Document provides practical advice for integrating automated security into software development lifecycle
SEATTLE – July 7, 2020 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, announced today the release of The Six Pillars of DevSecOps: Automation. Produced by CSA’s DevSecOps Working Group in collaboration with SAFECode, the document provides a holistic framework for facilitating security automation within DevSecOps and best practices for automating those security controls, as well as clarification of common misconceptions surrounding DevSecOps security testing.
“The complexity of cloud infrastructure today means that small code changes can have disproportionate impact downstream. Therefore, it’s critical that security checks be integrated and monitored throughout the software development and deployment lifecycle, all the way from design to implementation, testing, and release,” said Souheil Moghnie, SAFECode Board member and one of the paper’s lead authors.
The necessity of security automation, security test automation techniques, and the mechanisms to achieve it are integral components of a comprehensive risk-based security automation approach — all of which can be achieved using a security-enabled delivery pipeline and the controls within it, as the paper explains.
The document provides insight into:
- The types of triggers and checkpoints that should occur in the delivery pipeline
- The strategy of shifting security left while accelerating right
- How to prioritize and balance resources in conjunction with deliverability
- Risk factors that occur throughout the delivery pipeline and how automation can be introduced to mitigate them
- Automation best practices that extend beyond DevSecOps
“It’s vital that today’s DevOps teams be agile, able to address user requirements dynamically, release features incrementally, and deliver at a faster pace than their predecessors and do it all without sacrificing security. Security controls can’t be successfully integrated without automated security capabilities that allow for timely and meaningful feedback. By adopting even modest automated security capabilities entire classes of risk can potentially be eliminated,” said Sean Heide, Research Analyst Cloud Security Alliance.
The CSA DevSecOps Working Group works to create a transparent and full-circle management lifecycle that leverages all the components of DevSecOps to ensure timely and full-functioning application deployment with proper security steps through every process. The working group maintains an active partnership with SAFECode whose members contribute their expertise in designing and managing large-scale software security programs. Individuals interested in becoming involved in the future research and initiatives of this group are invited to do so by visiting the Join page.
SAFECode is a non-profit global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs. We believe that secure software development can only be achieved with an organizational commitment to the execution of a holistic assurance process, and that sharing information on that process and the practices it encompasses is the most effective way for software providers to help customers and other stakeholders manage software security risk. For more information, please visit www.safecode.org.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Kari Walker for the CSA