Cloud Security Alliance Publishes New Paper, The Six Pillars of DevSecOps: Automation

Document provides practical advice for integrating automated security into the software development lifecycle.

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, announced today the release of The Six Pillars of DevSecOps: Automation. Produced by CSA’s DevSecOps Working Group in collaboration with SAFECode, the document provides a holistic framework for facilitating security automation within DevSecOps and best practices for automating those security controls, as well as clarification of common misconceptions surrounding DevSecOps security testing.

“The complexity of cloud infrastructure today means that small code changes can have a disproportionate impact downstream. Therefore, it’s critical that security checks be integrated and monitored throughout the software development and deployment lifecycle, all the way from design to implementation, testing, and release,” said Souheil Moghnie, SAFECode Board member and one of the paper’s lead authors.

As the paper explains, the case for security automation, the techniques for automating security testing, and the mechanisms used to deliver it are integral parts of a comprehensive, risk-based approach to security automation, one that is realized through a security-enabled delivery pipeline and the controls embedded within it.

The document provides insight into:

  • The types of triggers and checkpoints that should occur in the delivery pipeline
  • The strategy of shifting security left while accelerating right
  • How to prioritize and balance resources in conjunction with deliverability
  • Risk factors that occur throughout the delivery pipeline and how automation can be introduced to mitigate them
  • Automation best practices that extend beyond DevSecOps

“It’s vital that today’s DevOps teams be agile, able to address user requirements dynamically, release features incrementally, and deliver at a faster pace than their predecessors and do it all without sacrificing security. Security controls can’t be successfully integrated without automated security capabilities that allow for timely and meaningful feedback. By adopting even modest automated security capabilities entire classes of risk can potentially be eliminated,” said Sean Heide, Research Analyst Cloud Security Alliance.

Download the free report.
