Skip to main content
DevOps Image

This post is from the XebiaLabs blog and has not been updated since the original publish date.

Last Updated Sep 11, 2019 — DevOps Expert

Integrate Compliance and Security Testing into Continuous Delivery


As any bread baker knows, there are four fundamental ingredients to any loaf: flour, yeast, water, and salt. Software delivery, like a great loaf of bread, requires a solid structure to ensure that what comes out of the oven tastes good every time. And good software is not just about a nice-looking package; it has to be secure as well. This series focuses on the four key ingredients needed to bake security and compliance into your software delivery processes.

We discuss ingredient 1 here. Time to add ingredient 2:

Integrate automated compliance and security testing into Continuous Delivery processes

Automated testing is a proven best practice for teams that are adopting Continuous Delivery, so it’s natural for Development teams to automate compliance and security testing by using static code analysis tools such as Fortify, SonarQube, Checkmarx, and Black Duck. These tools make it easy to see whether a particular piece of code or application passes the compliance and security “taste test.” But they don’t integrate test results with other information that is relevant to the overall business software release, which makes it hard for stakeholders outside the Development team to use those results. 

In most enterprise environments, security and compliance evaluations don’t always produce a black-and-white, go-or-no-go decision. People such as product owners, release managers, security specialists, and compliance officers often decide whether or not a release can proceed despite negative compliance or security findings. 

These people are not as close to the development and testing processes as developers are. They don’t set up the automated testing tools, and they probably never review detailed logs of automated test results. But to make decisions about those results, they need to be able to see them and––more importantly––understand what they mean in the context of the features that are being delivered, or in the context of the release as a whole.

The XebiaLabs DevOps Platform automates the process of collecting release data and producing on-demand, real-time reports with the push of a button. All stakeholders—from product owners and release managers to security specialists and compliance officers—get the data they need to understand the complete picture of what happened in each and every release, readily available in a convenient spreadsheet format.

We’ll be covering the remaining ingredients in upcoming blog posts. Or you can read about them all right now by downloading the white paper below. 

Related Reading



More from the Blog

View more
May 06, 2021

Use Value Stream Management to release apps with confidence

Many companies worldwide use a blend of DevOps and agile methods to he ...
Read More
Agile or DevOps on Its own Is not enough
Apr 23, 2021

Agile or DevOps on Its own Is not enough

As every company becomes a software company, it becomes increasingly i ...
Read More
Mar 16, 2021

Does successful change management require DevOps?

Around the world, digital product providers are looking to reduce dysf ...
Read More
Mar 04, 2021

Getting key stakeholder buy-in for changes perceived as risky

Organizational leaders must recognize that change is vital for the sur ...
Read More
Contact Us