# FinServ startup Constantinople uses DevSecOps to build in security

By Sharon Gaudin | 2023-05-17 | 6 min read | Security & Compliance

With a DevSecOps platform, Constantinople has minimized security and compliance risks while maximizing efficiency.

**Key takeaways**
- Constantinople integrates security early using GitLab's DevSecOps Platform, ensuring software is secure from the start and compliant with industry standards.
- The platform fosters collaboration across teams, creating a seamless environment where developers work together efficiently, avoiding overlap and errors.
- By relying on GitLab's mature features, Constantinople enhances development efficiency, reducing toolchain complexity and focusing resources on product innovation.

Constantinople, a startup in the financial services space, is using GitLab’s DevSecOps Platform to incorporate security into their software development lifecycle from the very beginning, while also fostering critical, long-term collaboration across the business.

“Security is a non-negotiable in our industry, and something neither we nor our clients will compromise on,” says Jeremy Smith, Vice President of Engineering at [Constantinople](https://www.cxnpl.com/), which has fewer than 70 employees and is based in Sydney, Australia. “By building in best practices through use of the DevSecOps platform from day zero, we are building a platform with [security baked in](/blog/its-time-to-put-the-sec-in-devsecops/). Trying to retrofit it in the future would not only leave us exposed until then, it also would result in a lesser end product.”

Before diving further into Constantinople’s story, here's a snapshot of what they’re doing and achieving with GitLab:
- They’ve used GitLab to create a cloud-native backend platform, comprising six interconnected services, along with a mobile banking customer app.
- Developers are deploying code 20 to 30 times per day.
- The company is using automation built into the platform for more than a dozen processes, including testing, security scanning, and updating hosted API documentation.
- The platform’s analytics and dashboards are continually displayed on a TV in the office for company-wide visibility.

For Macgregor Duncan, co-founder and co-CEO of Constantinople, it’s all about making sure security is at the forefront of everything they do.

“Our customers entrust us to handle their most sensitive financial data and mission-critical operations. There is no margin for error,” he says. “As a result, we have treated security as a top priority from day one, building it into every aspect of our software lifecycle. GitLab’s DevSecOps Platform has been a key part of ensuring this. And as we continue to scale our business, we are placing more reliance on other platform features, like visibility, measurability, and collaboration.”

## Starting out with a DevSecOps platform
Constantinople delivers fully managed digital banking services to financial institutions. The venture capital-backed business, which was founded in 2022, is building a cloud-native operating platform and operational service software, along with customer-facing applications that each client bank can configure as its own.

By hosting customers directly on their platform and managing all operational aspects for their client banks, Constantinople is looking to radically simplify how banks operate.

All of this is being built with GitLab, using the [DevSecOps](/topics/devsecops/) Platform to create mission-critical software for everything from customer experience to transaction and lending products, digital servicing, and compliance solutions.

For Constantinople, [security](/blog/its-time-to-put-the-sec-in-devsecops/) needs to be part of every aspect of their software lifecycle now so they [don’t have to go back and fix vulnerabilities](/blog/devsecops-platforms-give-smbs-security-muscle/) when it’s more costly and time-consuming. Using GitLab’s DevSecOps Platform from the very beginning has been a key part of their startup strategy. They also want visibility, measurability, and collaboration to be part of their process at the earliest stages of their company.

## Beginning with a security focus
Constantinople, which uses the AWS cloud, is creating software and a multi-tenant platform that a number of banks will use, so strong security must be foundational. Moving security earlier in the software development lifecycle - all the way to the planning stages - is crucial. So is using [automated security testing](/blog/want-faster-releases-your-answer-lies-in-automated-software-testing/) to catch vulnerabilities when they’re created, instead of when software is about to be deployed. [Gaining those abilities](/the-source/security/how-to-strengthen-security-by-applying-devsecops-principles/) inside a single, end-to-end platform is the best way for Constantinople developers to make sure all of this happens.

“Security is always front of mind for all of our developers, especially since we are working within a high-security industry,” says Smith. “A critical part of our secure software lifecycle is making it as easy as possible for developers to build secure code, and make sure any issues are quickly fixed, long before merge and release. By shortening our security feedback cycle, we have both happier developers, and a cleaner and more secure codebase.”

It’s key for Constantinople to not only offer its customers software that is [compliant](/blog/top-5-compliance-features-to-leverage-in-gitlab/) with industry and government regulations, but to ease the process for becoming and remaining compliant.

“Compliance is obviously vital to any business operating within the regulated perimeter, especially financial services,” says Smith. “Automated compliance capabilities in the DevSecOps platform are a key differentiator for us, precisely because it makes the process easy, reliable, and repeatable.”

## Creating an atmosphere of collaboration
The leadership team also is focused on building into their company - in development teams and across the entire business - an [atmosphere of collaboration](/blog/5-ways-collaboration-boosts-productivity-and-your-career/). They don’t want to wait until the number of employees has expanded from tens to hundreds or thousands, and then begin to try to convince people to work together. They want that happening right now, from the very beginning, so the collaboration mentality is part of the Constantinople experience that scales with the company.

“[Collaboration](/blog/6-ways-smbs-can-leverage-the-power-of-a-devops-platform/) is absolutely critical,” says Smith, noting that about 80% of the company is directly responsible for delivering software products. “Without developers being able to collaborate, no complex system could be built because developers would tread on each other's toes and break each other’s work. While the software we build is at the heart of what we do, we’re so much more than just a software provider. With operations, compliance, and a multitude of other functions layered on top of the software, enabling multiple features to work together is key to us.”

He adds, “Having a group of self-driven developers each contributing seamlessly is like seeing a piece of art come together. Collaboration is the difference between a team that works and one that doesn’t.”

## Getting started with GitLab’s platform
Constantinople didn’t want to start with a complicated and costly bunch of DevOps tools strung together into an unwieldy toolchain. Developers and leaders wanted to launch the company using a full DevSecOps platform. They evaluated BitBucket, GitHub, and Snyk, but decided to go with GitLab Ultimate. This was largely because of its feature maturity as well as its [security](/blog/getting-started-with-gitlab-application-security/) and [CI/CD](/topics/ci-cd/) capabilities. Using a single application also means that they aren’t building a toolchain that would have their developers and engineers spending time integrating, updating, and maintaining a plethora of tools, instead of focusing on creating products, according to Smith.

“We’ve been able to do all of our technical tooling within GitLab,” says Smith. “For a startup, especially, using a DevSecOps platform allows us to focus on building our product without all the overhead and risk that comes with trying to manage development and security in isolation. We can maximize the efficiency of, and minimize the rework for, both software and DevOps engineers.”

And it’s working well for the company’s team of developers. Smith notes that everyone surveyed said they either “liked” or “loved” GitLab’s DevSecOps Platform.

> **Next:** GitLab CISO Josh Lemos shares advice for [addressing the root cause of common security frustrations](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/).