As one of the largest banks in the world, we have run a few years DevOps program in HSBC Technology to establish DevOps culture and mindset between teams. Recently, DevSecOps starts to become more and more popular, especially for banking industry, which is very sensitive on data and therefore has a very high standard for the cyber security. However, there are still a lot of challenge to promote DevSecOps culture, especially in a large bank.

Since 2018, we starts to integrate Cyber Security into DevOps culture by running DevSecOps program. We aim to shift left the Cyber security mindset to the development teams through promoting DevSecOps tools combined with the relevant trainings.

In this presentation, we will share how to integrate DevSecOps tools, such as Checkmarx, Contrast and Sonatype IQ into development CICD pipeline to produce vulnerability reports through cyber security testing and scanning source code and 3rd party libraries.

In addition, we will demonstrate three different ways to provide cyber security training to help development teams gradually grow their knowledge to have the capability to fix the vulnerability reported by DevSecOps tools, as well as establishing the brand new mindset over the time