
White Paper

Baking Compliance and Security into Your Software Delivery Process

Executive Summary
As any bread baker knows, there are four fundamental ingredients to any loaf:
flour, yeast, water, and salt. All work together in concert to build a strong yet pliable
structure, impart flavor, and emit an aroma that people from miles away can’t resist.
With experience, you can tweak proportions and throw in other ingredients to make
it your own, but the basics are always there, working in harmony to ensure a sound
structure and good consistency.

Software delivery, like a great loaf of bread, requires a solid structure to ensure
that what comes out of the oven tastes good every time. And good software is not
just about a nice-looking package; it has to be secure as well. From retail to finance
to healthcare to the public sector, the recipe for releasing Production-ready software
calls for fully secure and compliant delivery processes, especially when applications
are running in the cloud. But preventing security vulnerabilities and complying with
regulatory requirements is often a struggle for large enterprises, and the stakes
of that struggle are high––large fines, lost trust, and lost customers.

This paper describes four ingredients that can help organizations in all industries
effectively bake security and compliance into their software delivery processes:

• Shift compliance and security concerns left in the delivery pipeline
• Integrate automated compliance and security testing into Continuous Delivery processes
• Establish an immutable chain of custody for all releases
• Visualize and evaluate security vulnerabilities and IT governance violations

Necessary Ingredients for Effective Compliance and Security

As the pressure to outpace the competition rises, more and
more organizations are adopting DevOps practices, such as
Continuous Integration and Continuous Delivery, to optimize
their software delivery efforts. When properly implemented,
DevOps can align Development and Operations efforts to
achieve shorter release cycles, so organizations can deliver
high-quality software rapidly and reliably. But when organizations
try to accelerate the software delivery process without mixing
in risk assessment, security testing, and compliance evaluation,
they run into delayed releases, failed deployments, and security
vulnerabilities that threaten applications running in Production.

Four key ingredients can help organizations in all industries effectively bake security
and compliance into their software processes without compromising delivery speed.

1. Shift compliance and security concerns left in the delivery pipeline

Shifting compliance and security concerns left in the enterprise software delivery pipeline means putting
processes in place to identify, fix, and prevent security problems and compliance violations as early as possible
in the development lifecycle. By integrating automated security checks that start in Development and continue all
the way through Production, you can ensure that your code is always safe, from the first commit to the release.

Shifting left involves:

• Requiring developers to include security and compliance checks in their build processes.
• Using tools for application security monitoring and static code analysis to ensure that
security testing happens continuously throughout the software development lifecycle.
• Building in time for Development teams to fix negative security and compliance findings
before pushing changes to higher environments.
• Bringing Development and Operations teams together to collaborate on testing strategies
and fixes for security and compliance issues.
• Establishing a reporting process that is easy for Audit and Compliance teams to use, so they
have a seat at the DevOps table, and including these teams in the software delivery process
from the start.


Shifting security and compliance concerns left doesn’t mean that these concerns are only the Development
team’s problem. Development and Operations teams must closely collaborate on meeting security and
compliance needs—and that collaboration is most effective when teams focus on data-driven improvement.

Anyone who’s worked in an enterprise where there’s an almost impenetrable wall between Dev and Ops
knows that making changes to practices and processes is harder than day-old bread. It’s much easier
to collaborate on improvements using data––rather than assumptions or gut feelings––as a guide.

Continuous compliance shouldn’t fall flat

To meet audit and compliance requirements, enterprise organizations may be
called on at any time to show...
• What changes were made to the software?
• When were the changes made and by whom?
• Did the changes receive proper approvals?
• Did the teams follow the necessary rules for each development and
release activity as dictated by SOX, PCI, or other regulations?
• Was the software tested appropriately?
• Were permissions properly controlled?
• Do we have the evidence to prove all of this?

2. Integrate automated compliance and security testing into Continuous Delivery processes

Automated testing is a proven best practice for teams that are adopting Continuous Delivery, so it’s natural
for Development teams to automate compliance and security testing by using static code analysis tools such
as Fortify, SonarQube, Checkmarx, and Black Duck. These tools make it easy to see whether a particular piece
of code or application passes the compliance and security “taste test.” But they don’t integrate test results
with other information that is relevant to the overall business software release, which makes it hard for
stakeholders outside the Development team to use those results.

In most enterprise environments, security and compliance evaluations don’t always produce a black-and-white,
go-or-no-go decision. People such as product owners, release managers, security specialists, and compliance
officers often decide whether or not a release can proceed despite negative compliance or security findings.
These people are not as close to the development and testing processes as developers are. They don’t set up
the automated testing tools, and they probably never review detailed logs of automated test results. But to make
decisions about those results, they need to be able to see them and––more importantly––understand what they
mean in the context of the features that are being delivered, or in the context of the release as a whole.


World’s Only Release Audit Report: Push the button. Get the report. You’re done.

Get a full release audit report in spreadsheet format, on demand, that covers your end-to-
end software delivery pipeline. See everything that happened throughout the release, across
tools, all in one place. Developers no longer waste hundreds or thousands of hours painstakingly
creating incomplete reports. Audit, compliance, and business team members now get the data
they need, in the format they need, and they can control the process. Executives can rest easy
knowing that governance and security processes have been followed, and that compliance is
easy to prove. With the push of one button, any team member can prove what happened for
each and every release.

3. Establish an immutable chain of custody for all releases

Shifting security and compliance left and integrating automated security and compliance checks throughout the
software delivery process gives you access to more release data than ever before. One way to get value from this
data is to automatically create a software chain of custody for every release that happens.

A software chain of custody is the trail of detailed, immutable proof of what happened, when it happened, and
who made it happen for each and every step in each and every release process, from beginning to end.
Automatically capturing a chain of custody for every release:

• Enables both technical and business stakeholders to track the features in each release
as they move from code to Production.
• Helps stakeholders ensure that all required security, compliance, and quality checks
are built into the process.
• Proves that teams are successfully completing those checks while release processes run,
and captures information about why checks might be skipped.
• Gives audit teams all of the information they need, at a glance, whenever they need it.

After a release is out the door, an immutable software chain of custody ensures that teams can fully satisfy audit
and regulatory requirements without digging through hard-to-interpret log data, trying to correlate information
from disparate tools, or scrambling to discover what’s running in Production. In addition, the chain of custody can
help teams continuously improve by identifying security and compliance gaps in the pipeline—whether that
means missing steps, steps that regularly fail or are skipped, or manual steps that can be automated.


4. Visualize and evaluate security vulnerabilities and IT governance violations

Collecting security and compliance data and automatically building a release chain of custody isn’t enough;
you must also be sure that everyone who’s involved in the software delivery process can visualize and evaluate
security and compliance information in the context that makes sense for them.

An enterprise software delivery toolchain typically consists of many specialized tools, each of which usually
provides some level of logging and reporting. While the native reporting capabilities of most tools often suffice
for an individual task in the delivery process, they don’t provide a broader view of the process as a whole;
and without that broader view, it’s hard for stakeholders to recognize and take action on security and
compliance risks.

It’s important to automatically pull relevant data from the Continuous Delivery pipeline, elevate it to the point
where stakeholders can see it, and put it into context so they can understand it.

For example, a compliance officer might not be able to identify an IT governance violation by looking at an
isolated set of test results that only apply to a specific feature; but that violation might become obvious when
the officer can see how the feature is implemented, how it relates to other features in the software, and how
it will be deployed to Production.

Roll up your sleeves with XebiaLabs

XebiaLabs enables you to:
• Orchestrate release pipelines automatically and document every step
of the way.
• Automate software deployment in a secure, standardized, and auditable way.
• Give teams the freedom to release software quickly, while following established
and automated processes and maintaining control.
• Reduce release risk by providing full visibility into each release step,
and by proactively issuing analytics-based alerts when problems are imminent.
• Automatically log every activity and make all data available in user-friendly
reports for auditing.


Savory Security at Scale with XebiaLabs

Tightening application security and ensuring constant compliance with IT governance requirements can go
hand-in-hand with increasing the speed of your releases. The XebiaLabs DevOps Platform gives teams a
controlled way to use the tools they prefer in the ways they want to use them. With XebiaLabs, you can take
advantage of the following capabilities to make security and compliance steps an immutable, trackable part of
the software delivery process:

Release Orchestration that bakes security into the process. XebiaLabs lets you automate, orchestrate, and
visualize your release pipelines at enterprise scale. Define and run delivery pipelines for high security and full
compliance scenarios, with built-in security checks and automatic audit logging. Create a standardized process
that includes security steps that can’t be skipped. Reduce release risk by providing full visibility into each release
step, and by proactively issuing analytics-based alerts when problems are imminent.

Deployment Automation that promotes consistency. XebiaLabs standardizes complex deployments to any
target environment—from cloud and containers to middleware and mainframes. Its agentless architecture and
declarative, model-based approach speed up deployment time while greatly reducing errors and failed deployments.
Enable self-service deployments for development teams while maintaining governance and control over the
release and deployment process. Enforce repeatable processes that ensure teams follow the right steps and
only use secure, approved libraries and components.

DevOps Intelligence that helps you identify trends and take action to improve. XebiaLabs analyzes your software
delivery pipelines and highlights trends and anomalies, so you can address problems before they become failures.
Spot potential security issues early in the process and stop them before they make it to Production. Predict security
risks and make data-driven decisions about process improvements that will have the greatest impact.

Software chain of custody and push-button release audit report that cover your end-to-end DevOps toolchain.
XebiaLabs’ unique Software Chain of Custody reporting delivers crucial evidence about everything that happens
in your software delivery pipeline, proving what happened, when it happened, where it happened, and who made
it happen. With XebiaLabs, you can push a button and get a full release audit report in spreadsheet format,
on demand. Without this information, it’s impossible to fully meet compliance and security requirements as
you develop and deliver software at scale.


You don’t have to be a master baker to know that making the perfect loaf requires
proper preparation. If you’re tacking on compliance and security procedures at the end of
the software delivery process, you’re at risk of delivering applications that are half baked.

Take a Moment to Digest

Building and delivering enterprise applications calls for a variety of tools. With different teams
and roles using these tools and making decisions on the fate of each release, effectively tracking
and reporting can be rough. With so many crucial stakeholders in a release process, you need a
way to give them instant access to actionable data, visualized in the context of each release.

By establishing an immutable chain of custody for all releases, fully integrating automated
testing into DevOps pipelines, leveraging real security and compliance data, and then
visualizing that data so you can spot problems before Production, organizations can rest
assured that they’ve effectively mitigated risk and satisfied audit requirements.

And XebiaLabs is here to help. Try the XebiaLabs DevOps Platform today and see for
yourself how to reap the benefits of left-shifting security and compliance in your software
development processes.

About XebiaLabs
XebiaLabs offers the industry’s only enterprise-scale Continuous Delivery and DevOps software platform, providing companies
with the orchestration, automation, and reporting they need to deliver software faster and with less risk. Global market leaders
rely on XebiaLabs to meet the increasing demand for accelerated and more reliable software releases.

The XebiaLabs DevOps Platform for Continuous Delivery at Enterprise Scale

• Release Orchestration: Orchestrate, automate, and get visibility into release pipelines
• Deployment Automation: Automate and standardize complex application deployments
• DevOps Intelligence: Get unprecedented insight and decision support for your software delivery process

For more information and a free trial, please visit www.xebialabs.com.

© XebiaLabs. All rights reserved. xebialabs.com
