How Lunar shifted security left while building a cloud native bank

At SnykCon 2021, there were a number of insightful talks from companies that were able to build successful AppSec programs. As the Lead Platform Architect at Lunar and a Cloud Native Computing Foundation (CNCF) ambassador, Kasper Nissen’s presentation was no exception.

In this post, we’ll recap Nissen’s talk about how his security team at Lunar was able to shift security left while building a cloud native bank. He covers what it means to shift left, how to ensure ownership over a microservices architecture, how to empower developers through security tooling, and more.

Shifting from a fintech startup to a cloud native bank

Lunar began as a fintech startup that offered a mobile banking app built atop an existing bank in the Nordic area. In 2020, however, Lunar made the transition to becoming an official bank with its own banking license. That means Lunar is now a fully cloud native bank, serving customers in Denmark, Norway, and Sweden.

The challenge when we started was, how can we actually build a bank in the 21st century. That’s why we choose to run everything using cloud native technologies and a fully autonomous microservices architecture.

Agile cloud native security

Along with adopting a cloud native architecture using containers, infrastructure as code (IaC), and other modern technologies, Lunar recognized the need for a better approach to application security. According to Nissen, the company needed a way to be secure and agile at the same time, so that Lunar could be competitive as a bank without introducing security risks.

Shifting security left — or implementing security earlier in the software development lifecycle (SDLC) — has enabled Lunar to improve the security of its microservices without slowing development. Prioritizing security was fundamental to Lunar’s transition from a fintech startup to a legitimate bank.

We shift security left, so we take things from the old waterfall model and do them earlier. Security is a thing that we constantly do, and get feedback on, and adapt and correct as necessary.

Transparent ownership over microservices

Since Lunar’s developers now take on more responsibility for the cloud infrastructure, the security team knew they needed to clarify who had ownership over each microservice. Using the Single Team Owned Service Architecture (STOSA), every microservice is managed by a development team, including its design, development, testing, security, deployment, monitoring, and more.

In a STOSA organization, the team that owns that service is ultimately 100% responsible for all aspects of that service. At Lunar, we’ve been using this paradigm to build our infrastructure and platform because we’re empowering our development teams to take on this ownership.

Empowering developers through security tools

Lunar recognized that delivering secure software fast requires empowering its developers to handle application security within their existing workflows. That’s why Lunar ensures every developer is onboarded to security tooling that makes it easy to do the right thing by default.

Our developers are responsible for vulnerabilities within their services and the dependencies they use. We need to help them handle that responsibility, so we provide actionable advice, automation, and try to integrate with all the day-to-day monitoring tools.

For example, Lunar uses Snyk to automatically scan for security issues in dependencies and containers. By seamlessly integrating vulnerability scanning into the development process, Lunar is empowering its developers to take control of application security. That means each microservice is now secure by default.

In addition, Lunar uses the Snyk plugin with Backstage, a developer portal that provides visibility into cloud native software projects across the organization. Through Snyk, Backstage, and other tools, Lunar now has a clear audit trail into every change to the source code or configurations. This is critical for complying with the security requirements in the financial services industry.

Speed and security together

Since adopting the shift left security approach, Lunar has integrated security into a fast-paced development lifecycle. In fact, the bank releases on average 25 production releases in a day. The developers own their releases and ensure they’re following security standards with each new build. This streamlined approach has been instrumental in helping Lunar meet the compliance requirements for a licensed bank.

Make it easy to do the right thing and try to build in security wherever it’s possible. And when you shift left, provide actionable information to your developers so they can actually take on that responsibility and ownership.

Want to learn more about securing your fintech software? Learn how Snyk can help you disrupt the finance industry, not your developers.