 Yeah, my name is Jihai, I'm quite happy to be invited to join this conference to share my experience on DevOps. Today, the topic is implementation of DevOps C-crops in large global banks. Okay, so here's the content for my presentation. Firstly, I will introduce myself. Next, I will give you some background about DevOps C-crops. The third one, I will talk about the DevOps C-crops current status and also the challenge to implement the DevOps C-crops. The next one, I will also show some like DevOps C-crops tools, especially for the source, DAS, and S. Finally, I will share my experience, how to implement the DevOps C-crops in HIPC Bank, and also how to establish the culture over there. Okay, here's me. So actually, I graduated from Imperial College London as a PhD, probably more than 10 years ago. Yeah, and actually my major was the mobile communications, so it's like the mobile communications. My research was 4G before, but now you know it's a 5G word, now it's all 5G. So yeah, and then when I finished my study and started working in the banks, such as like RBS, UBS, Barclays, and HIPC. I started to work on DevOps work in Barclays since 2012 and then joined HIPC in 2016 and transferred to China office from London office to China office in 2018 and started to lead the DevOps transformation in China. And in the last year, I started to join Tencent as a senior DevOps architect. So yes, here's my background. Okay, DevOps C-crops. I believe many people probably know DevOps already, but maybe not many people, very few people know what is a DevOps C-crops. In one word, you know, DevOps C-crops is the DevOps plus cybersecurity. Yeah, so why we need the cybersecurity in the DevOps? Okay, so let's start from like, what is a DevOps C-crops? Actually, this term was created quite a long time ago. Originally, it was called DevOps C-crops. I heard about that, you know, probably that two reason people change the name to DevOps C-crops. So the one reason is, you know, the short name for the DevOps C-c is DOS. You know, there's another network attack called DDoS, so it's very similar to this name. So in order to not to have duplicate names, you know, people start to change the name to DevOps C-crops. Another reason I heard about that is, you know, the DevOps C-c. It's still followed a traditional way for the cybersecurity, which means we do the DevOps first and then operations. And finally, before you release to the production, they do the cybersecurity assessment. So in order to have something new, you know, people put the security in the middle, which means the cybersecurity should cover the whole DevOps process. You know, similar to this figure on the page, you know, it's easy to see, you know, the cybersecurity should cover the whole DevOps process. And the main purpose for DevOps C-cops is to shift left the cybersecurity to the development areas. Yeah, so very similar to our DevOps, you know, we shift left the testing, we shift left the operations. So for DevOps C-cops, we shift left the cybersecurity. And it's able to, for everyone, you know, you try to get everyone to respond for the cybersecurity, not only the cybersecurity department. Okay. So now, you know, let's go back to why we need DevOps C-cops, why we need to do this, right? You know, here I use one example, you know, try to explain why we need the DevOps C-cops. So there's one figure on the top, and you know, this is just one example, you know, it's just one example. So on top, so we can see there's a traditional development process. So for, it takes like three weeks for the whole development process, like we gather the requirements, we do the design, we do the coding, we do the testing. So finally, it's ready to be related to the production. Yeah. And also, and then before we release to the production, it takes like one week for the cybersecurity assessment. Yeah. Okay, so by doing the DevOps, I will try to reduce the development process by using probably the automations or microservice or agile methodologies, you know, whatever, you know, we try to use a different way, you know, to reduce the whole development process. So for example, for the figure in the middle, you can see, I will reduce three weeks into one week. So we'll make it faster. Yeah. But the original DevOps, it didn't consider the cybersecurity. So for the cybersecurity assessment is still one week. So you can see, you know, it's easy to know it's easy to see the bottleneck, but the whole the delivery delivery process. Yeah, so it's easy to see the bottleneck. So you know the whole purpose for that will see cops now, they try to, they try to further reduce the whole process, you know, by reducing, you know, this period of cybersecurity assessment. So like the figure on the third figure. So we try to reduce the set, the cybersecurity assessment to further reduce the whole, the whole process to make the faster. Okay, so I think this, this, this example, you know, I hope you can easily understand why we need the devil C cops, you know, from this example. Okay, so next one, let's see the benefit. I think the first one, we have to talk about this already from this example, you know, by using by implement, you know, implementing the devil C cops is to make the faster, make it the whole process faster. Right. So the benefit control risk. What does it mean. Originally, you know, we, for the team, they rely on the separate security team or separate secret department to do the separate secret assessment. So they rely on the vulnerabilities. Yeah, before you release, release to the production. But by doing the several devil C cops, the developer and also the tester can also found the vulnerabilities earlier. Yeah, so, so we can see like, you know, it's under control, but under control by the developer and tester is not only rely on the separate security teams. So the third one is cost of saving. What does that mean. So it means like, you know, when you find this vulnerabilities late, late, late stage, for example, traditionally, before release to the production, if you found the vulnerability at this stage. Yeah. So you have to be feedback to developer, but developer to fix these vulnerabilities. And then you have to go through the whole process again. Yeah. And if you find what abilities again, you have to feedback, fix the problem again, and, and go through the whole process again. So you can see, like, you know, if you can, if you can find the vulnerabilities earlier at early stage, not the late stage. For example, we found the vulnerabilities at the coding stage, or at testing stage, and then, you know, for developer to fix the problem earlier. Then we don't have to go back. Right. So this means, you know, we can see the cost. Okay, so, you know, there's too many benefits. You know, I'm the only least of the three key points, you know, people benefit. We can, we can get from the devil C cops. So the next one, I will talk about some like devil C cops, current status, and also is the challenge. There's the one devil C cops community in Singapore, it published the devil C cops reports every year since 2017. So now, you know, the data and show here is many come from this report. It show shows like this devil C cops activities, mainly come from like the technology and the financial industry. Yeah, so you know, for these two area is the is covered like almost half of the devil C cops activities, which means there's a much deep, just much demand for off the devil C cops from the technology and the, and the financial industry. Okay, next one, this figure is where it's very interesting. When I did DevOps before, many people asked me one questions. You know, they asked me like, you know, you guys put that one up together. You know, so what was the, what's the most reasonable and the best number, the best ratio between the developer and the operations guy. To be honest, you know, there's no right answer for this. Yeah. And now, you know, when I'm working on the devil C cops, people still asking the same question, you know, what was the reasonable and probably better ratio between developer operation and the separate guy. Yeah, to be honest, I don't know the right answer. Yeah, and I don't also don't believe that the right answer. But in the, in the reports, I think based on research, they give, I think they give some reference. So here is a number that give to us. For example, if there are 100 developers, they're probably like 10 operations and only only one, several security guard. Yeah. So it means like, you know, normally in the company, then that there are not too many separate people, or it means it's a lack of separate great people. The first time I saw this number. I'm trying to find the same situation. And finally, I found it's even one is even worse number. So that there are like 200 developers in hibc with only one separate security guy. So like 200 to one. Yeah, so you can see like, actually hibc we are lack of separate people. So based on this, actually, I even have some some thoughts myself. You know, for like, I'm probably thinking I'm thinking like my keys grow up. I probably will ask him to learn the separate security. Yeah, probably to go to college to learn separate security, because you know, there are not many people working on this. Maybe it's easy to find a job. Yeah, just kidding. Yeah. Okay, so the next figure is also quite interesting. Actually, it's a show like many people believe separate security is important. But it's probably only half of people do something. Yeah, people, you know, it's a still, it's still only like a basic kind of work. So talking your people only talk about the separate security but not not many people working on that to be honest, I think in the real world in the practical practical work. The number probably is much even lower than this. Yeah. So this, this figure show like, you know, the most popular they will see called choose, you know, be used in the company, like a web application firewall, container and image separate tools, open source tools. I think currently it's become more and more popular. Yeah. So static application tools. This is mainly used for the source code and also dynamic application tools. So I will later I will talk about tools in details and I will share more information, you know, how we use the tools to implement that was a cop. Okay, the challenge. Similar to DevOps, you know, for that was a cops and feel it's probably even harder to implement that was a cop. Yeah, because the separate separate security is too far away from the business. It's too far away from business. Yeah, sometimes you know before, when the DevOps, you know, not too many people don't, you know, don't care about this. You know, people only care about delivery, the business delivery, but now even for that was a cop. I think it's even harder for that was a cop. Yeah. Okay, I think the challenge, mainly come from two area. So one is the technical challenge. So, because the Delta C cops is very new concept. So far, they are not too many product available on the market. It's not many tools or technologies for the Delta C cops on the market. Also, it's even for the existing tools or existing products for Delta C cops is still not a metro enough. For example, for the scanning results, you know, the result is not accurate enough. So, so for this is this area, the technology or these tools are still not not too much metro. Okay. This is taking technical challenge. But, but I'm basically my experience, you know, the muscle challenge actually come from the people come from the culture. What I mean, you know, most of the people, especially for the developer. Many developers, you know, they don't believe the cyber security is their job. You know, they believe, you know, the cyber security is a security department job. It's not that, you know, for developers, they only need to focus on coding. Yeah, I think it's a, you know, it's a traditional way, you know, people only believe developer only working on on the coding. But even for the people, you know, who have this mindset already for the developer. They believe the cyber security important. Sometimes they found they probably don't have enough knowledge or skills into fix these vulnerabilities. Yeah, this is another problem. Also, another big problem, I think currently for Delta C cops is from the senior management, you know, similar to the DevOps, when we try to promote the DevOps in the company. It's the best method is from top to down. It's from top to down. Yeah, if your senior management to support the DevOps, you know, it will be easy, you know, to implement or promote the DevOps across the whole company. Yeah, similar to that will see cops, because, again, many people, many senior management, they more care about the business, the business delivery. So, again, like I mentioned already, the separate security that too far away from the business. So not not too many senior management, you know, they have the mindset, you know, regarding, you know, we need to focus on the cyber security, we need to introduce separate security into our DevOps process. So, you know, this is not a key challenge, you know, we need to convince the senior management first, you know, and then will be easy to promote and implement the service, the devil sick cops. Okay, but let's take one example from, you know, my, my, my example, you know, like I mentioned, I started to do the devil sick cops in 2018. I think probably in July or August. It's my first time to present, you know, to share this devil sick cop in the senior management board. You know, I talked to, you know, I think at the moment of the more than 20 senior management in the meeting and share is on, you know, the devil sick cops. I still remember like, you know, two years ago that the only one city manager. He supported my idea. Yeah, one out of 20, only one support my doc cops idea. Yeah. So this is our challenge. And later, after half a year, you know, during the half a year and try to, you know, do some pallets to get some pallets to do to do the doc cops. And then we get some achievement from this parallel teams. And finally, I remember in January 2019. My, this is my second time to share this devil sick cops in the senior management teams. So at the moment, because we got some achievement already. Yeah. And it's probably easy to convince the senior management. So I still remember at the moment, almost half, almost half of the senior management, you know, they support my idea. They have interesting in the devil sick cops. And later, this year, 2020, you know, for the whole HBC, the devil sick of become the top one, you know, high priority, you know, the work, you know, people need to start to implement in their department. So you can see, you know, gradually, you know, we, we, we try to implement doc cops. And also the senior management is very important for the whole, you know, devil sick calls implementation. Okay. Next, I will probably talk about the devil sick of tools, which is very important, because, you know, for DevOps, or devil sick cops, and still believe, you know, the forces, the step to implement the tool first, and then probably the people and culture. Okay, for devil sick of tools. It's a man. It's normally we classify them into four different category. So the static is applications that security testing tools, which means is the many first on the source code is kind of source code based on the rules. And I find that the code don't follow this set of security rules. Yeah, like sequel injection, something like that. The second one is a dynamic application security testing tools. For this kind of tools, they try to follow the hacker behavior. So the hacker behavior, try to attack your website, attack your interface, you know, try to get something they want, for example, your username or password. Yeah, so this one is similar to your testing case. You need to produce some tests. So some, you'll need to produce some security testing case. Yeah, to simulate the hacker behavior. Okay, the third one is the interactive applications security testing. This one is is install some agent, your applications, or your proxy proxy. Yeah, when your application is running, they try to capture some data. And try to do some analysis to see whether or not there's a vulnerabilities or threat in your application. Okay, the last one is for the open source security tools. So you know when we do the coding or when we try to release some products, we sometimes we need to introduce some third party library, third party tools, or third party package or third party plug-in. So how we can guarantee, you know, the library or tools from third party, they are security enough. Yeah, so this is the reason why we needed to scan for this kind of work. Okay, so let's talk about this tool in details. You can see from this figure, we try to, you know, measure the different tools from different angle. For the SAS, there's a static application security testing tool, we call SAS. For the SAS, it's like the white box. Yeah, like I mentioned already, it scans the source code. Yeah. So for this kind of tool, it's easy to find, to discover the vulnerabilities. And also, it's kind of easy to track the source, like which level code resulting in just the vulnerabilities. Yeah. And also for this tool, it's easy to be accept by the developer, because it's a coding basic. Yeah, it's because it's meant about source code. However, the disadvantage for this tool is it has very high false positive rates. Yeah, so because this is a disadvantage, normally people have to spend time to review the results. To see how accurate the result it is. Yeah, and this will result in, you know, much labor cost, because people have to review this. Also, the scan speed will become slower when your coding, your line of code is increased. Yeah. And finally, this tool, it needs to support different language. Yeah, so also make it more complex. Okay, the next tool is we call does, like I mentioned already, you know, this is, this is try to simulate the high court behavior. Yeah, so it's black box. Yeah. And this tools has a large testing coverage, and also be able to do the business, the business of one bit logic, the business logical scanning. And also it has lower false positive rate. Yeah, but the disadvantage 42. It's also, it's not it's also a lot because as I mentioned already, this is similar to a testing case, you'll need to produce your security testing case to simulate the hacker behavior. So this will require, you know, the people, you know, the professional cybersecurity knowledge and skills for you to be able to produce this security testing case. Yeah, so, so this is not easy. And also, it's not easy because it's black box. This is not easy to discover the wall and beta source. So we know the problem, but we don't know why I call this problem. And finally, these two also bring a lot of dirty data. So sometimes you have to clean the data, your database. Yeah. Okay, the next one is a interactive application security testing tool, we normally call as asked. So this is, this is what we call like green box, the before is white box black box. This one called green box. So like I mentioned already to use some agent and proxy to analyze the data in a system. But these two is also easy and fast to find your vulnerabilities. Yeah, and also has a very, very, very low false positive rates, and also easy to track the one beta source. So 1342. It's not a march. For example, like when when the agent is upgrade or is updated. So the web server also need to reboot. Yeah, so this will result in like a bit higher the deployment cost. Also, for the S. So we can't do the business logical one British scanning. So, you know, I try to, you know, to share the tool, you know, try to find more, you know, what was a good 42 and what's the negative 42. So people can, you know, you can compare the different to to see, you know, which one is is good for your scenario. Okay, here is the tools for the different tools, you know, available on the market. And the first, the most popular one, you know, just based on my my experience is check marks and 45. Also, we have the IBM app scan for the dots and as this tool called HP web inspect. And also there's a one open source to call all one step. Contrast is a one as to on the market. There's a one called so not have actual server. And another one called jfrog extreme I didn't list here. There's a one called dependence check, which is the open source to from all of us. Okay, and the thought is a separate as the DLC called choose currently is a mainly first on the two stage. So, so like the sauce and the false tool. One for the coding stage. Yeah. One for the source code one for a third party, like whatever library or all this tools. And for the dust and s is mainly first on the testing stage. Yeah, like I mentioned already is a try to you produce a security testing case to simulate hacker behavior. So you use the agent and proxy, you know, to capture the data to analyze the vulnerabilities. Okay. Finally, I'm probably share, you know, how we implement the DLC cops in HSBC and also how we establish the culture over there. So before, you know, we cover more background, the challenge and also choose now let's see some, some, some example, some keys. Okay, firstly, we set up some model. You know, for the DLC cops, the one we call it is called implementation model. It's quite easy. The first phase is to implement the separate tools. So like we mentioned before, the truth we mentioned before, we introduce them to like checkmarks. So let's have several, you know, try to integrate integrated tools into our city pipeline to automate the process. Yeah, for any tool we introduce here, you know, all of them need to be automated. Yeah, and for developer and tester, you know, they only see the results only see the dashboard or the result from dashboard or the reported reports. So the second phase, you know, we, we try to probably some training for people to, you know, just to establish the mind side, establish the knowledge. Yeah, so we, we use three different methods, like it's a study material in the tools. And also, we also probably some online training costs and online training games, I call security call worry, I will talk about it later. And also the separate department probably the separate like consultancy to help the team to use the tools and also try to fix the box. And finally, you know, by using the tools to discover discover the vulnerabilities and by probably training, you know, for people to have enough knowledge to fix the vulnerabilities. And then we try to, you know, to set up, you know, some kind of produce some kind of separate experts or we call separate champion in the team. Yeah. So this is the implementation model and the final goal is trying to produce some, some separate champion or separate experts. Yeah, so we have a different role in this model. So the devil's secret champion. This role we try to bring the separate secret department and the development team together. And to, there's one word I try to make this happen. Yeah, to make this happen similar to the project manager doesn't make it happen. Yeah. And for the separate secret team, you know, on the right, like I mentioned before, they probably the tools, they probably the training, and they also probably consultancy, try to help the development teams, you know, to, to get this they'll seek off skills. And the, the final date, the development teams, you know, when they try to use the tools, when they try to get the training. Yeah, in their projects in the real projects. So with the time. So, you know, they tried, I think they get to use about this, the devil's secret concept. And so, you know, we try to make this happen, make the devil's secret happen in each ABC. Okay, so this is one example, like I mentioned before, we need to integrate the, the, the seven devil's secrets tools into our safety pipeline to automate the process. But here's an example, you know, we integrate the check marks, which is one starts to into a Jenkins to automate the process. And first, the first step, you need to install a check mark scheme plugin. Yeah, so once you install the plugin, there's two different methods that you can, you can automate the process one or use a traditional way, the free scale jobs. So once you install the plugin, you can find that there's one additional tab in the build section called it's cute a check mark scan. You select this, this option, and then you fill the form, you configure this form by input like the check marks server URL, the credential information, and also your source code location, something like that. So this, you feel it when you finish the configuration, you can trigger this job. Yeah, another another way you can use what they call a pipeline as a code. So you use this code, you know, to to configure the whole process. Yeah. So there's two different way you know is a thing. Finally, we will trigger this job will trigger this pipeline. It will scan the code. Yeah, it will trigger the check mark to scan the code. And finally, the producer reports, similar to the figure on the on the right, bottom right, you can see, you know, do you find the vulnerabilities from different level. Okay. So next one is a, is a tool we used before called check marks on the top, you can see that the one figure is classified vulnerabilities into three different category, like high level vulnerabilities, media level vulnerabilities and low level vulnerabilities. Normally, the rules we deal with the different vulnerabilities is if you have any, any high level vulnerabilities, you'll need to fix this before you release to the production. Yeah, so before you release the production, you have to fix all high level vulnerabilities. Yeah, no argument. Yeah, that's all of them. And also for the media level vulnerabilities, we normally give a team a certain time, for example, like a one month. Yeah, so you can release to the production, but within one month, you'll have to fix all these media level vulnerabilities. Okay. And for the low level vulnerabilities, we normally, you know, consider this as a technical debt, the technical debt. So which means, you know, when you have time, when you have free resource, then you can start to reduce this low level vulnerabilities. Yeah. Okay. And on the left of it, you can see another figure, which means, you know, from this tool, you can easily to find which line of code, which line of your code, you know, resulting in these vulnerabilities. So I think it's very good to, you know, you can track the source of these vulnerabilities. Okay, similar another tool called Sona type echo server, you know, this is for the third party, you know, open source, like the open source tool scan. So it's also similar to classify this, this vulnerabilities into three different category, and also is even scan the lessons, you know, to see whether or not it's out of date. Okay, so these are, these are two tools like a checker mouse and the Sona type echo server we introduce we use in HPC at the coding stage and also for the source code, and also for this third party, the third party library and and tools. So here are some training we probably for people. The first one is the train, the study tutorial in the tools for them in the check marks. So for this example, you know, if you click on the question mark, it will show you some information. For example, like what's the risk for this vulnerabilities, and what causes the vulnerabilities, and even give you some example, how you fix this vulnerabilities. Yeah. So this I think this is a set of material from tools. It's very useful for developer, you know, when they scan scan their code when they found their vulnerabilities, then they just just need to follow the example to easily fix the vulnerabilities. Yeah. Oh, sorry. Okay, we also probably some online training costs for the devil sick of training. As I remember, as we had, I think, more than 50 courses. Yeah, and it's for different roles that for the number for business analyst for developers for architect for tester, something like that. And also we have it had different level of the causes. Yeah, so people can learn the knowledge, not the devil sick of knowledge for this online training costs. Also, we, we probably an online training platform, a call security call warrior. This is a very, quite interesting tools. It's a try to, how to say, produce a story, produce a story and then behind the story. It's try to teach you and let you to to learn the separate knowledge. For example, in this case, it's so like, there's some hacker from do to attack the people or server in the UK. And I know this story. The hacker probably go through this from some code. And then, you know, you ask you to see, you know, what's the one baited from this code. And you know, you can see on the left. There's some options you can, you can select. So by using this, just just a platform, I think probably. It's easy. And also, it's not, it's not boring, you know, for people to learn this. Okay. You know, before we talk about to, we talk about, you know, this, the online training causes. You know, just for the people to learn the skills. You know, in order to establish the culture in the company, how people to have more awareness about the cybersecurity. We also, you know, produce some like, like events. Like security coding competition. Yeah. So we, we launched this in the office and also in China office last year. Yeah. So the whole purpose is for people, you know, to have strong awareness about security. Yeah. As you remember, last year, you know, as I remember, we have more than 100 developers to join this game. So, you know, to answer the questions to, to, to, to, I think the, the business is this platform. Yeah. And you try to answer more questions and to get high mark to win game. Okay. So finally, this is our majority model. What does it mean? And, you know, before, I'm not sure you still remember, you know, I'll show you one example why we need to see cops. You know, you'll remember, you know, the traditional way they will see cops, they will see cops, we know why we need to see cops. But finally, we need we need to get a benefit for the teams by further reduce this a separate assessment. Right. So how do this, you know, before we talk about we introduce tools to find the vulnerabilities, we probably training for people to have enough knowledge and the skills to fix the right at coding and testing stage, but how we can reduce the separate assessment. Yeah. If you don't reduce this, this period, you know, people don't get benefit from this. Right. So this, this, this is the reason why we need this. They'll see cops my trial model. So here's just one, one simple example and show here. Actually, the documents, the document for this my trial model, as I remember is more than 30 pages. Yeah, it's had a very much detailed information in documents to show, you know, which level for the level one, which condition you need to meet level two, which connection me here I just give you one simple example. You know, to show how you meet, how you meet the different level. Yeah. And finally, this is how we run this they'll seek off the whole devil sick of skin in the hibc, like I mentioned already, we probably the tools we probably training. Yeah, for people to get knowledge. Yeah. So how we define are they will seek off teams. Yeah, so one if your team is a is a measure to become a devil sick of some teams. Then the cyber security teams will reduce the cyber security assessment, probably like, for example, from five days from one week, like file working days to two working days or three working days because they believe you have done some cyber secret job in the coding and testing area, but they can trust you, you know, that they don't have to do too much work at cyber security assessment. Yeah. So how we measure, you know, your maturity model. Normally, we have to condition for a team to be defined as a devil sick of team. So one condition is all the people in the team, you know, all the people in the team, they need to pass level one. For all the people, which means all the developers, all the testers, they need to study the fundamental, the fundamental cyber security knowledge, or they need to know how to use the separate to separate tools at fundamental level. Yeah. So, if you have a basic level, when they coding, which produce a code, I think they have to have more avenues, you know, to award just one of it is. And also, when they try to, when they use the two of the final one of it is at least they have the basic level to fix the one of it is. So it, the first condition required all the people in the team, they need to have the fundamental skills. Okay. This is a conditional one. The second condition is at least in the team in the team at least you need to have one, at least one people need to pass level three. Which means you'll need to have at least one people to be recognized as several secret champion or several secret experts in your team. So this guy, when, when the team from the one of it is, and, and other people can't fix the one of it is. So is this this guy job to help team to fix this one of it is to become it become the expert in the team. Right. So if you meet these two condition, all the people pass the level one, at least one guy pass level three, then we recognize your team is the devil sick cop team. So if you are recognized as devil sick cop team, and basically your level, your maturity level, the several secret department or separate team will reduce. You know, the separate assessment I mentioned before, you know, this is in the example, this is one week separate assessment. Based on your maturity model. Yeah, it was based on your maturity level. Yeah. Okay, I hope you understand what I'm talking about. Yeah, so this is how it works. You know, in HIPC. So like I mentioned, we introduced tools to find the vulnerabilities. We probably training for people to have enough skills and knowledge to fix the vulnerabilities and also to produce experts in the team. Finally, you know, we try we use this a maturity model to measure your team. So all your people, all the people in the team, they need to pass level one, at least the one people need to pass level three. So once you've done this, we recognize you, you are devil sick cop teams. Yeah. And also, based on your devil sick cop maturity level, the devil sick at the separate secret department will try to reduce the separate security assessment period. Even probably to zero days to make it all faster. Yeah, so I hope you understand the logical behind this, you know, this is the hallway implement devil sick calls and how to get people, you know, to benefit from this. I think that's all my my predictions. I hope you, you know, you learn something from this. And if you have any questions, you're free to ask me. Okay, thank you.