DevOps Awards winner Boa Vista Services on securing the software supply chain
Luis Asensio Alves Garcia
Chief information security officer, Boa Vista Serviços
Romulo Domingos
Cloud engineering manager, Boa Vista Serviços
In this blog post, we’re highlighting Boa Vista for the DevOps achievements that earned them the ‘Securing the software supply chain’ award in the 2022 DevOps Awards. If you want to learn more about the winners and how they used DORA metrics and practices to grow their businesses, start here.
Boa Vista Serviços — originally established over 60 years ago — has distinguished itself as a major contributor to the development of credit activity in Brazil. We first helped the nation establish a more balanced relationship between companies and consumers. Now, we help customers transform data into solutions by combining analytical intelligence with technology.
With access to massive volumes of sensitive information — including Brazilian citizens’ credit scorecards — data security is key to Boa Vista’s success. Initially, our core technologies were based on Mainframe and AS400 workloads, but as technology evolved, we needed to evolve as well — both our processes and our technologies. After discussing it internally, we found that migrating to the cloud, and more specifically, to Google Cloud, was the strategic choice for our future.
The issue that we discovered early on in migration planning was that our legacy infrastructure had grown too complex — especially among the most system-critical areas. Our architecture was monolithic, with each software component representing a product with different access channels and a high coupling of business rules. This meant that migration came with a new concept for how data is treated, which could introduce unique security risks.
Goals
To create a better developer journey to the cloud with new products and services for financial and consumer business units, the stability, scalability, and resilience of a cloud-native stack was crucial. Not only that, but the cloud solution we chose would need to ensure:
Standardization
Improved code quality
Security in the software development life cycle (SDLC)
Development, implementation, and adoption of cloud best practices
The Stargate Project
To modernize, we started working with Google Cloud on our digital transformation in 2019, beginning with a full migration of our on-premises workloads to the cloud. We worked with Google Cloud to learn about our migration options, while also discussing how to instill a generative culture in the company, as recommended by DevOps Research and Assessment (DORA). Professor Ron Westrum coined the term “generative culture” to describe organizations that are performance-oriented, with high degrees of cooperation, where risks are shared and novel approaches are rewarded. The DORA report found that a generative culture leads to increased organizational performance.
Together, we explored how to improve efficiency and business value through accelerated innovation with a focus on automation, toil reduction, and operational excellence. We decided that the best path forward was through modern CI/CD pipelines and DevSecOps strategies based on Kubernetes, GitOps, and Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), bringing an agile mindset to our legacy modernization, product design, and reliability engineering methodologies. This was the basis of our “Stargate Project.”
The Stargate Project is our core initiative for defining a cross-company developer experience journey, starting with a solid CI/CD pipeline, including a package registry, built around a strong “shift left” security approach. This included:
Automated versioning control using semantic versioning
Unit tests in all merge requests
Test coverage analysis and reports
Static application security testing with secrets detection by default
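As an added illustration of two of the merge-request gates listed above (semantic-version tags and secrets detection on by default), the following Python is not Boa Vista’s pipeline code; the detection patterns, the `# test-fixture` allow-list marker and the sample diff are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed patterns for two of the gates the post lists: a semantic-version
# tag check and secrets detection on the lines a merge request adds.
SEMVER_RE = re.compile(r"^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?$")
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    "hardcoded_password": re.compile(r"(?i)(password|passwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "generic_api_key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
}

def is_valid_semver(tag: str) -> bool:
    """Accept tags such as v1.4.2 or 2.0.0-rc1; reject 1.4 or release-3."""
    return SEMVER_RE.match(tag) is not None

def scan_diff_for_secrets(diff: str) -> List[Dict[str, object]]:
    """Report secret-like values on added ('+') lines only, skipping the
    '+++' file header and lines explicitly marked as test fixtures."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context, removed lines and the file header are not new code
        content = line[1:]
        if "# test-fixture" in content:  # allow-listed placeholder value (constructed marker)
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append({"rule": rule, "line": lineno, "text": content.strip()})
    return findings

def merge_request_gate(tag: str, diff: str) -> Dict[str, object]:
    """Verdict for the pipeline: block the merge when either gate fails."""
    secrets = scan_diff_for_secrets(diff)
    valid_version = is_valid_semver(tag)
    return {"allow": valid_version and not secrets,
            "valid_version": valid_version, "secrets": secrets}

# Constructed sample diff: one hard-coded password and one allow-listed fixture.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1 +1,4 @@
 DB_HOST = "db.internal"
+DB_PASSWORD = "Sup3rSecretValue!"
+API_KEY = "placeholder-not-a-real-key"  # test-fixture
+DEBUG = False
"""
```

Running `merge_request_gate("v1.4.2", SAMPLE_DIFF)` reports the hard-coded password on line 5 of the diff and blocks the merge even though the version tag is valid.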
We leveraged a number of Google Cloud tools and services to maximize our security and productivity. Here’s how we used some of them to drive the Stargate’s mission:
Shifting from SVN to Git to meet service deployment demands in GKE, with full Google Cloud integration, brought security earlier into the SDLC by segregating passwords and settings into separate projects and branches, with single-click deployment.
Coordinating microservice communications with Istio Service Mesh allowed more than 30 teams to run reports containing far more information; previously, such reports would have caused response delays of up to 10 seconds.
Deploying the API Gateway to add provider agnosticism to the pipeline opened up the ability to use multiple providers — one for internal flows and another for external flows.
Implementing our Security Lighthouse, a security maturity program based on Security by Design (SAMM 2.0).
Security meets speed
In the six months since the development of the Stargate Project, we have already seen massive improvements. With our new dedication to CI/CD, we have managed:
400%+ faster deployments - over 1000 packages deployed
More than 25 development teams using the system
A 30% increase in security maturity for all products
Five security validations in all pipelines
Not only have we seen immense improvements in accelerated processes, but these and other modernization efforts have driven growth in DORA’s four key metrics:
Change failure rate: By the end of 2022, our products had 99.98% availability
Deployment frequency: Our release rate produced over four times more changes than before the migration
Lead time for changes: We’ve seen a 30% reduction in lead time
Time to restore service: Less than one day
And, most importantly, by ensuring a stable migration and a dedication to DORA’s research-backed recommendations, we were able to do all of this while ensuring there was no threat to the security of our customers’ data.
Stay tuned for the rest of the series highlighting the DevOps Award Winners and read the 2022 State of DevOps report to dive deeper into the DORA research.