JRI combines DevSecOps with secure delivery and cloud agility

The Japan Research Institute (JRI) set up its digital team in 2020 to promote the organization’s transformation and embrace cloud-based platforms and architectures. From the outset, the digital team adopted a policy of shift-left testing and DevSecOps to ensure the security of its applications and platforms across the development cycle and to avoid roadblocks and delays to production and release schedules. Red Hat® OpenShift® Dedicated is now a key element of the development environment at JRI, providing a fully managed platform supported by Red Hat site reliability engineering (SRE), with all of the necessary tools for application development, deployment, monitoring, auto-scaling, and backup, along with security and compliance certifications. The resulting high levels of stability and security ensure smooth and on-time releases to production.


Question: Tell us about JRI’s development process and its journey to DevSecOps.

Takdir Chowdhury, Chief Digital Strategist, DX Systems Division at The Japan Research Institute: Our agile development and delivery process incorporates scrum methodology and can be categorized into 2 main activities: Sprint and Release. Sprint activity follows 2-week development cycles that start with application design, followed by coding and unit tests, which are common practices in agile development. As part of shift-left testing and security, we also carry out application security and integration testing during Sprint. Release activities focus on user acceptance and nonfunctional tests, such as penetration, recovery, and performance testing. We also carry out change management and release reviews to ensure a smooth, successful release to production. We set a policy to adopt DevSecOps from the outset, as that is far more effective than trying to add it to standard development processes; the change is often difficult to implement. When we established the digital team, we set out to follow the right processes in delivering digital services, and DevSecOps is a critical part of that.

Question: What initial business challenges did you and your team need to overcome?

Chowdhury: Public cloud platforms are not seen as reliable and secure by many financial institutions in Japan, so most use traditional datacenters. Also, most financial institutions in Japan, especially the larger ones, do not have in-house development operations. IT is typically seen as a cost center that does not contribute directly to growth, so development tasks are often outsourced to system integrators, with institutions’ IT departments acting as project managers, overseeing a project’s quality, cost, and delivery schedule. System integrators often then outsource work on larger projects to multiple subcontractors, leading to increased complexity. 

The results of this approach include slow time to market, lack of ownership and commitment, vendor lock-in, and high total cost of ownership. That is why, in 2020, senior managers at JRI decided to break from the norm, embrace transformation and the cloud, and establish a digital team.

Question: How was Red Hat OpenShift brought into the organization? Was it there from the start or did you adopt it as you built the team?

Chowdhury: The team’s initial strategy included adopting public cloud platforms to build, run, and monitor cloud-native applications. We knew that public cloud platforms and managed services would be key enablers for the delivery of stable, scalable, secure, and resilient digital services. We also adopted a container-based Platform-as-a-Service (PaaS) platform for web applications and a Mobile Backend-as-a-Service (MBaaS) platform for our mobile applications.

For our PaaS platform, we decided to adopt Red Hat OpenShift Dedicated, which is a fully managed platform supported by Red Hat SREs 24x7. It is not just a container platform: It provides all of the necessary tools for application development, deployment, monitoring, auto-scaling, and backup, plus a wide range of security and compliance certifications. This enables our engineers to focus on designing robust architecture, writing high-quality code, and automating application deployment and monitoring. All of this helps to ensure stability, security, scalability, and resilience in our digital applications.

Question: Why does open source software work for JRI?

Chowdhury: I started my career as a software engineer and have used open source products from day one—and I am a great fan. Why open source? Because it gives you freedom, and software engineers like freedom. You can use the software as is, or you can enhance and modify it if you need to. It also gives you a high level of confidence because you know that people in the community will help if you have any issues, and you can share information with them. That is not something you get with proprietary software. 

With Red Hat, of course, we get the freedom of open source, but with full support. That is obviously very important if we are building a tool or platform that will become core to our operation. Red Hat SREs monitor the platform 24x7 and respond very quickly if an issue arises. That high-level support from very professional people is something we really appreciate.

Question: How have attitudes to security changed at JRI because of DevSecOps?

Chowdhury: Our initial aim was to promote the message that security is not solely the responsibility of the security team but a shared concern for everyone involved in delivering digital services. We now have 9 defined roles in our digital team, and security is an important part of their responsibilities. 

Before we release any services to production, the security officers, including me, review vulnerability statuses to determine that the application is ready for production and that vulnerabilities—especially those of high severity—are addressed appropriately.

Question: How has the implementation of DevSecOps benefited your organization?

Chowdhury: Before we adopted DevSecOps, several critical and high-severity vulnerabilities were detected during the penetration test phase, which is usually in the later stages of the development cycle. In some cases, we had to delay the release schedule by a few weeks to address and fix those vulnerabilities.

After integrating application security testing and DevSecOps tools in the early development process, no showstopper vulnerabilities have been detected during penetration testing. The CI/CD pipeline also has integrated security checkpoints, which ensures additional stability. As a result, we can ensure high levels of stability and security before we deliver an application to Red Hat OpenShift and on to a smooth release to production.
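The interview describes two controls without showing either: a CI/CD pipeline with integrated security checkpoints, and a pre-release review by security officers in which vulnerability statuses are checked and high-severity findings must be addressed. The script below is an added illustration of how such a checkpoint is commonly built, and is not JRI's or Red Hat's code. It assumes a scanner that emits findings as JSON (the report layout, finding IDs, severities and the waiver file format are all constructed for this example) and fails the pipeline when any finding at or above the chosen severity threshold has no valid, unexpired waiver signed off by a security officer.

```python
"""Release gate: block the pipeline when unwaived HIGH/CRITICAL findings remain.

Added example, not code from JRI or Red Hat. The report and waiver formats
are assumptions; adapt load_findings()/load_waivers() to your scanner.
Exit status 0 means the gate passed, 1 means blocking findings remain.
"""
import json
import sys
from datetime import date

# Severity ladder used to compare findings against the gate threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample scanner output (hypothetical IDs, not real advisories).
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "FINDING-001", "severity": "CRITICAL", "component": "libfoo", "fixed_in": "1.2.4"},
    {"id": "FINDING-002", "severity": "HIGH", "component": "barlib", "fixed_in": None},
    {"id": "FINDING-003", "severity": "MEDIUM", "component": "bazlib", "fixed_in": "3.0.1"},
    {"id": "FINDING-004", "severity": "high", "component": "quxlib", "fixed_in": "0.9.9"},
]})

# Constructed waiver file: each entry records a security officer's sign-off
# with a reason and an expiry date, so accepted risk is revisited, not forgotten.
SAMPLE_WAIVERS = json.dumps([
    {"id": "FINDING-002", "approved_by": "security-officer",
     "expires": "2099-01-01", "reason": "not reachable; vendor fix pending"},
    {"id": "FINDING-004", "approved_by": "security-officer",
     "expires": "2020-01-01", "reason": "temporary exception (now expired)"},
])


def load_findings(report_json):
    """Parse the assumed scanner report into a list of finding dicts."""
    return json.loads(report_json)["findings"]


def load_waivers(waivers_json):
    """Parse the assumed waiver file into a list of waiver dicts."""
    return json.loads(waivers_json)


def evaluate(findings, waivers, threshold="HIGH", today=None):
    """Classify findings as blocking, waived, or below the gate threshold.

    today may be a date, an ISO string, or None (meaning the real date).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    min_rank = SEVERITY_RANK[threshold.upper()]

    # Only waivers that have not expired count; an expired waiver is ignored.
    valid_waivers = {w["id"]: w for w in waivers
                     if date.fromisoformat(w["expires"]) >= today}

    result = {"blocking": [], "waived": [], "below_threshold": []}
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].upper())
        if rank is None:
            # Fail closed: an unrecognised severity is treated as CRITICAL.
            rank = SEVERITY_RANK["CRITICAL"]
        if rank < min_rank:
            result["below_threshold"].append(f["id"])
        elif f["id"] in valid_waivers:
            result["waived"].append(f["id"])
        else:
            result["blocking"].append(f["id"])
    return result


def gate_passes(findings, waivers, threshold="HIGH", today=None):
    """True when no finding at or above threshold lacks a valid waiver."""
    return not evaluate(findings, waivers, threshold, today)["blocking"]


def run_gate(report_json, waivers_json, threshold="HIGH", today=None):
    """Convenience wrapper returning (passed, details) for pipeline use."""
    details = evaluate(load_findings(report_json), load_waivers(waivers_json),
                       threshold, today)
    return (not details["blocking"], details)


if __name__ == "__main__":
    # Usage: python gate.py [report.json waivers.json]; falls back to samples.
    if len(sys.argv) == 3:
        report = open(sys.argv[1]).read()
        waivers = open(sys.argv[2]).read()
    else:
        report, waivers = SAMPLE_REPORT, SAMPLE_WAIVERS
    passed, details = run_gate(report, waivers)
    for key in ("blocking", "waived", "below_threshold"):
        print(f"{key}: {details[key]}")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, a non-zero exit stops the release just as the pentest findings described above once did, but weeks earlier and on every commit. With the constructed samples the gate fails: the CRITICAL finding has no waiver and the HIGH finding's waiver has expired, while the waived HIGH finding and the MEDIUM finding do not block. The expiry date on every waiver is the point a practitioner should insist on; without it, accepted risk silently becomes permanent.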

About The Japan Research Institute

The Japan Research Institute (JRI) is a “knowledge engineering” company that offers comprehensive, high-value-added information services through the coordinated application of three functions: information systems, consulting, and think-tank. 

As a systems integrator, JRI offers services in IT strategy planning, implementation, and outsourcing for a broad range of industries and activities. It has a particularly strong reputation in the development of financial systems services.

About Red Hat Innovators in the Open

Innovation is the core of open source. Red Hat customers use open source technologies to change not only their own organizations, but also entire industries and markets. Red Hat Innovators in the Open proudly showcases how our customers use enterprise open source solutions to solve their toughest business challenges. Want to share your story?