Download Publication

Who it's for:
- CISOs
- DevSecOps Engineers
- Cybersecurity Managers, Analysts, and Architects
- Incident Response Coordinators
- Compliance Officers
- Software Developers
The Six Pillars of DevSecOps: Measure, Monitor, Report, and Action
Release Date: 05/14/2024
Working Group: DevSecOps
The implementation and maintenance of DevSecOps initiatives can take anywhere from a few months to several years to implement. Therefore, continuous measurement is essential when attempting to understand what changes have occurred in people, processes, and tooling. Without actionable DevSecOps metrics and observability, teams cannot measure performance, understand progress, replicate success, or recognize failures. These characteristics are essential for establishing a robust security posture.
This publication discusses how measuring, monitoring, and reporting are crucial for understanding and improving security practices within software development lifecycles. DevOps teams of all maturity levels will learn how to turn security metrics into reportable and observable data.
Key Takeaways:
- How to make vulnerability, security architecture, and incident response data observable and actionable
- How varying levels of DevSecOps maturity impact security observability and response
- The importance of continuous measurement
- How to enhance DevOps observability through reporting, including making data accessible, highlighting areas of opportunity, driving continuous improvement, and encouraging communication and collaboration
This publication is part of an entire series on the Six Pillars of DevSecOps. You can find all the papers in the series that have been released so far here.
Download this Resource
Related Resources
Acknowledgements

Roupe Sahans
DevSecOps Leader
Roupe Sahans
DevSecOps Leader
Roupe leads DevSecOps delivery and thought leadership for technology and media clients embracing digital transformation.
Roupe started his DevOps journey in 2016, building containerised microservices on AWS for government platforms. He has since been working with engineers to c-suite executives to embed security and resilience into digital products, secure cloud services, and reduce cyber technical-debt.
Most recently Roupe ha...

Daniel Gora
Daniel Gora

Josh Buker
Research Analyst, CSA
Josh Buker
Research Analyst, CSA

Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 125 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.
Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. H...
Are you a research volunteer? Request to have your profile displayed on the website here.
Interested in helping develop research with CSA?
Related Certificates & Training

CSA's Cloud Infrastructure Security training provides a high-level introduction to the most critical cloud security topics through virtual self-paced courses. Each Cloud Infrastructure Security training focuses on a specific area of cloud computing, and is design to be succinct, taking one-hour to complete.
Learn more
Learn more