Speeding away from security
Many software development teams today have adopted DevOps practices that enable them to regularly produce and push code into production environments. These developers aim for rapid releases to deliver great user experiences and drive business value often. At the same time, Security and Compliance groups struggle to keep up as they navigate the complicated challenge of balancing the merits of faster development speed against the need to manage risk and protect the organization without introducing unnecessary hurdles.
Today, a growing list of security tooling adds complexity to build pipelines, and the data generated by the tools usually lives in its own silo. While a scanning tool may provide additional visibility into potential vulnerabilities, the introduction of more components into increasingly complicated continuous integration/continuous delivery (CI/CD) pipelines can make it hard to have a holistic understanding of security and compliance.
In organizations trying to adapt to this evolving challenge, multiple teams are involved in the process, including:
Each of these teams tends to have different priorities. Luckily, there is a way to align the goals of the three distinct teams. By implementing a common framework of Automated Governance, organizations can enable a unified vision for automation, security, and compliance at scale.
An Automated Governance framework solves the issues of our three stakeholder tribes by reducing the time needed for audits, improving the coverage of security controls in the development pipeline, and increasing the reliability of risk assessments and audits.
To implement this framework, organizations need to outline potential risks that can be introduced and a set of associated controls to mitigate these risks at different stages of the software delivery pipeline. In most organizations, the typical pipeline stages may be:
The controls defined for the different stages are checks that development teams’ code must pass before a deployment can occur, and each check is an opportunity to capture evidence, or an “attestation,” of that control. By storing machine-generated, digitally signed attestations in a single data repository, stakeholders have an objective, trustworthy record of what happened during the software build process.
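As an added illustration of this attestation idea (example code, not from the original article), the following Python sketch emits one signed attestation per control check and gates a deployment on having a valid, passing attestation for every required control against the exact artifact digest. It uses an HMAC with a constructed demo key as a stand-in for the digital signature the article describes; the stage and control names (`build`/`sast`, `test`/`dependency-scan`) are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A real pipeline would sign with an asymmetric key held
# in a KMS/HSM so the repository can verify without holding the signing secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attest(stage: str, control: str, passed: bool, artifact_sha256: str,
           key: bytes = SIGNING_KEY) -> dict:
    """Machine-generated, signed record of one control check at one stage."""
    body = {
        "stage": stage,
        "control": control,
        "result": "pass" if passed else "fail",
        "artifact_sha256": artifact_sha256,   # binds evidence to the artifact
        "issued_at": datetime.now(timezone.utc).isoformat(),
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify(attestation: dict, key: bytes = SIGNING_KEY) -> bool:
    """True only if the body is unmodified since it was signed."""
    expected = hmac.new(key, _canonical(attestation["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["sig"])


def deployment_allowed(attestations: list, required: set, artifact_sha256: str,
                       key: bytes = SIGNING_KEY) -> bool:
    """Gate: every required (stage, control) has a valid, passing attestation
    for this artifact. Tampered or unsigned records carry no weight."""
    satisfied = set()
    for att in attestations:
        if not verify(att, key):
            continue
        body = att["body"]
        if body["artifact_sha256"] == artifact_sha256 and body["result"] == "pass":
            satisfied.add((body["stage"], body["control"]))
    return required <= satisfied
```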
To keep the business protected from relevant threats without reducing time to value, these governance processes must be automated in development pipelines to help ensure that developers can continue to accelerate the rate of software delivery while Security and Compliance teams can have confidence in the reduction of overall risk. As we expect this challenge to escalate further, understanding how to adopt and implement an Automated Governance framework may be vital for organizations that wish to have a trustworthy, repeatable approach to build, protect, and deliver their products and services.