Constantinople, a startup in the financial services space, is using GitLab’s DevSecOps Platform to incorporate security into their software development lifecycle from the very beginning, while also fostering critical, long-term collaboration across the business.
“Security is a non-negotiable in our industry, and something neither we nor our clients will compromise on,” says Jeremy Smith, Vice President of Engineering at Constantinople, which has fewer than 70 employees and is based in Sydney, Australia. “By building in best practices through use of the DevSecOps platform from day zero, we are building a platform with security baked in. Trying to retrofit it in the future would not only leave us exposed until then, it also would result in a lesser end product.”
Before diving further into Constantinople’s story, here's a snapshot of what they’re doing and achieving with GitLab:
- They’ve used GitLab to create a cloud-native backend platform, comprising six interconnected services, along with a mobile banking customer app.
- Developers are deploying code 20 to 30 times per day.
- The company is using automation built into the platform for more than a dozen processes, including testing, security scanning, and updating hosted API documentation.
- The platform’s analytics and dashboards are continually displayed on a TV in the office for company-wide visibility.
For Macgregor Duncan, co-founder and co-CEO of Constantinople, it’s all about making sure security is at the forefront of everything they do.
“Our customers entrust us to handle their most sensitive financial data and mission-critical operations. There is no margin for error,” he says. “As a result, we have treated security as a top priority from day one, building it into every aspect of our software lifecycle. GitLab’s DevSecOps Platform has been a key part of ensuring this. And as we continue to scale our business, we are placing more reliance on other platform features, like visibility, measurability, and collaboration.”
Starting out with a DevSecOps platform
Constantinople delivers fully managed digital banking services to financial institutions. The venture capital-backed business, which was founded in 2022, is building a cloud-native operating platform and operational service software, along with customer-facing applications that each client bank can configure as its own.
By hosting customers directly on their platform and managing all operational aspects for their client banks, Constantinople is looking to radically simplify how banks operate.
All of this is being built with GitLab, using the DevSecOps Platform to create mission-critical software for everything from customer experience to transaction and lending products, digital servicing, and compliance solutions.
For Constantinople, security needs to be part of every aspect of their software lifecycle now so they don’t have to go back and fix vulnerabilities when it’s more costly and time-consuming. Using GitLab’s DevSecOps Platform from the very beginning has been a key part of their startup strategy. They also want visibility, measurability, and collaboration to be part of their process at the earliest stages of their company.
Beginning with a security focus
Constantinople, which uses the AWS cloud, is creating software and a multi-tenant platform that a number of banks will use, so strong security must be foundational. Moving security earlier in the software development lifecycle — all the way to the planning stages — is crucial. So is using automated security testing to catch vulnerabilities when they’re created, instead of when software is about to be deployed. Gaining those abilities inside a single, end-to-end platform is the best way for Constantinople developers to make sure all of this happens.
“Security is always front of mind for all of our developers, especially since we are working within a high-security industry,” says Smith. “A critical part of our secure software lifecycle is making it as easy as possible for developers to build secure code, and make sure any issues are quickly fixed, long before merge and release. By shortening our security feedback cycle, we have both happier developers, and a cleaner and more secure codebase.”
It’s key for Constantinople not only to offer its customers software that is compliant with industry and government regulations, but also to ease the process of becoming and remaining compliant.
“Compliance is obviously vital to any business operating within the regulated perimeter, especially financial services,” says Smith. “Automated compliance capabilities in the DevSecOps platform are a key differentiator for us, precisely because it makes the process easy, reliable, and repeatable.”
Creating an atmosphere of collaboration
The leadership team also is focused on building into their company — in development teams and across the entire business — an atmosphere of collaboration. They don’t want to wait until the number of employees has expanded from tens to hundreds or thousands, and then begin to try to convince people to work together. They want that happening right now, from the very beginning, so the collaboration mentality is part of the Constantinople experience that scales with the company.
“Collaboration is absolutely critical,” says Smith, noting that about 80% of the company is directly responsible for delivering software products. “Without developers being able to collaborate, no complex system could be built because developers would tread on each other's toes and break each other’s work. While the software we build is at the heart of what we do, we’re so much more than just a software provider. With operations, compliance, and a multitude of other functions layered on top of the software, enabling multiple features to work together is key to us.”
He adds, “Having a group of self-driven developers each contributing seamlessly is like seeing a piece of art come together. Collaboration is the difference between a team that works and one that doesn’t.”
Getting started with GitLab’s platform
Constantinople didn’t want to start with a complicated and costly bunch of DevOps tools strung together into an unwieldy toolchain. Developers and leaders wanted to launch the company using a full DevSecOps platform. They evaluated Bitbucket, GitHub, and Snyk, but decided to go with GitLab Ultimate. This was largely because of its feature maturity as well as its security and CI/CD capabilities. Using a single application also means that they aren’t building a toolchain that would have their developers and engineers spending time integrating, updating, and maintaining a plethora of tools, instead of focusing on creating products, according to Smith.
“We’ve been able to do all of our technical tooling within GitLab,” says Smith. “For a startup, especially, using a DevSecOps platform allows us to focus on building our product without all the overhead and risk that comes with trying to manage development and security in isolation. We can maximize the efficiency of, and minimize the rework for, both software and DevOps engineers.”
And it’s working well for the company’s team of developers. Smith notes that everyone surveyed said they either “liked” or “loved” GitLab’s DevSecOps Platform.