Software delivery, like a great loaf of bread, requires a solid structure to ensure
that what comes out of the oven tastes good every time. And good software is not
just about a nice-looking package; it has to be secure as well. From retail to finance
to healthcare to the public sector, the recipe for releasing Production-ready software
calls for fully secure and compliant delivery processes, especially when applications
are running in the cloud. But preventing security vulnerabilities and complying with
regulatory requirements is often a struggle for large enterprises, and the stakes
of that struggle are high: large fines, lost trust, and lost customers.
This paper describes four ingredients that can help organizations in all industries
effectively bake security and compliance into their software delivery processes:
1. Using tools for application security monitoring and static code analysis to ensure
that security testing happens continuously throughout the software development lifecycle.
2. Building in time for Development teams to fix negative security and compliance findings
before pushing changes to higher environments.
3. Establishing a reporting process that is easy for Audit and Compliance teams to use,
so they have a seat at the DevOps table.
4. Including Audit and Compliance teams in the software delivery process from the start.
xebialabs.com
White Paper 3
Shifting security and compliance concerns left doesn’t mean that these concerns are only the Development
team’s problem. Development and Operations teams must closely collaborate on meeting security and
compliance needs—and that collaboration is most effective when teams focus on data-driven improvement.
Anyone who’s worked in an enterprise where there’s an almost impenetrable wall between Dev and Ops
knows that making changes to practices and processes is harder than day-old bread. It’s much easier
to collaborate on improvements using data, rather than assumptions or gut feelings, as a guide.
In most enterprise environments, security and compliance evaluations don’t always produce a black-and-white,
go-or-no-go decision. People such as product owners, release managers, security specialists, and compliance
officers often decide whether or not a release can proceed despite negative compliance or security findings.
These people are not as close to the development and testing processes as developers are. They don’t set up
the automated testing tools, and they probably never review detailed logs of automated test results. But to make
decisions about those results, they need to be able to see them and, more importantly, understand what they
mean in the context of the features that are being delivered, or in the context of the release as a whole.
A software chain of custody is the trail of detailed, immutable proof of what happened, when it happened, and
who made it happen for each and every step in each and every release process, from beginning to end.
Automatically capturing a chain of custody for every release:
1. Enables both technical and business stakeholders to track the features in each release
as they move from code to Production.
2. Helps stakeholders ensure that all required security, compliance, and quality checks
are built into the process.
3. Proves that teams are successfully completing those checks while release processes run,
and captures information about why checks might be skipped.
4. Gives audit teams all of the information they need, at a glance, whenever they need it.
After a release is out the door, an immutable software chain of custody ensures that teams can fully satisfy audit
and regulatory requirements without digging through hard-to-interpret log data, trying to correlate information
from disparate tools, or scrambling to discover what’s running in Production. In addition, the chain of custody can
help teams continuously improve by identifying security and compliance gaps in the pipeline—whether that
means missing steps, steps that regularly fail or are skipped, or manual steps that can be automated.
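The paper describes what a chain of custody record must contain (what happened, when, who made it happen, and why a check was skipped) and says it must be immutable, but not how that is achieved. The following is an added example, not XebiaLabs code: a small Python record in which each release step entry's SHA-256 hash covers the previous entry's hash, so any later edit or deletion is detected by `verify()`, and a `gaps()` report lists the missing, failed and skipped steps an auditor would look for. The release name, step names, actors, timestamps, required-step list and the `SEC-PLACEHOLDER` ticket reference are all constructed for illustration.

```python
"""
Tamper-evident software chain of custody for one release.

Added example, not XebiaLabs code: each step entry's SHA-256 covers the
previous entry's hash, so editing or deleting any earlier entry is detected
by verify(). Step names, actors and the required-step list are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    release: str
    step: str                 # e.g. "static-analysis", "deploy-prod"
    outcome: str              # "passed", "failed" or "skipped"
    actor: str                # who, or which system, ran the step
    timestamp: str            # ISO-8601 string supplied by the pipeline
    reason: Optional[str]     # mandatory when the step was skipped
    prev_hash: str
    entry_hash: str


def _digest(body: dict) -> str:
    # Canonical JSON so identical content always produces the same hash.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ChainOfCustody:
    def __init__(self, release: str) -> None:
        self.release = release
        self.entries: List[CustodyEntry] = []

    def record(self, step: str, outcome: str, actor: str,
               timestamp: str, reason: Optional[str] = None) -> CustodyEntry:
        """Append one step; a skipped step must carry the reason it was skipped."""
        if outcome not in ("passed", "failed", "skipped"):
            raise ValueError(f"unknown outcome {outcome!r}")
        if outcome == "skipped" and not reason:
            raise ValueError("a skipped step must record why it was skipped")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        body = {"seq": len(self.entries), "release": self.release, "step": step,
                "outcome": outcome, "actor": actor, "timestamp": timestamp,
                "reason": reason, "prev_hash": prev}
        entry = CustodyEntry(entry_hash=_digest(body), **body)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = asdict(e)
            stored = body.pop("entry_hash")
            if e.seq != i or e.prev_hash != prev or _digest(body) != stored:
                return False
            prev = stored
        return True

    def gaps(self, required_steps: List[str]) -> Dict[str, List[str]]:
        """Pipeline gaps an auditor would flag: required steps never run,
        steps that failed, and steps skipped together with the recorded reason."""
        seen = {e.step for e in self.entries}
        return {
            "missing": [s for s in required_steps if s not in seen],
            "failed": [e.step for e in self.entries if e.outcome == "failed"],
            "skipped": [f"{e.step}: {e.reason}" for e in self.entries
                        if e.outcome == "skipped"],
        }


def demo() -> dict:
    """Builds a constructed release record, then shows that a later edit is detected."""
    required = ["static-analysis", "dependency-scan", "security-review", "deploy-prod"]
    chain = ChainOfCustody("webshop-2.4.0")
    chain.record("static-analysis", "passed", "ci-bot", "2020-03-02T09:10:00Z")
    chain.record("dependency-scan", "skipped", "release-manager",
                 "2020-03-02T09:12:00Z", reason="scanner outage; ticket SEC-PLACEHOLDER")
    chain.record("deploy-prod", "passed", "deploy-bot", "2020-03-02T10:00:00Z")
    intact = chain.verify()
    report = chain.gaps(required)

    # Simulate someone rewriting history after the fact: mark the skipped scan as passed.
    edited = asdict(chain.entries[1])
    edited["outcome"] = "passed"
    chain.entries[1] = CustodyEntry(**edited)
    return {"intact_before": intact, "intact_after": chain.verify(), "gaps": report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real pipeline the entries would be appended to write-once storage and the latest `entry_hash` published somewhere the pipeline cannot overwrite, so that `verify()` can be run by the audit team independently of the tools that produced the record.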
An enterprise software delivery toolchain typically consists of many specialized tools, each of which usually
provides some level of logging and reporting. While the native reporting capabilities of most tools often suffice
for an individual task in the delivery process, they don’t provide a broader view of the process as a whole;
and without that broader view, it’s hard for stakeholders to recognize and take action on security and
compliance risks.
It’s important to automatically pull relevant data from the Continuous Delivery pipeline, elevate it to the point
where stakeholders can see it, and put it into context so they can understand it.
For example, a compliance officer might not be able to identify an IT governance violation by looking at an
isolated set of test results that only apply to a specific feature; but that violation might become obvious when
the officer can see how the feature is implemented, how it relates to other features in the software, and how
it will be deployed to Production.
Release Orchestration that bakes security into the process. XebiaLabs lets you automate, orchestrate, and
visualize your release pipelines at enterprise scale. Define and run delivery pipelines for high security and full
compliance scenarios, with built-in security checks and automatic audit logging. Create a standardized process
that includes security steps that can’t be skipped. Reduce release risk by providing full visibility into each release
step, and by proactively issuing analytics-based alerts when problems are imminent.
Deployment Automation that promotes consistency. XebiaLabs standardizes complex deployments to any
target environment—from cloud and containers to middleware and mainframes. Its agentless architecture and
declarative, model-based approach speed up deployment time while greatly reducing errors and failed deployments.
Enable self-service deployments for development teams while maintaining governance and control over the
release and deployment process. Enforce repeatable processes that ensure teams follow the right steps and
only use secure, approved libraries and components.
DevOps Intelligence that helps you identify trends and take action to improve. XebiaLabs analyzes your software
delivery pipelines and highlights trends and anomalies, so you can address problems before they become failures.
Spot potential security issues early in the process and stop them before they make it to Production. Predict security
risks and make data-driven decisions about process improvements that will have the greatest impact.
Software chain of custody and push-button release audit reports that cover your end-to-end DevOps toolchain.
XebiaLabs’ unique Software Chain of Custody reporting delivers crucial evidence about everything that happens
in your software delivery pipeline, proving what happened, when it happened, where it happened, and who made
it happen. With XebiaLabs, you can push a button and get a full release audit report in spreadsheet format,
on demand. Without this information, it’s impossible to fully meet compliance and security requirements as
you develop and deliver software at scale.
By establishing an immutable chain of custody for all releases, fully integrating automated
testing into DevOps pipelines, leveraging real security and compliance data, and then
visualizing that data so you can spot problems before Production, organizations can rest
assured that they’ve effectively mitigated risk and satisfied audit requirements.
And XebiaLabs is here to help. Try the XebiaLabs DevOps Platform today and see for
yourself how to reap the benefits of left-shifting security and compliance in your software
development processes.
About XebiaLabs
XebiaLabs offers the industry’s only enterprise-scale Continuous Delivery and DevOps software platform, providing companies
with the orchestration, automation, and reporting they need to deliver software faster and with less risk. Global market leaders
rely on XebiaLabs to meet the increasing demand for accelerated and more reliable software releases.