BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer Experience
On December 3, 2024, at CISO Indonesia 2024 in Jakarta, Snyk’s Senior Technical Success Manager, Didik Achmadi, moderated a panel discussion featuring Justinus Okky Munindra Permana, Head of Enterprise Architecture at BFI Finance Indonesia, and Yusuf Herbiono, Head of Site Reliability Engineering (SRE) at BFI Finance Indonesia. The session, titled ‘BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer Experience,’ shared valuable insights into BFI’s journey toward a secure software development lifecycle (SDLC).
(Photo from right: Yusuf Herbiono, Head of Site Reliability Engineering (SRE) at BFI Finance Indonesia, Justinus Okky Munindra Permana, Head of Enterprise Architecture at BFI Finance Indonesia, Didik Achmadi, Snyk’s Senior Technical Success Manager)
From Reactive to Proactive Security Practices
BFI began its journey with a reactive approach to security, relying heavily on pen tests and container scans after deployment. However, they recognized the need to shift left and embed security earlier in their development lifecycle. With Snyk as their primary tool, BFI transitioned to a proactive strategy that includes:
- Pull Request Scans: Identifying vulnerabilities in open source and code dependencies early.
- Code Scans During Development: Ensuring issues are resolved before merging.
- IaC Scans for Infrastructure: Proactively securing Terraform files before deployment.
- Container Scans for Production: Maintaining security integrity post-deployment.
Key Results with Snyk
- Improved Compliance:
* Zero critical or high issues in production, achieved through Snyk’s integration into app and infrastructure workflows.
* Defined patch grace periods based on vulnerability severity.
- Better Developer Experience:
* Easy integration into existing workflows, with clear issue definitions and actionable recommendations.
* Improved productivity through seamless IDE and CI/CD pipeline integration.
- Enhanced Reporting:
* Customizable and squad-specific reports, helping leadership track key metrics like issue resolution progress and squad velocity.
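The two compliance results above (severity-based patch grace periods and no critical/high issues in production) and the squad-level reporting can be expressed as a small policy check over scan findings. This is an added illustration, not BFI's or Snyk's code; the grace-period values, the finding fields and the sample findings are constructed placeholders, since the page does not give them.

```python
from datetime import date, timedelta

# Assumed grace periods in days per severity. The page says BFI defined
# severity-based grace periods but does not state the values; these are placeholders.
GRACE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Severities that must never be open in production (the page's stated target).
BLOCKING = {"critical", "high"}

# Constructed sample findings (not real Snyk output), one per scan stage on the page.
FINDINGS = [
    {"id": "F-1", "stage": "open-source", "severity": "high", "squad": "lending",
     "first_seen": "2024-11-01", "environment": "production"},
    {"id": "F-2", "stage": "code", "severity": "medium", "squad": "lending",
     "first_seen": "2024-11-20", "environment": "staging"},
    {"id": "F-3", "stage": "iac", "severity": "low", "squad": "platform",
     "first_seen": "2024-06-01", "environment": "staging"},
    {"id": "F-4", "stage": "container", "severity": "critical", "squad": "platform",
     "first_seen": "2024-12-01", "environment": "staging"},
]


def deadline(finding):
    """Date by which the finding must be fixed under its severity's grace period."""
    first_seen = date.fromisoformat(finding["first_seen"])
    return first_seen + timedelta(days=GRACE_DAYS[finding["severity"]])


def overdue(findings, today):
    """IDs of findings whose grace period has already elapsed as of `today`."""
    return [f["id"] for f in findings if deadline(f) < today]


def production_gate(findings):
    """True only when no critical or high finding is open in production."""
    return not any(f["severity"] in BLOCKING and f["environment"] == "production"
                   for f in findings)


def squad_summary(findings, today):
    """Per-squad counts of open and overdue findings, as a leadership report would show."""
    late = set(overdue(findings, today))
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["squad"], {"open": 0, "overdue": 0})
        entry["open"] += 1
        entry["overdue"] += f["id"] in late
    return summary


if __name__ == "__main__":
    today = date(2024, 12, 3)  # constructed reporting date
    print("overdue:", overdue(FINDINGS, today))
    print("production clean:", production_gate(FINDINGS))
    print("by squad:", squad_summary(FINDINGS, today))
```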
Lessons Learned: Collaboration and Culture Drive Success
BFI emphasized that implementing secure development practices requires collaboration and a culture shift:
- Cross-Team Efforts: Working with IT Governance, Technical Program Managers (often referred to as Scrum Masters), and Digital Product Owners (also known as Product Managers/Owners) was critical to embedding security as a standard part of deployments.
- Cultural Transformation: Providing security training and setting clear metrics (KPI/OKR) encouraged adoption and accountability.
- Elevating Standards: Snyk also enabled BFI to raise security expectations for their vendors, ensuring alignment with organizational goals.
Setting the Standard for Secure Development
The panel concluded with this takeaway: building a secure SDLC is about more than just tools - it’s about setting clear standards, fostering collaboration, and prioritizing speed and visibility in handling security issues. These practices ensure application and infrastructure security are maintained across the entire lifecycle.
Watch Our Demo Video in Bahasa Indonesia! Learn more about how Snyk can help you secure your application development process by watching our demo video at the following link: See the Bahasa Indonesia Demo Here
Check out BFI Finance’s LinkedIn post to read more about their digital transformation journey and the lessons they’ve learned along the way: BFI Finance LinkedIn Post