Shift Security & Compliance Left with Automated Guardrails

This standard mandates the shifting of security and compliance left with automated guardrails to ensure security and compliance are embedded without adding friction.

1. Shift Security & Compliance Left with Automated Guardrails:

Security and compliance should be embedded without adding friction. This approach ensures that security is integrated early in the development process.

• 1.1 Policy as Code (PaC):
  • 1.1.1 Automated Enforcement:
    • Implement Policy as Code (PaC) to enforce security, governance, and compliance automatically.
    • Automate the execution of PaC policies.
  • 1.1.2 Policy Management:
    • Automate the tracking of policy enforcement.
    • Implement policy tutorials.
• 1.2 Self-Service Security Scanning:
  • 1.2.1 Code and Infrastructure Scanning:
    • Provide self-service security scanning tools for code, infrastructure, and dependencies.
    • Automate the execution of security scans.
  • 1.2.2 Scan Management:
    • Automate the tracking of scan results.
    • Implement scan feedback collection.
• 1.3 Least Privilege (PoLP) Access Controls:
  • 1.3.1 Manual Intervention Avoidance:
    • Ensure access controls follow the principle of least privilege (PoLP) without requiring manual intervention.
    • Automate the configuration of PoLP access.
  • 1.3.2 Control Management:
    • Automate the tracking of access control implementations.
    • Implement control tutorials.

By shifting security left, organisations can ensure security is integrated seamlessly.