Dark Reading | Cloud | Products and Releases
7/7/2020 11:30 AM
Cloud Security Alliance Publishes New Paper, The Six Pillars of DevSecOps: Automation

Document provides practical advice for integrating automated security into software development lifecycle.

SEATTLE – July 7, 2020 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, announced today the release of The Six Pillars of DevSecOps: Automation. Produced by CSA’s DevSecOps Working Group in collaboration with SAFECode, the document provides a holistic framework for facilitating security automation within DevSecOps and best practices for automating those security controls, as well as clarification of common misconceptions surrounding DevSecOps security testing.

“The complexity of cloud infrastructure today means that small code changes can have disproportionate impact downstream. Therefore, it’s critical that security checks be integrated and monitored throughout the software development and deployment lifecycle, all the way from design to implementation, testing, and release,” said Souheil Moghnie, SAFECode Board member and one of the paper’s lead authors.

As the paper explains, the necessity of security automation, security test automation techniques, and the mechanisms to achieve it are all integral components of a comprehensive risk-based security automation approach, and all of them can be achieved using a security-enabled delivery pipeline and the controls within it.

The document provides insight into:

● The types of triggers and checkpoints that should occur in the delivery pipeline

● The strategy of shifting security left while accelerating right

● How to prioritize and balance resources in conjunction with deliverability

● Risk factors that occur throughout the delivery pipeline and how automation can be introduced to mitigate them

● Automation best practices that extend beyond DevSecOps

“It's vital that today's DevOps teams be agile, able to address user requirements dynamically, release features incrementally, and deliver at a faster pace than their predecessors, and do it all without sacrificing security. Security controls can't be successfully integrated without automated security capabilities that allow for timely and meaningful feedback. By adopting even modest automated security capabilities, entire classes of risk can potentially be eliminated,” said Sean Heide, Research Analyst, Cloud Security Alliance.

Download the free report.

The CSA DevSecOps Working Group works to create a transparent and full-circle management lifecycle that leverages all the components of DevSecOps to ensure timely and full-functioning application deployment with proper security steps through every process. The working group maintains an active partnership with SAFECode whose members contribute their expertise in designing and managing large-scale software security programs. Individuals interested in becoming involved in the future research and initiatives of this group are invited to do so by visiting the Join page.

About SAFECode

SAFECode is a non-profit global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs. We believe that secure software development can only be achieved with an organizational commitment to the execution of a holistic assurance process, and that sharing information on that process and the practices it encompasses is the most effective way for software providers to help customers and other stakeholders manage software security risk. For more information, please visit www.safecode.org.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
