
Financial digitalization picks up pace as R&D efficiency keeps improving

Following the momentum of "dual district" construction and its ambition to serve the Greater Bay Area, a large bank in Shenzhen (hereinafter "Bank A") will in 2022 fully embark on its second five-year development strategy, with digital transformation as the direction and "Retail + Technology + Ecology" as the driving force. Bank A insists on driving business agility through technological agility, and continues to advance digital transformation and scenario-based operations.

However, as Bank A's digital transformation has deepened, its rapidly expanding IT construction team has brought new challenges for multi-team management and cross-team collaboration, and ever-changing business needs have placed higher demands on the security management and control of R&D assets and on the efficiency and quality of R&D delivery.

To let the IT construction team respond to the business needs of the digital age with more agile collaboration and more efficient, higher-quality delivery, Bank A ultimately chose, from among a number of vendors, to introduce the CODING one-stop R&D efficiency platform, accelerating its digitalization by upgrading R&D efficiency.

CODING's heterogeneous disaster recovery solution ensures the bank's business continuity

For the financial industry, ensuring user data security and business continuity is a top priority. For this reason, Bank A has strict disaster tolerance requirements for data: at the hardware level, data must be stored in three copies; the downtime of any physical node must not affect the normal operation and use of the platform; and heterogeneous backup across different platforms must also be supported.

To help Bank A complete its infrastructure upgrade and meet its disaster recovery requirements, CODING's expert team worked on site with the customer and formulated a disaster recovery and heterogeneous backup construction plan based on CODING. At the application level, two sites are used, Luohu (primary) and Wuhan (backup), with incremental data synchronized daily. The master nodes of the K8S clusters at both sites mount independent backup storage, which keeps full data backups of the platform for 7 consecutive days. At the same time, the original GitLab uses a CODING continuous integration pipeline to run schedule-triggered backups automatically, meeting the heterogeneous backup requirement. The backup results are pushed to the IM communication platform every day, so managers learn of them promptly.

CODING's Disaster Recovery and Heterogeneous Backup Construction Solution for Bank A

In formulating the disaster recovery plan for Bank A, choosing real-time synchronization would have created two acute problems:

  1. Real-time synchronization leads to frequent reads and writes; network stability and platform stability are hard to guarantee, and the database is prone to locking.
  2. After switching from the disaster recovery environment to the production environment, data consistency is hard to guarantee.

Therefore, the CODING expert team ultimately chose scheduled synchronization and backup for Bank A: daily full and incremental backups on the backup machine, and incremental synchronization to the disaster recovery environment. When switching to the disaster recovery environment, full and incremental data backups are taken; when switching back to production, the production environment is refreshed incrementally and the backup of the disaster recovery environment is stopped.

After rigorous switching drills and data consistency verification, the CODING platform meets Bank A's high-availability construction requirements. This greatly reduces the risk of losing source code assets and protects code assets in extreme cases. It also lays a solid foundation for Bank A's development center to encourage every team to host its source code on the CODING platform.
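One way to carry out the data consistency verification mentioned above for Git-hosted source code, as an added example (not CODING's or Bank A's own tooling): compare the ref-to-commit maps of the same repository on the primary and disaster recovery sites. It assumes each side's refs were captured with `git ls-remote`; the sample outputs and object ids are constructed.

```python
# Compare Git refs between the primary and the DR copy of one repository.
# Input: text printed by `git ls-remote <url>`, one "<object-id><TAB><ref>" per line.
from dataclasses import dataclass, field


def parse_ls_remote(text):
    """Return {ref: object_id}; skip HEAD and peeled-tag (^{}) entries."""
    refs = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        oid, sep, ref = line.partition("\t")
        if not sep or not ref:
            raise ValueError(f"malformed ls-remote line: {line!r}")
        if ref != "HEAD" and not ref.endswith("^{}"):
            refs[ref] = oid
    return refs


@dataclass
class Drift:
    missing_on_dr: list = field(default_factory=list)  # ref only on primary
    extra_on_dr: list = field(default_factory=list)    # ref only on DR
    diverged: list = field(default_factory=list)       # same ref, other commit

    @property
    def consistent(self):
        return not (self.missing_on_dr or self.extra_on_dr or self.diverged)


def compare_refs(primary, dr):
    drift = Drift()
    for ref in sorted(primary.keys() | dr.keys()):
        if ref not in dr:
            drift.missing_on_dr.append(ref)
        elif ref not in primary:
            drift.extra_on_dr.append(ref)
        elif primary[ref] != dr[ref]:
            drift.diverged.append(ref)
    return drift


def _sample(pairs):
    return "\n".join(f"{oid}\t{ref}" for oid, ref in pairs)


A, B, C = "a" * 40, "b" * 40, "c" * 40  # constructed object ids
PRIMARY = _sample([(B, "HEAD"), (B, "refs/heads/master"),
                   (C, "refs/heads/feature/login"), (A, "refs/tags/v1.0")])
DR = _sample([(A, "HEAD"), (A, "refs/heads/master"), (A, "refs/tags/v1.0"),
              (A, "refs/tags/v1.0^{}")])  # DR lags on master, lacks one branch
```

With daily incremental synchronization, refs pushed since the last sync will show up as drift by design, so the check is meaningful right after a sync or a switching drill completes.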

CODING DevSecOps: closing the loop on the continuous secure delivery process

Beyond meeting the bank's strict disaster recovery requirements, the one-stop CODING R&D efficiency platform brings Bank A further value. Bank A cares about the experience of the overall R&D process, and has long wanted to manage that process better and make full use of the convenience of automation. With CODING, Bank A implemented an end-to-end DevSecOps process, brought code under unified security management and control, and created an agile, standardized and automated closed loop of continuous secure delivery. This greatly improved the quality and speed of software delivery, reduced R&D costs, and completed the upgrade of R&D efficiency.

Bank A's DevSecOps R&D workflow based on CODING

Unified management of R&D core assets

To manage its code repositories, Bank A originally used version control tools such as Git and SVN. The source code was scattered across project groups, with no unified management entry point. The code repository function provided by CODING supports both Git and SVN repository types, supports importing from mainstream code hosts such as GitLab and GitHub, and provides repository grouping, fine-grained permission control at the team, project and repository levels, code review, version management and other functions. This allowed Bank A to smoothly migrate all the code scattered across various tools to CODING and achieve unified and distributed management of the organization's code assets.

In addition to code assets, Bank A has brought the documents, artifacts and build resources of its different business lines onto the CODING platform for unified management. CODING connects asset management across development, testing, operations and maintenance, and other R&D stages, and its one-stop design helped Bank A integrate its resources and solve the problem of decentralized software asset management.

Unified implementation of R&D management standards

Before CODING was adopted, Bank A lacked branch management specifications. Some staff developed directly on the main branch while others pulled branches for development, which left branch and version management in confusion. With the help of the CODING team, Bank A formulated Git branch and tag management strategies suited to both the traditional monolithic applications and the microservice applications in the bank, established a unified code merge review process and a retrospective audit mechanism, and finally settled on a branch management model of releasing from the master trunk and developing on feature branches.

Bank A regulates the cross-organizational R&D process through a trunk-branch model

Trunk environment: deploys the stable version of the trunk code with complete dependencies; it can be released at any time and is continuously protected and maintained.

Branch environment: contains the single or multiple services involved in an iteration branch, and is used for joint debugging and testing. (The test environment is not shown separately here, and maintaining a test branch is not recommended. The master trunk is used for daily builds, and an environment can be deployed from it at any time as an integration or joint-debugging test environment, so that problems are found early.)

In addition, Bank A found that its R&D specifications often depended on R&D personnel complying voluntarily, and lacked binding force. The R&D specification mechanism provided by the CODING platform gives real-time feedback on how the specifications are being followed, automatically intercepts R&D activities that do not meet the requirements, and "imperceptibly" constrains and urges R&D personnel to follow the specifications. Based on the actual R&D needs in the bank, Bank A has configured binding rules for code, branches, versions and so on, and by adding audit steps it achieves quality control and reduces the cost of collaboration and communication.

Integration of security activities into automated CI/CD pipelines

Bank A's IT team has long faced the double pressure of external competition and financial supervision. By integrating code scanning and artifact scanning into the automated CI/CD pipeline, CODING helps Bank A improve business efficiency while building a moat of code security and quality.

As shown in the figure below, Bank A incorporates a series of automated security activities into the CODING CI pipeline. When the code is checked out, the system automatically scans it and then runs unit tests. After the image is pushed to the CODING artifact repository, the artifact is scanned. These security activities back each other up layer by layer, eliminating most defects and risks before the business release.

CODING code scanning supports scanning schemes for 16 mainstream development languages. Once the scanning language scheme and the quality gate are configured, the source code is scanned automatically when it is checked out, and a list of problems with suggested modifications is generated automatically.

Through the problem overview, R&D personnel can clearly see the number of code problems, the cyclomatic complexity, the duplication rate and so on. This helps Bank A discover hidden code defects, security vulnerabilities and non-compliant code in time, and improves the maintainability and stability of the code.

When an image is built and pushed to the artifact repository, CODING artifact scanning is triggered automatically. The system analyzes the artifact's dependencies, parses out the open source components it references, identifies the vulnerabilities in those components using the "Tencent Security Open Source Component Vulnerability Feature Library", and outputs vulnerability reports and repair suggestions. Bank A's R&D staff can judge the quality of an artifact against the preset quality red line, and can also view the specific scan results on the details page.

One-click reuse of DevSecOps pipelines

Rolling out DevSecOps quickly cannot rely on repeated manual copying. Taking advantage of the configurable and reusable nature of CODING pipelines, Bank A combined its original scripts with the development languages commonly used in the bank to produce pipeline templates shared across teams, greatly lowering the threshold for existing systems to adopt DevSecOps. Members of different business groups can reuse automated pipelines with one click, improving build and release efficiency in the daily R&D process.

Comprehensively improved R&D efficiency helps drive the digital transformation of banks

The biggest advantage of the one-stop CODING DevOps platform is that it gives Bank A a unified R&D portal that connects the whole R&D management chain, from project management, code hosting, code builds and testing through application delivery to system operations and maintenance. At the same time, it meets the bank's strict heterogeneous disaster recovery requirements, and provides a strong foundation for Bank A to deliver business value efficiently and with high quality. In the future, Bank A will comprehensively roll out the new DevSecOps-based one-stop CODING platform across the bank, and make full use of the DevSecOps concept so that the R&D chain runs more smoothly, efficiently and securely. The CODING DevSecOps solution, as a powerful engine in Bank A's digital transformation, will continue to help Bank A optimize the R&D process experience, focus on improving R&D efficiency, and lead on the new digital business track.

