Document provides framework to ensure gap between compliance and development is addressed

SEATTLE – Feb. 8, 2022 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released DevSecOps – Pillar 4 Bridging Compliance and Development. Written by CSA’s DevSecOps Working Group in collaboration with SAFECode, the paper provides guidance to ensure the gap between compliance and development is addressed by recognizing compliance objectives, translating them to appropriate security measures, and identifying inflection points within the software development lifecycle where these controls can be easily and transparently embedded, automated, measured, and tested.

The paper is the third in a series of reports detailing the six focus areas critical to integrating DevSecOps into an organization outlined in the Six Pillars of DevSecOps.

“The increasing speed and frequency of deployments in application development today mandates a solution that is both efficient and more automated but without compromising security and quality,” said Roupe Sahans, the paper’s lead author.

The methods explored in this paper allow DevSecOps teams to translate security and compliance requirements into the development cycle so they are actionable for software developers, objectively measurable, and work to reduce risk. It provides a set of best practices that, if followed, will help DevSecOps teams realize enhanced risk mitigation and the ability to apply security controls at scale more efficiently. The document is broken down into three parts:

  1. Assess. An approach to compartmentalization and assessment with an eye to minimizing operating impact.
  2. Mindset. The shift in both thought and practice for how compliance can be designed and implemented into applications.
  3. Tooling. The different security tooling practices that can provide assurance to compliance requirements.

Download DevSecOps – Pillar 4 Bridging Compliance and Development today.

The CSA DevSecOps Working Group works to create a transparent and full-circle management lifecycle that leverages all the components of DevSecOps to ensure timely and full-functioning application deployment with proper security steps through every process. The working group maintains an active partnership with SAFECode whose members contribute their expertise in designing and managing software security programs. Individuals interested in becoming involved in the future research and initiatives of this group are invited to do so by visiting the Join page.

About SAFECode
SAFECode is a non-profit global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs. We believe that secure software development can only be achieved with an organizational commitment to the execution of a holistic assurance process, and that sharing information on that process and the practices it encompasses is the most effective way for software providers to help customers and other stakeholders manage software security risk. For more information, please visit

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

Media Contacts

Kristina Rundquist

ZAG Communications for the CSA

[email protected]

Bob Olson

Virtual Inc. for SAFECode

[email protected]