
DevSecOps - Pillar 4 Bridging Compliance and Development

Release Date: 02/08/2022

Working Group: DevSecOps

Overview
This document provides guidance to ensure the gap between compliance and development is addressed by recognizing compliance objectives, translating them to appropriate security measures, and identifying inflection points within the software development lifecycle where these controls can be embedded, automated, measured, and tested in a transparent and easily understood way.

Backstory
This document continues the DevSecOps Six Pillars series, with a particular focus on how compliance can be automated and tied more closely to security requirements. Historically, compliance requirements have quickly become outdated because they are managed separately from the code they relate to. Turning those requirements into automated equivalents helps keep them relevant as applications and infrastructure evolve.

Keywords, Takeaways
  • DevSecOps
  • Security compliance
  • Compartmentalization
  • Collective responsibility
  • Software development
  • Secure development lifecycle (SDLC)
  • Continuous assessment
  • “as-Code” model (Infrastructure-as-Code, Compliance-as-Code, Policy-as-Code, etc.)

Acknowledgements

Michael Roza
Risk, Audit, Control, and Compliance Professional

Since 2012 Michael has contributed to over 85 CSA projects completed by CSA's Internet of Things, Zero Trust/Software-Defined Perimeter, Top Threats, Cloud Control Matrix, Containers/Microservices, DevSecOps, and other working groups. He has also served as co-chair of CSA's Enterprise Architecture, Top Threats, and Security-as-a-Service working groups while also serving as the Standards Liaison Officer for IoT, ICS, EA, SECaaS, and Cloud Ke...

Roupe Sahans
DevSecOps Leader

Leads DevSecOps activities for organisations embracing digital transformation.

Ashleigh Buckingham

This person does not have a biography listed with CSA.

Chris Hughes
Co-Founder and CISO at Aquia

Chris currently serves as the Co-Founder and CISO of Aquia. Chris has nearly 20 years of IT/Cybersecurity experience. This ranges from active duty time with the U.S. Air Force, a Civil Servant with the U.S. Navy and General Services Administration (GSA)/FedRAMP as well as time as a consultant in the private sector. In addition, he also is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of...
