
Standard: Security checks (e.g., SAST, dependency scanning) are automated in CI/CD

Purpose and Strategic Importance

This standard ensures that critical security checks — such as Static Application Security Testing (SAST) and dependency vulnerability scanning — are fully automated within CI/CD pipelines. Integrating security early and consistently reduces risk, enables faster feedback, and protects systems from known vulnerabilities without slowing delivery.

Aligned to our "Secure by Design" and "Automate Everything Possible" policies, this standard enables proactive risk management and fosters a culture of secure software development. Without it, vulnerabilities are often detected too late, increasing the cost of remediation and exposing the organization to greater security risks.

Strategic Impact

Meeting this standard delivers earlier detection of security issues, a reduced risk of breaches, faster remediation, and a strong baseline of trust in all deployed software.

Risks of Not Having This Standard

  • Vulnerabilities slip through into production environments
  • Increased cost and time to remediate late-discovered security flaws
  • Reduced customer and stakeholder trust
  • Higher risk of regulatory non-compliance and breaches
  • Slower delivery due to reactive security interventions

CMMI Maturity Model

Level 1 – Initial

  • People & Culture

    • Security is considered a late-stage or manual task.
    • Awareness of secure coding practices is low.
  • Process & Governance

    • No consistent or automated security checks during build or release.
  • Technology & Tools

    • Manual scanning tools used sporadically after development.
  • Measurement & Metrics

    • No tracking of security defects until production incidents occur.

Level 2 – Managed

  • People & Culture

    • Teams acknowledge the need for earlier security checks.
    • Some manual use of security scanners by developers.
  • Process & Governance

    • Ad-hoc SAST or dependency scans are run for critical releases.
  • Technology & Tools

    • Basic integration of scanning tools exists but is not enforced.
  • Measurement & Metrics

    • Number of known vulnerabilities at release tracked manually.

Level 3 – Defined

  • People & Culture

    • Security is considered a shared responsibility within delivery teams.
    • Secure coding training is provided to engineers.
  • Process & Governance

    • Security checks are mandatory gates in CI pipelines.
    • Policies define minimum acceptable security thresholds.
  • Technology & Tools

    • CI/CD pipelines include automated SAST, dependency scanning, and report generation.
    • Scan results block progression if critical vulnerabilities are detected.
  • Measurement & Metrics

    • Number of vulnerabilities detected pre-production is measured and reported.

Level 4 – Quantitatively Managed

  • People & Culture

    • Teams actively monitor security metrics and use them to drive improvements.
    • Regular security retrospectives are held.
  • Process & Governance

    • Security policies are continuously refined based on live data.
    • Compliance thresholds are dynamically adjusted based on risk.
  • Technology & Tools

    • Automated remediation suggestions are integrated into pipelines.
    • Scan exceptions are tracked and governed centrally.
  • Measurement & Metrics

    • Mean Time to Remediate (MTTR) vulnerabilities is tracked and improved.
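The Level 3 gate ("scan results block progression if critical vulnerabilities are detected") and the Level 4 requirement that scan exceptions be tracked and governed centrally are both illustrated by the following added example. It is not code from this page or from any named scanner; the JSON finding shape, the exception register, and every identifier in it (SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, evaluate_gate, the EXAMPLE-ADVISORY ids) are constructed here for illustration. The script normalises findings from a SAST tool and a dependency scanner into one list, applies a severity threshold, honours only exceptions that are approved and unexpired, and exits non-zero so the pipeline stage fails.

```python
"""Constructed example of a CI/CD security quality gate.

Reads scan findings in a simplified, constructed JSON shape, applies a
policy threshold, honours centrally governed time-boxed exceptions, and
returns a pass/fail decision plus a summary for the pipeline report.
"""
import json
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings: roughly what a SAST tool and a dependency scanner
# might emit after normalisation. Not any real tool's output format.
SAMPLE_FINDINGS = json.loads("""
[
  {"id": "SAST-001", "source": "sast", "severity": "critical",
   "location": "src/auth/login.py:42", "rule": "hardcoded-credential"},
  {"id": "DEP-001", "source": "dependency", "severity": "high",
   "location": "requirements.txt", "package": "example-lib==1.2.0",
   "advisory": "EXAMPLE-ADVISORY-1"},
  {"id": "DEP-002", "source": "dependency", "severity": "critical",
   "location": "requirements.txt", "package": "other-lib==0.9.1",
   "advisory": "EXAMPLE-ADVISORY-2"},
  {"id": "SAST-002", "source": "sast", "severity": "medium",
   "location": "src/util/io.py:10", "rule": "insecure-temp-file"}
]
""")

# Constructed central exception register. Each entry names the finding it
# covers, who approved it, and when it expires; expired entries do not apply,
# so a suppressed finding resurfaces automatically when its waiver lapses.
SAMPLE_EXCEPTIONS = [
    {"finding_id": "DEP-002", "approved_by": "security-team",
     "expires": "2099-01-01", "reason": "not reachable; fix scheduled"},
    {"finding_id": "SAST-001", "approved_by": "security-team",
     "expires": "2000-01-01", "reason": "expired waiver (constructed)"},
]


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)    # finding ids that fail the gate
    suppressed: list = field(default_factory=list)  # ids covered by an active exception
    counts: dict = field(default_factory=dict)      # findings per severity, for reporting


def active_exceptions(exceptions, today):
    """Return the finding ids that have an approved, unexpired exception."""
    active = set()
    for exc in exceptions:
        if not exc.get("approved_by"):
            continue  # unapproved entries never suppress anything
        if date.fromisoformat(exc["expires"]) >= today:
            active.add(exc["finding_id"])
    return active


def evaluate_gate(findings, exceptions, block_at="critical", today=None):
    """Fail the gate if any finding at or above block_at severity lacks an
    active exception. `today` is an ISO date string; defaults to the real date."""
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[block_at]
    allowed = active_exceptions(exceptions, today)
    result = GateResult(passed=True)
    for f in findings:
        sev = f["severity"].lower()
        result.counts[sev] = result.counts.get(sev, 0) + 1
        if SEVERITY_RANK[sev] < threshold:
            continue  # below policy threshold: reported, not blocking
        if f["id"] in allowed:
            result.suppressed.append(f["id"])
        else:
            result.blocking.append(f["id"])
    result.passed = not result.blocking
    return result


def render_report(result):
    """Plain-text summary for the pipeline log / report artifact."""
    lines = [f"Gate: {'PASS' if result.passed else 'FAIL'}"]
    lines.append("Counts by severity: "
                 + ", ".join(f"{k}={v}" for k, v in sorted(result.counts.items())))
    if result.blocking:
        lines.append("Blocking findings: " + ", ".join(result.blocking))
    if result.suppressed:
        lines.append("Suppressed by active exception: " + ", ".join(result.suppressed))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    res = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today="2024-06-01")
    print(render_report(res))
    sys.exit(0 if res.passed else 1)  # non-zero exit fails the CI stage
```

Run with the constructed data, the gate fails on SAST-001 (its waiver has expired) while DEP-002 is suppressed by its still-valid exception and DEP-001 is reported but not blocking at the "critical" threshold; lowering block_at to "high" makes DEP-001 blocking as well. Keeping the exception register outside the repository, with an approver and an expiry on every entry, is what makes the Level 4 "tracked and governed centrally" requirement auditable rather than a per-team suppression comment.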

Level 5 – Optimising

  • People & Culture

    • Security practices evolve continuously based on threat landscape changes.
    • Teams innovate on security feedback loops (e.g., security chaos engineering).
  • Process & Governance

    • Proactive security posture management becomes standard practice.
  • Technology & Tools

    • Predictive analytics flag likely vulnerabilities before coding errors occur.
    • Continuous scanning and validation are applied throughout the SDLC.
  • Measurement & Metrics

    • Near-zero critical vulnerabilities reach production.
    • Proactive identification of emerging dependency risks.

Key Measures

  • % of CI/CD pipelines with automated security scanning integrated
  • Number of critical vulnerabilities detected pre-production
  • Mean Time to Remediate (MTTR) vulnerabilities
  • % of deployments blocked by security quality gates
  • Compliance rate against secure coding and vulnerability policies

Associated Policies

  • Secure by Design
