This post is from the XebiaLabs blog and has not been updated since the original publish date.
Integrate Compliance and Security Testing into Continuous Delivery
As any bread baker knows, there are four fundamental ingredients to any loaf: flour, yeast, water, and salt. Software delivery, like a great loaf of bread, requires a solid structure to ensure that what comes out of the oven tastes good every time. And good software is not just about a nice-looking package; it has to be secure as well. This series focuses on the four key ingredients needed to bake security and compliance into your software delivery processes.
Ingredient 1 was covered in the previous post in this series. Time to add ingredient 2:
Integrate automated compliance and security testing into Continuous Delivery processes
Automated testing is a proven practice for teams adopting Continuous Delivery, so it is natural for Development teams to automate security and compliance checks as well, using static application security testing (SAST) tools such as Fortify, SonarQube, and Checkmarx for their own code and software composition analysis tools such as Black Duck for third-party dependencies. These tools make it easy to see whether a particular piece of code or application passes the security and compliance “taste test.” What they don’t do is correlate their findings with the other information that matters for the overall business release, such as which features the findings affect and the state of the release as a whole, which makes it hard for stakeholders outside the Development team to act on those results.
In most enterprise environments, security and compliance evaluations don’t produce a black-and-white, go/no-go decision on their own. People such as product owners, release managers, security specialists, and compliance officers decide whether a release can proceed despite negative compliance or security findings, and that decision, along with who made it and why, is part of the release record.
These people are not as close to the development and testing processes as developers are. They don’t set up the automated testing tools, and they probably never review detailed logs of automated test results. But to make decisions about those results, they need to be able to see them and, more importantly, understand what they mean in the context of the features that are being delivered, or in the context of the release as a whole.
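The following is an added example, not code from the original post or from XebiaLabs, of what "integrating scanner results with release information" looks like in a pipeline: the findings of several tools are normalised into one tool-agnostic record, the stakeholders' risk acceptances are applied as scoped, expiring waivers, and a single release-level go/no-go summary plus a CSV export for non-developer stakeholders is produced. It assumes the scanners' findings are available as SARIF 2.1.0 documents (the two documents below are constructed samples; the tool names, rule IDs, file paths and messages are invented for the example, not real scanner output) and that waivers are kept in a list the release stakeholders own.

```python
import csv
import io
import json
from datetime import date

# Constructed SARIF 2.1.0 samples standing in for scanner exports.  Tool
# names, rule IDs, paths and messages are invented for this example.
SARIF_DOCS = [
    json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "ExampleSAST"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders/dao.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-007", "level": "warning",
             "message": {"text": "Sensitive value written to application log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/login.py"},
                 "region": {"startLine": 88}}}]}]}]}),
    json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "ExampleSCA"}},
        "results": [
            {"ruleId": "DEP-VULN-12", "level": "error",
             "message": {"text": "Dependency example-lib 1.2.3 has a known weakness"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "requirements.txt"},
                 "region": {"startLine": 7}}}]}]}]}),
]

# Risk acceptances recorded by the release stakeholders (constructed).  A
# waiver is scoped to one rule at one location and carries an expiry date so
# that an acceptance cannot silently outlive the release it was granted for.
WAIVERS = [
    {"rule_id": "LOG-007", "uri": "src/auth/login.py",
     "approved_by": "security-officer", "expires": "2099-01-01",
     "reason": "Logged value is a masked token; fix scheduled for next sprint"},
    {"rule_id": "DEP-VULN-12", "uri": "requirements.txt",
     "approved_by": "release-manager", "expires": "2020-01-01",
     "reason": "Temporary acceptance for the previous release only"},
]


def normalize(sarif_text):
    """Flatten one SARIF document into tool-agnostic finding records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            findings.append({
                "tool": tool,
                "rule_id": result["ruleId"],
                "level": result.get("level", "warning"),  # SARIF's default level
                "uri": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "message": result["message"]["text"],
                "waived_by": None,
            })
    return findings


def apply_waivers(findings, waivers, today):
    """Mark findings covered by an unexpired waiver; expired waivers are ignored."""
    active = {(w["rule_id"], w["uri"]): w for w in waivers
              if date.fromisoformat(w["expires"]) >= today}
    for f in findings:
        waiver = active.get((f["rule_id"], f["uri"]))
        f["waived_by"] = waiver["approved_by"] if waiver else None
    return findings


def release_report(release_id, sarif_docs, waivers, today=None):
    """Combine all scanner output for a release into one go/no-go summary."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = [f for doc in sarif_docs for f in normalize(doc)]
    apply_waivers(findings, waivers, today)
    # Policy for this example: any unwaived "error" blocks the release.
    blocking = [f for f in findings
                if f["level"] == "error" and f["waived_by"] is None]
    by_tool = {}
    for f in findings:
        by_tool[f["tool"]] = by_tool.get(f["tool"], 0) + 1
    return {"release": release_id, "findings": findings, "by_tool": by_tool,
            "waived": sum(1 for f in findings if f["waived_by"]),
            "blocking": blocking, "decision": "NO-GO" if blocking else "GO"}


def to_csv(report):
    """Render the per-finding detail as CSV for non-developer stakeholders."""
    cols = ["tool", "rule_id", "level", "uri", "line", "message", "waived_by"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=cols, lineterminator="\n")
    writer.writeheader()
    for f in report["findings"]:
        writer.writerow({c: f[c] for c in cols})
    return out.getvalue()


if __name__ == "__main__":
    report = release_report("rel-2024.07", SARIF_DOCS, WAIVERS, "2024-07-01")
    print(report["decision"], [(f["tool"], f["rule_id"]) for f in report["blocking"]])
    print(to_csv(report))
```

With the sample data the gate reports NO-GO: the SQL injection finding has no waiver, and the dependency finding's waiver expired with the previous release, so it is blocking again even though someone once accepted it. The logging finding is waived and shows the approver's name in the export, which is the information a compliance officer needs to see next to the finding rather than in a scanner log.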
The XebiaLabs DevOps Platform automates the process of collecting release data and producing on-demand, real-time reports with the push of a button. All stakeholders—from product owners and release managers to security specialists and compliance officers—get the data they need to understand the complete picture of what happened in each and every release, readily available in a convenient spreadsheet format.
We’ll be covering the remaining ingredients in upcoming blog posts. Or you can read about them all right now by downloading the white paper below.
- How to Take the Fear out of Software Audits
- Get Automated Compliance and Hands-Free Governance with XebiaLabs’ Software Chain of Custody Reporting Capabilities
- Software Chain of Custody: Collect. Visualize. Report. Prove