Global Investment Bank in New York
Executive Summary
A top investment bank in New York City, with over 27,000 developers worldwide, successfully integrated Trustcenter into their DevOps organization, allowing for a more secure and efficient software development process while also delivering significant cost savings and freeing up resources in their Development Compliance and Audit teams to tackle more strategic tasks.
Trustcenter's ability to spot, track, and verify every artifact has streamlined the compliance process, reduced associated costs, and created a more positive work environment for engineers and compliance team members.
Trustcenter Success Story - A Global Investment Bank in New York
The customer is a well-established investment bank with a significant global presence, supported by a team of over 27,000 developers operating across all continents. The bank's software development and deployment activities are substantial, with over 50,000 software builds taking place every day, each consisting of an average of 2,500 artifacts, such as libraries, source code files, and other files.
To facilitate their extensive software development activities, the bank relies on a range of tools and platforms, including GitHub Enterprise and several CD platforms such as Jenkins and Azure DevOps. Additionally, the bank employs various vulnerability scanners to ensure software security and uses a mix of code signing methods, such as GPG, certificates, and Trustcenter notarization, to maintain the integrity of their software code.
Given the globally distributed IT organization and high volume of activity, any trust and integrity platform utilized by the Bank must be available continuously with an uptime of 99.999%. The platform should also be capable of processing billions of objects every day, with peaks of several million artifact provenance verifications per minute.
This requirement for a highly scalable and reliable trust and integrity platform is vital for the Bank to maintain the integrity of their software and ensure the security of their clients' financial transactions. By using a platform that can process high volumes of activity while maintaining constant uptime, the Bank can confidently perform billions of provenance verifications every day, ensuring the trust and integrity of their software and preserving the trust of their clients.
The development compliance team of the Bank, along with the bank's auditors, mandate that a Catalog of all known and trusted DevOps artifacts be maintained.
This catalog is essential: every artifact observed throughout the DevOps organization is matched against it, and any artifact that does not match is marked as unknown, therefore untrusted, and is not to be used. Furthermore, it is crucial that the catalog remains immutable and provides cryptographic proof at every stage of the DevOps process, ranging from source code to code scanning, building, and deployment.
The need for an immutable and secure catalog is critical to ensure the trust and integrity of the software development process at the bank. By maintaining a comprehensive and secure catalog of DevOps artifacts, the development compliance team and auditors can effectively manage the software development process and detect any unauthorized or unknown artifacts. This approach also ensures that the software development process is traceable and transparent, providing cryptographic proof of every step of the process, from source code to deployment.
Evaluation
Before the bank adopted Trustcenter as their trust and integrity platform, our solution underwent a thorough evaluation process to ensure that it met their requirements for security, maturity, and performance.
The bank recognized that, given the scale and complexity of their software development and deployment activities, Trustcenter needed to be highly scalable and capable of securing all software creation and maintenance processes.
For example, this requirement meant no downtime for backups, exports, or upgrades of the Trustcenter platform.
Moreover, the Bank required that Trustcenter integrate seamlessly with their GitHub Enterprise SCM platform, as well as their various build and deployment platforms, including Docker and Kubernetes on multiple hardware environments. They also required Trustcenter to recognize and extract SBOMs for applications written in Java, C, C++, Go, Python, Node.js, COBOL, and .NET.
Following a successful trial period and a number of custom integrations, the bank deployed Trustcenter throughout their DevOps organization.
The implementation of Trustcenter provided the bank with a significant return on investment, delivering improved security and integrity of their software, as well as reducing costs associated with managing DevOps artifacts.
The successful adoption of Trustcenter has enabled the Bank to maintain its reputation as a trusted and reliable financial institution.
In addition to the security and cost benefits, the implementation of Trustcenter has also freed up the bank's Development Compliance team to focus on more comprehensive and strategic tasks.
By automating the tracking and verification process, the team is now able to tackle more complex compliance issues and contribute to more valuable initiatives, ultimately driving business growth.
Even more importantly, Trustcenter increased the overall integrity of their applications because it makes it impossible for bad actors to infiltrate the bank with malware.
Deployment Characteristics
The bank runs an internal cloud platform which is accessible from all their various offices, and increasingly, also from work-at-home engineers. Sophisticated network and storage solutions make this a challenging environment to integrate with and effectively allow Trustcenter to spot, track and verify every artifact.
The bank insisted on Trustcenter being out-of-band to their developers, i.e. developers would not need to sign any code or verify themselves; instead, all tracking and verification work should be done transparently in the background.
As an example, if a developer builds a new release of an application and Trustcenter spots a new library which was not previously vetted and approved, it will not allow the build to start.
The customer deployment journey for Trustcenter consists of the following steps:
- Set up Trustcenter and create user accounts to establish a secure foundation for the deployment process.
- Create a comprehensive baseline catalog of all existing artifacts by allowing Trustcenter to scan existing source code management systems (SCMs) and container registries. This cataloging process ensures that all artifacts are accounted for, and provides a starting point for tracking and verifying future artifacts.
- Utilize Trustcenter's automated SBOM (software bill of materials) and risk score generation capabilities to analyze the cataloged artifacts in the background. This process provides insights into potential vulnerabilities and allows for proactive measures to be taken to mitigate risks.
- Integrate Trustcenter CLI or GH Actions into the continuous integration and continuous deployment (CI/CD) pipelines to automate the artifact provenance and verification process for all future builds. This automation ensures that artifacts are consistently tracked, verified, and secured throughout the development lifecycle.
- Integrate Trustcenter into the Docker and Kubernetes runtime and policy enforcement to add an additional layer of security to the deployment process.
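The catalog-matching and build-gating behaviour described above (an unvetted library blocks the build; the catalog itself must be immutable and cryptographically verifiable) can be illustrated with the following added example. It is not Trustcenter's code or API; the artifact contents, catalog entries and hash-chain format are constructed for this illustration.

```python
import hashlib

# Constructed sample of approved artifacts (name -> content). In a real
# deployment these come from the baseline scan of SCMs and registries.
APPROVED = {
    "libcore-1.4.2.jar": b"constructed bytes of an approved library",
    "app-service.py": b"print('approved source file')",
}
GENESIS = "0" * 64  # chain start marker; hypothetical format

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_catalog(approved: dict) -> list:
    """Create chained catalog entries: each link covers the previous link,
    the artifact name and its hash, so editing or dropping any entry
    changes every later link and the pinned head."""
    entries, prev = [], GENESIS
    for name, data in sorted(approved.items()):
        digest = sha256(data)
        link = sha256(f"{prev}|{name}|{digest}".encode())
        entries.append({"name": name, "sha256": digest, "prev": prev, "link": link})
        prev = link
    return entries

def verify_catalog(entries: list, expected_head: str) -> bool:
    """Recompute the chain and compare against a head pinned out of band."""
    prev = GENESIS
    for e in entries:
        expected = sha256(f"{prev}|{e['name']}|{e['sha256']}".encode())
        if e["prev"] != prev or e["link"] != expected:
            return False
        prev = e["link"]
    return prev == expected_head

def gate_build(artifacts: dict, entries: list, expected_head: str) -> dict:
    """Allow a build only if the catalog verifies and every artifact the
    build would consume has a hash recorded in it; anything else is unknown
    and therefore untrusted, so the build is denied."""
    if not verify_catalog(entries, expected_head):
        return {"allowed": False, "reason": "catalog integrity check failed", "unknown": []}
    known = {e["sha256"] for e in entries}
    unknown = sorted(n for n, data in artifacts.items() if sha256(data) not in known)
    reason = "unvetted artifacts" if unknown else "ok"
    return {"allowed": not unknown, "reason": reason, "unknown": unknown}

CATALOG = build_catalog(APPROVED)
HEAD = CATALOG[-1]["link"]  # pinned head, stored separately from the catalog
```

A modified copy of an approved library hashes differently and is reported as unknown just like a brand-new one, which is the out-of-band check the bank asked for: developers sign nothing, the gate compares hashes in the background.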
Conclusions and Return on Investment
Trustcenter has provided unchallenged security for all development activities since deployment. With 100% uptime, Trustcenter has demonstrated its ability to handle a very sizable volume of artifact tracking, processing billions of artifacts with ease.
As a result, the bank has achieved a Return on Investment (ROI) of approximately 300% in the first year based on the subscription price for Trustcenter, making it a worthwhile investment for the bank.
With Trustcenter in place, the bank has been able to avoid security breaches such as those caused by the Log4j or SolarWinds vulnerabilities since the initial deployment. Trustcenter's proactive approach to security and its ability to automatically detect and mitigate risks have played a crucial role in maintaining the bank's security posture.