“Compliance is not a checklist — it’s a mindset.”
As 2026 approaches, the Turkish banking sector faces a massive cultural shift.
The BDDK's Regulation on Banks’ Information Systems and Electronic Banking Services now demands security by design — not by accident.

Two key approaches make this possible:

- Secure by Design
- DevSecOps
## What Is Secure by Design?
Secure by Design means building security into systems from day one — not bolting it on at the end.
No more “we’ll test later” culture.
It aligns directly with:

- Article 20: Secure software development
- Article 25: Information security management

**Example:** If a mobile banking app is designed with encryption, authentication, and data access policies at its core — compliance follows naturally.
## Why DevSecOps Matters
DevSecOps integrates security into every step of the CI/CD pipeline.
Through:

- Static and dynamic code analysis
- Automated vulnerability scans
- Continuous monitoring
Security becomes invisible but constant.
**BDDK Alignment:**

- Article 22: Change management automation
- Article 23: Continuous testing and traceability
- Article 25: Security as a team culture
## Recommended Trainings for Compliance
| Training | Regulation Article | Focus Area |
|---|---|---|
| Secure by Design Training | 20, 25 | Secure architecture, OWASP, AI & LLM risks |
| DevSecOps Training | 22, 23 | CI/CD security, automation, IaC |
| Application Security for Developers | 20–23 | STRIDE, threat modeling, secure coding |
| Certified Java and Web Application Security | 20 | Java, Spring, Log4Shell prevention |
| Certified C# and Web Application Security | 20 | .NET, OWASP Top 10, XSS/CSRF defense |
| Programming Foundations | 20 | Secure coding fundamentals |
## Real-World Case
A major financial institution deployed new code without security gates.
A single insecure YAML file exposed credentials in a DevOps pipeline.
After BDDK inspection, remediation included automated scans, training, and full DevSecOps adoption.
Result: zero incidents since implementation.
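As an added example (not from the original post and not Bilginc's own material), here is the kind of automated security gate the DevSecOps section calls for, applied to the failure in the case above: a Python check that scans a CI/CD pipeline YAML file for hard-coded credentials and blocks the change when any are found, with the insecure file shown beside its hardened form. Both pipeline files, every key name and every value are constructed for this illustration, and the rule set is illustrative rather than a complete secret scanner.

```python
"""Pre-merge secret gate for CI/CD pipeline YAML (added example, not from the page)."""
import re
from dataclasses import dataclass

# Constructed sample: the kind of pipeline file the case study describes.
# Every value below is a made-up placeholder, not a real credential.
INSECURE_PIPELINE = """\
stages:
  - deploy
deploy:
  stage: deploy
  variables:
    DB_HOST: db.internal.example
    DB_PASSWORD: "Pr0d-Passw0rd-PLACEHOLDER"
    API_TOKEN: 'tok_PLACEHOLDER_0123456789'
  script:
    - ./deploy.sh --password Pr0d-Passw0rd-PLACEHOLDER
"""

# Hardened version: literals replaced by references to the CI secret store,
# so the file in version control never carries the credential itself.
HARDENED_PIPELINE = """\
stages:
  - deploy
deploy:
  stage: deploy
  variables:
    DB_HOST: db.internal.example
    DB_PASSWORD: $DB_PASSWORD          # injected as a masked CI variable
    API_TOKEN: ${API_TOKEN}
  script:
    - ./deploy.sh --password "$DB_PASSWORD"
"""

# Key names that normally hold secrets (illustrative list, case-insensitive).
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd|phrase)?|secret|token|api[_-]?key|private[_-]?key|credential)", re.I
)
# "key: value" lines, optionally as a list item.
KEY_VALUE = re.compile(r"^\s*-?\s*([A-Za-z0-9_.\-]+)\s*:\s*(.*?)\s*$")
# Secrets passed as command-line flags inside script steps.
CLI_SECRET = re.compile(r"--(password|token|secret|api[_-]?key)(?:=|\s+)(\S+)", re.I)
# Values that reference an external variable/secret store rather than a literal:
#   $NAME, ${NAME}, $(NAME), ${{ secrets.NAME }}, {{ vault.path }}
REFERENCE = re.compile(r"^(\$\{?\(?[A-Za-z_]|\$\{\{|\{\{)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    reason: str


def _strip_quotes(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def scan_pipeline(text: str) -> list[Finding]:
    """Return one Finding per literal credential found in the pipeline text."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop trailing comments ("#" at line start or after whitespace only,
        # so a "#" inside a quoted value is kept).
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].rstrip()
        if not line.strip():
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1), _strip_quotes(m.group(2).strip())
            if value and SENSITIVE_KEY.search(key) and not REFERENCE.match(value):
                findings.append(Finding(line_no, key, "literal value under a sensitive key"))
        for flag, value in CLI_SECRET.findall(line):
            if not REFERENCE.match(_strip_quotes(value)):
                findings.append(Finding(line_no, f"--{flag}", "literal secret passed on a command line"))
    return findings


def gate_passes(text: str) -> bool:
    """Security gate: the change is allowed through only when nothing was found."""
    return not scan_pipeline(text)


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_PIPELINE), ("hardened", HARDENED_PIPELINE)):
        result = scan_pipeline(text)
        print(f"{name}: gate {'PASSED' if not result else 'BLOCKED'}")
        for f in result:
            print(f"  line {f.line_no}: {f.key}: {f.reason}")
```

Run as a pipeline step, a non-empty result fails the job, which is the "security gate" the case study says was missing. The reference check is what lets the hardened file through: the credential is still used at deploy time, but it is supplied by the CI secret store as a masked variable instead of living in the repository, which also gives auditors the traceability Article 23 asks for.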
## Expert Insight
“DevSecOps isn’t a toolset, it’s a cultural reset.
Secure by Design is the philosophy that powers it.”
— Bilginc Cyber Security Instructor
## FAQ

**Is Secure by Design required by law?**
Yes, Article 20 mandates secure development and design principles.

**Does DevSecOps require specific tools?**
No. Jenkins, GitLab, or Azure DevOps — the key is security integration.

**Are trainings mandatory for developers?**
Yes, BDDK auditors request training evidence during inspections.

**Where should we start?**
Start with Secure by Design and DevSecOps trainings.
## Compliance Through Culture

When security becomes part of your design and development DNA, compliance stops being a task — it becomes your default state.
Build securely, and compliance follows.