Shifting Left the Right Way with OSCAL, Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing, National Institute of Standards and Technology (NIST/ITL)
Release Date: 10/29/2021
A key component of the Cloud Development Lifecycle (CDLC) is the early development phase involving infrastructure as code (IaC), which is used to define and provision the initial cloud resources and configurations in code files. If IaC contains misconfigurations or compliance violations, it becomes a means of deploying those vulnerabilities at scale, representing significant cloud risk. NIST's Open Security Controls Assessment Language (OSCAL) provides a normalized expression of security requirements across standards, and a machine-readable representation of security information spanning controls, system implementation, and security assessment, enabling organizations to shift left on cloud security. This talk will briefly describe the OSCAL models and discuss their ability to shift continuous cloud security assessment left.