DEVK

  • Industry: Insurance
  • Headquarters: Cologne
  • Focus: Auto, liability, accident, property, and life insurance
  • IT environment: Hybrid setup, with large core systems on-premises and individual microservices running in the cloud

This case study is also available in German.

TL;DR

Why it matters

This case shows how organizations with many teams can implement security and compliance requirements consistently by embedding them in shared platforms instead of distributing responsibility across individual teams.

Outcome

  • DEVK now has a centralized view of which vulnerabilities exist in which applications and how ownership is assigned.
  • More than 1,300 applications run through the same automated security process. Relevant updates are applied regularly and systematically.

Business Value

  • Security and compliance no longer need to be interpreted, assessed, and implemented by each development team individually.
  • A standardized container platform for on-premises operations also supports the ongoing cloud migration. The operating environment is designed so teams can move to the cloud step by step without having to rebuild the technical foundation.

Results at a Glance

  • Unified process: 1,300 applications are now automatically scanned for security vulnerabilities
  • Automated updates: 900 applications now receive automated security updates
  • Containerization: 400 applications have been migrated to a standardized runtime environment
  • Central dashboard: Actionable security findings are visible at a glance, without time-consuming manual analysis
  • Clear ownership: Every team now knows which vulnerabilities fall within its area of responsibility
  • Self-sufficiency: Teams now work directly with internal platform teams, without ongoing external support

Challenge: Ensuring Security in an Evolving Software Landscape

DEVK’s application landscape combines purchased and customized software with a large number of in-house developments. Policy management, claims processing, and many other systems are each maintained by their own dedicated teams. In a landscape of this size, the central challenge is clear: how do you maintain visibility into which vulnerabilities affect which applications and ensure that the necessary updates are applied quickly?

Unclear accountability made matters worse. It was often not obvious who was responsible for patching which components, slowing the response to known security issues. At the same time, DORA, the EU’s Digital Operational Resilience Act, increased the urgency. The regulation requires financial institutions to demonstrate effective IT risk management, including the systematic handling of vulnerabilities in their own software.

There was also a strategic dimension: DEVK is pursuing a cloud strategy, but most of its core systems still run on-premises. Modernizing the operating environment was therefore not only a security measure, but also an important step toward gradual cloud adoption.

The objective was to establish a unified process that automatically detects vulnerabilities across applications and ensures relevant updates are applied on a regular basis. This would give DEVK a reliable overview of its security posture and help the organization meet DORA requirements in a structured, auditable way.

Approach: A Paved Path Instead of Isolated Solutions

At its core, the problem was organizational. If every development team has to handle security and compliance requirements on its own, it leaves less capacity for business-critical work. The answer was to embed security and compliance checks into a shared build and deployment pipeline used across teams. Standardizing this process made it possible to handle all applications consistently. Security and license scans now run automatically, without each team having to build and maintain its own solution.

INNOQ began with an analysis phase, including workshops and conversations with around 15 teams to understand how applications were actually built and operated. This created a clear picture of the starting point and laid the foundation for a two-phase strategy.

  • Step 1 focused on the build process. All applications would pass through the same automated process with standardized security checks, regardless of where or how they were operated. For the first time, this gave DEVK a centralized view of which vulnerabilities existed in which applications.
Diagram of Development I/II teams, CI/CD and AWS Cloud, with enabling support for pipeline migration and evolution.
Phase 1: A single, unified build process for all applications, with a dedicated team taking central ownership.
  • Step 2 focused on operations. Limited visibility and unclear ownership had previously slowed the response to vulnerabilities. Containerizing applications introduced a clearer separation of responsibilities. Development teams became responsible for their applications, while platform teams took ownership of the underlying infrastructure. Not every team could move directly to the cloud. Technical dependencies, non-cloud-native architectures, and unresolved compliance questions all stood in the way. The hybrid setup was therefore not a limitation, but a deliberate choice: first standardize the build process, then modernize operations at a pace each team could realistically sustain.
Diagram of org setup: Development I/II teams plus INNOQ enabling team for “Container migration support” and platform evolution.
Phase 2: Containerizing all applications and migrating them to shared operating platforms.

Security and compliance requirements typically affect all teams and are becoming increasingly complex, yet they only contribute indirectly to business goals. These topics are therefore ideal for centralization through platform teams rather than pushing them onto every individual team. This allows development teams to stay focused on their business responsibilities.

Jakob Oswald, Principal Consultant at INNOQ

Implementation: Build Uniformly, Operate Independently

One Standard, Centrally Owned

A newly formed internal team at DEVK took ownership of the new build and deployment standard and drove its adoption across the organization. INNOQ supported the team in designing the migration path, consolidating existing pipelines, defining responsibilities clearly, and structuring collaboration between platform and development teams. The platform team now ensures that security and compliance standards are implemented centrally. Development teams can rely on those standards without having to implement them on their own.

Moving from Reactive to Proactive Updates

Many vulnerabilities do not stem from custom code, but from outdated software dependencies. A new automated mechanism now continuously checks for newer versions and proposes updates directly. Around 900 applications use this approach today. Instead of collecting updates and applying them in large batches, teams now roll them out continuously in small increments. This lowers the risk that an update will introduce unintended issues into existing applications.

Enabling Teams to Operate Independently

A solution only creates lasting value if the teams using it every day can work with it independently. INNOQ therefore supported not only the technical implementation, but also each team’s migration journey through workshops, hands-on enablement, and practical day-to-day support. This support was tailored to each team’s situation, ranging from targeted knowledge transfer to selective implementation support that freed teams to stay focused on business priorities. The goal was clear: teams should be able to continue without external support once the project was complete.

Because the migration ran alongside day-to-day operations, transparent progress tracking was essential. INNOQ introduced automated reporting that captures the migration status of all applications on a daily basis. This made it possible to see at any time which teams still needed support and where the next steps were required.

Technology & Enablement: Foundation for the Next Step

CI/CD architecture: Renovate and GitLab build pipeline publish to Nexus Repository, deploy to on‑prem Docker/Linux and AWS Kubernetes with secrets management.
Unified build pipeline for on-premises and cloud operations: security and quality scans run automatically across all applications, with vulnerabilities centrally visible.

One principle guided the technology choices: create a standardized, future-proof solution that works across application types and operating environments. The selected tools are established, widely adopted, and well suited for long-term independent operation by DEVK.

From the beginning, the solution was designed to support ongoing cloud migration. Both on-premises and cloud environments were built on the same technical foundation. As a result, moving to the cloud became an operational decision for each team rather than a major technical hurdle.

Previously, information about applications, infrastructure, and security status had been fragmented across multiple systems and teams. Together with DEVK’s platform team, INNOQ developed automation that consolidates and links this information. A role-based dashboard now makes it accessible to all relevant stakeholders and shows at a glance which vulnerabilities exist in which applications and where action is needed most urgently. Development and operations teams now work from the same shared view of the landscape.
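As an added illustration of the shared build pipeline described in this section (not DEVK's or INNOQ's actual configuration), here is how a platform-owned GitLab CI template can wire GitLab's SAST, dependency-scanning and container-scanning templates into every application build, together with the few lines an application repository needs to opt in. The project path `platform/ci-templates`, the template file name and the `claims-service` application name are assumed placeholders; the Renovate update mechanism runs as a separate scheduled job and is not shown.

```yaml
# File 1: templates/paved-path.yml in the platform team's project (assumed path "platform/ci-templates").
# Every application that includes this file gets the same scans without maintaining them itself.
include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of the team's own code
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable third-party dependencies
  - template: Security/Container-Scanning.gitlab-ci.yml   # OS and package CVEs inside the built image

stages: [build, test, deploy]   # GitLab's scanning jobs run in the "test" stage by default

variables:
  # The application repository only sets APP_NAME; everything else is derived here.
  IMAGE: "$CI_REGISTRY_IMAGE/$APP_NAME:$CI_COMMIT_SHORT_SHA"
  CS_IMAGE: "$IMAGE"            # tells the container_scanning job which image to analyse

build-image:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker build -t "$IMAGE" .
    # Registry credentials come from protected CI variables, never from the repository.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$IMAGE"

# Scan results are uploaded as GitLab security reports, so the platform team sees
# findings for all applications centrally instead of each team parsing scanner output.
container_scanning:
  # The template defaults to allow_failure: true; override it so a scanner error
  # (for example, an image that could not be pulled) blocks the pipeline instead of
  # silently producing no report.
  allow_failure: false

# File 2: .gitlab-ci.yml in an application repository ("claims-service" is a constructed example).
# The team sets nothing but its name; scans, stages and image naming come from the template.
#
# include:
#   - project: platform/ci-templates
#     ref: main
#     file: /templates/paved-path.yml
# variables:
#   APP_NAME: claims-service
```

Because the template is referenced by `ref: main`, a change the platform team merges takes effect in every application's next pipeline, which is what makes the security checks a single centrally owned standard.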

INNOQ delivers excellence at multiple levels, from training and implementation to supporting our staff in day-to-day execution. The expertise they bring is exceptional.

Michael Höfinghoff, Head of IT Department, DEVK

Conclusion

DEVK now has a reliable, up-to-date overview of vulnerabilities across its application landscape and can address them systematically. Development teams can focus on insurance business functionality, while ownership for infrastructure and platform-related issues is clearly defined. By consolidating its hybrid environment around shared technologies and operating principles, DEVK was able to implement security and compliance requirements quickly across all applications, without first having to complete a full cloud migration. At the same time, the organization moved significantly closer to its long-term goal of expanding cloud operations.

This progress was made possible by a clear strategic decision: to centralize security and compliance requirements within shared platforms and place ownership with dedicated platform teams, instead of distributing responsibility across every individual development team. INNOQ supported DEVK in building the platforms, teams, and processes needed to make this work, with the explicit goal of enabling long-term independent operation. Today, DEVK’s internal platform teams fully own and continue to evolve the solution. The project shows that even in large, long-established software landscapes, organizations can introduce consistent standards incrementally and successfully, while ongoing development and operations continue uninterrupted.
