By Steve Lipner, Executive Director, SAFECode

Today, we joined the Cloud Security Alliance (CSA) in releasing a new framework for thinking about DevSecOps in a cloud environment. The paper, “The Six Pillars of DevSecOps: Achieving Reflexive Security through Integration of Security, Development and Operations,” defines six focus areas critical to implementing and integrating DevSecOps into an organization.

DevSecOps addresses many of the security and operations challenges of today’s modern iterative development approaches. Succinctly defined as the “integration of continuous security principles, processes, and technologies into DevOps culture, practices, and workflows,” DevSecOps has emerged as a way for organizations to adapt their security practices to a more interconnected and rapidly changing security environment with increasingly shortened infrastructure and product life cycles. More than just another checklist of security best practices, DevSecOps provides a holistic framework that bridges the traditionally siloed operations of software development, infrastructure operations, and information technology with controlled processes that facilitate the development of secure software.

A key principle guiding SAFECode’s work has always been our belief that secure software development can only be achieved with an organizational commitment and a holistic assurance process. A mature secure development lifecycle (SDL) not only includes secure development practices but also encompasses all aspects of a healthy business process, such as program management, stakeholder engagement, deployment planning, program measurement, and continuous improvement. In fact, we highlight many of these aspects of SDL planning and implementation in the third and most recent edition of our flagship publication, Fundamental Practices for Secure Software Development.

At its core, CSA’s DevSecOps project is the application of many of these principles to the uniquely challenging world of DevOps in a cloud-first environment. Today’s paper is the first step in a larger effort and provides a high-level overview of the six focus areas the DevSecOps Working Group identified as critical to integrating DevSecOps into an organization’s operations, as aligned with CSA’s Reflexive Secure Framework. A special thank you goes to SAFECode member John Martin of Boeing, who has led SAFECode’s participation in the project and is a key author of the paper.

SAFECode is pleased to partner with CSA on this ongoing effort, and we look forward to working closely with the working group to develop more detailed guidance for each pillar identified in the document. We encourage you to take a look at today’s paper, provide feedback on the focus areas, and stay tuned for future updates. If you are a SAFECode member who’d like to get more involved with the DevSecOps Working Group, reach out today.