cyber Security at TNO. From his base at TNO, he has a facilitating role in the PCSI project.

Mutual trust

“The collaborative venture is still at an early stage. We’re in the proof-of-concept phase, where we are focusing mainly on the processes that are necessary to create a PCSI-DevSecOps Community. This means that we cannot yet draw any conclusions about what the new platform will actually deliver to those taking part,” Wilmer adds.

“However, the initial experience has been very positive. For example, the participants have already exchanged knowledge about very specific DevSecOps topics. In this context, they expressed their trust in TNO, saying that we’re a good party for facilitating these meetings. In addition, security is properly assured, allowing everyone to speak openly. There also appears to be strong mutual trust. During these meetings, everyone starts asking questions spontaneously and the cyber security specialists swap many experiences. In that respect, the platform seems to meet a definite need.”

Discussing together

During the pandemic, these meetings are online, in a secure environment. There are speakers who address current topics, such as the involvement of Security Champions and various techniques for testing software in CI/CD pipelines (SAST and DAST). Afterwards, the cyber security specialists can discuss the topic with each other.

A key principle is DevSecOps, which is a combination of Development, Security and Operations. This brings together the specialists’ know-how and the available technologies in processes that can accelerate software development in a secure manner. This is done in an agile fashion, that is to say in sprints, which enable new insights to be quickly included in further development. “Banks have already completely switched to a modern way of testing their security,” says Wilmer. “They’re already very advanced in that area; I was really amazed.”

Learning from colleagues

“We’re competitors, but not in the area of security relating to IT and information,” says Jeroen Verwoest, Information Security Consultant at ABN AMRO. “In the field of cyber security, we’re happy to help one another. And it’s very enlightening to hear from colleagues about how they approach particular problems. What do they do differently? Why? And does this approach help? These are questions that you’d like to have answered by colleagues who are wrestling with the same problems.”

Some subjects of discussion are, for example, what you could do to motivate Security Champions. Or what methods the participants apply and with what results. This exchange immediately provided inspiration. For instance, one of the member organisations has already had good results with an approach that had been an idea lying in a drawer for some time at another organisation. The organisations are now going to see whether they can apply that idea rapidly.

Participants are well-matched

“Cyber security plays an important role in the financial sector,” continues Verwoest. “In that area, all PCSI partners have already made great progress. The differences between them are small, so the meetings often concern details, but these are details that can make a crucial difference and save a specialist a lot of time. Based on what I’ve seen and heard up to now, I expect that we’ll be able to achieve more great things together.”

Very sensitive information

“The wonderful thing about this collaboration is that it arose in a natural way,” says Robert Wegh, IT Security Specialist at Achmea. “During a survey, PCSI invited us to think about how we as cyber security specialists could share our knowledge and experience. Together, we quickly came to the conclusion that a community platform would be a logical next step. That might sound like something that’s very easy to set up, but it naturally involves very sensitive information. For this reason, all the participating parties have concluded a Non-Disclosure Agreement. It’s good that TNO is involved, as it’s a neutral party that inspires a lot of trust.”

Secure by design

Wegh’s colleague at Achmea, Erwin Kamminga, also participates in the platform. He is a Security Specialist & IT Architect and spends most of his time ensuring the security of the insurer’s mobile apps. “We’ve now held the first meetings of the PCSI platform. By chance, one of those meetings focused on new trends in securing mobile apps. The subjects of discussion were, among others, ‘Secure by design’ and ‘Shift left’, a working method in which safety aspects are addressed earlier in the development process. That was of course right up my street. It’s of great value to talk about such things with colleagues.”

We all share the same goal

“As large companies, we naturally take security extremely seriously,” says Stefan Petrushevski, who works as a Security Expert at ING. “We are therefore constantly investing in security and we continue to work on improving standards and keeping them high. To this end, we all apply the principles of agile software development, making progress step by small step. We learn what does and does not work, and as a result, we keep advancing. In this way, we’re all trying to achieve the same goal. We’ll ultimately achieve that goal of optimal cybersecurity, but if we work together in certain areas from now on, we’ll also be able to learn from each other along the way and this will accelerate the development process. Therefore, it’s great that we now have a platform within the PCSI where we can share our various approaches and experiences.”