The World Bank Group’s Cloud Journey With DevSecOps

Editor’s Note: We are hosting DevSecOps Leadership Forum virtual events. Register to hear directly from leaders in London and North America

In this post, we cover what William Zhang, Andy Gao, and Srini Kasturi shared about their DevSecOps journey at the World Bank Group. Watch their entire AllDay DevOps presentation, linked below.

As an overview, the World Bank Group is made up of several organizations that work towards ending extreme poverty across the world and boosting shared prosperity. They work on many fronts, including water and transportation improvements. Much of their work involves processing financial transactions and handling sensitive data, and they therefore saw a need to move towards DevSecOps.

To begin the DevSecOps journey, they first moved to SaaS solutions, like Office 365 and SharePoint Online. They then brought in other SaaS solutions, like Saba for training. Finally, they moved into infrastructure-as-a-service from providers like AWS and Microsoft Azure.

Why was this necessary? Previously they needed to wait for months, if not years, to get necessary upgrades to their software and infrastructure. Cloud-based platforms gave them the agility they needed to stay ahead. Now, when the service provider releases an update, it can easily be applied to their systems.

Next up, they needed to start looking at applications, in addition to their infrastructure and cloud software. So where did they start on the application side? Back around 2008 or 2009, the World Bank Group embraced the idea that a security fix costs more when it is done at the end of the SDLC, as in a typical waterfall model.

[Figure: flow chart showing approaches to project phases] Screenshot from Zhang, Gao, Kasturi’s “The World Bank Group’s Cloud Journey With DevSecOps” presentation

The traditional approach wouldn’t work. Security was looked at only near the end. Because of that, there’s always a desire (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sylvia Fronczak. Read the original post at: