ABN AMRO and Sonatype Lifecycle

ABN AMRO serves retail, private and corporate banking clients with a primary focus on the Netherlands. Counting all major and smaller banks that over the years have been the current bank’s predecessors, ABN AMRO’s roots go back 300 years. The organization currently has 22,000 internal employees, 5,000 IT associates and more than 300 agile teams in IT.

The internal IT Tooling & Software Development group at ABN AMRO is responsible for selecting, implementing and integrating the tools within the bank, with a focus on software quality and supporting agile teams. Their main concentration is on implementing continuous integration/continuous delivery (CI/CD) pipelines as a major part of that support. Sonatype Nexus Repository and Sonatype Lifecycle are included within the CI/CD pipeline.

The development teams use Sonatype Nexus Repository as a single source for storing components. Sonatype Lifecycle is used to automate security processes, and to manage the consumption and usage of open source components.

“We wanted fast solutions, but also wanted those to be secure solutions. We shouldn’t have to discuss whether software should be secure. That’s why we chose Sonatype Lifecycle.”

STEFAN SIMENON
Head of Centre of Expertise Software Development & Tooling

The Challenge: Shifting From a Waterfall to a DevOps Culture

The development shop at ABN AMRO was a waterfall organization before making the transition to a DevOps culture. It took an inordinate amount of time to put software into the environment, to make software available to their end clients. A check was done to determine how long it would take to deploy the simplest “Hello World!” program into production. The multi-step waterfall process took five to six months because of multiple manual approval processes and waiting time.

Software security was managed through manual procedures. Code quality checks, based upon Service Levels Agreements with the development suppliers, were completed after production deployments.

Of major concern were the manual approval processes and the closed open source repository. Often requests to add new components were done late in development, with the problem compounded by a long approval process. Once a component was used, it was never questioned again.

The bottleneck of the waterfall processes hindered the company’s ability to provide timely solutions to their clients. A cultural transformation within the company was needed to accelerate software delivery and improve software quality.

The Solution: Embracing CI/CD Using Nexus Lifecycle for Open Source Monitoring and Tracking

ABN AMRO chose to set up a CI/CD initiative, where multiple tooling pipelines were created. In addition, an initiative was launched to focus on cultural and change management aspects. The transition became formalized during reorganization in the bank. The objectives were less project management, less overhead, new agile roles defined, pre-funded agile teams and increased focus on software delivery.

Stefan Simenon is responsible for integrating the tools within the bank. His responsibilities include overseeing software quality and secure coding, while supporting agile teams within the bank to implement CI/CD. The basic pipeline included Jenkins, BitBucket, Maven, SonarQube and Sonatype Nexus Repository. As teams started working with the pipeline, senior management saw the benefits of the change and encouraged the expansion of the pipeline to other development teams.

Sonatype Lifecycle was added for open source software monitoring and tracking, Fortify for security code quality, and JIRA for backlog management. Governance oversight was created to ensure correct usage of tools and pipelines.

Using Sonatype Nexus Repository and Sonatype Lifecycle

ABN AMRO uses Sonatype Nexus Repository as a binary artifact store. A deployable archive in Sonatype Nexus is the end of the CI process (triggered by Jenkins) and the beginning of the CD process (triggered by XL Release). Sonatype Nexus acts as the basic store house for all components, such as COTS packages that enter ABN AMRO.

"Sonatype Nexus is being used as a handover between CI and CD,” explains Simenon. “We output the entire CI process as a deployment archive, then store it in Sonatype Nexus. We strive to standardize our development processes as much as possible and Sonatype Nexus Repository is crucial for this.”

There were extended discussions on monitoring and tracking of open source components.

"We wanted fast solutions, but also wanted those to be secure solutions. We didn't need to look very far. With Sonatype Lifecycle, we can help programmers make the right decisions and make their software more secure. That's why we chose Lifecycle.”

ABN AMRO is implementing quality gates and build breakers to improve code quality and security awareness. Sonatype Lifecycle is used to verify that developers are using safe open source libraries as opposed to ‘illegal’ libraries. It monitors and verifies that people are updating their libraries and using the most appropriate versions, while displaying the security consequences of those selections.

“Currently we have implemented a set of build breakers based upon SonarQube, Fortify and Sonatype Lifecycle. Because of this we see lots of increased quality awareness and less useless discussions with regards to quality. We will strengthen the build breaker criteria in the future. In the beginning there used to be resistance in the organization against the build breakers but this is currently no longer the case. Without the toolsets, including Sonatype Lifecycle and CI pipelines, we would never have been able to improve the software quality.”

The CICD initiative has led to following improvements:

The Outcome: Increased Build Time Without Sacrificing Quality or Security

Velocity and Lead Time

• Velocity has increased by a factor 2 – 2.5
• Decreased time to deployment (Internet/mobile banking had four releases to production per year; with the automated pipeline, releases are now every two weeks)
• More and more teams are able to deliver software to production in 1 sprint
• Test lead times are decreasing

Quality, Security and Stability

• Software quality and security has significantly improved
• Test environments have become more stable because of automated rollbacks

Conclusion

Simenon talks proudly about what has been accomplished at ABN AMRO.  "We’re much more focused on delivering software instead of managing procedures around the software.

“Our aim is to create an optimal working environment for our development community. Usage of best-in-class tools and interactions with specialists help in this regard. We are very happy with the tools provided by Sonatype and appreciate the cooperation between our teams.

“I like to have a partnership with my tool providers. We organize regular face-to-face sessions with our most important tool suppliers, like Sonatype. By doing this we create a win-win situation; we learn from the supplier’s advice about future functionalities and the supplier understands how to improve their product based upon our needs.”