Purpose. This standard provides direction for addressing cybersecurity requirements as part
of agile software development projects that employ continuous integration and continuous
delivery (CI/CD) processes.
Scope. This standard applies to all VSP CI/CD software development projects. It does not apply
to software development projects that follow waterfall, spiral, extreme programming or other
software development methodologies. It applies to all VSP employees and the contingent
workforce.
STANDARD
1.0 Standard.
This standard uses the DevSecOps lifecycle shown in Figure 1. It recognizes that the success of
a DevSecOps project depends on the extent to which security can be automated and
integrated into the CI/CD pipeline to remove roadblocks and enable the timely movement of
artifacts between lifecycle phases and support secure delivery to our customers.
This standard defines the requirements for the training, tooling, and automation support
needed by DevSecOps teams to act in a trusted, autonomous and secure manner.
Figure 1. DevSecOps Lifecycle. (Figure not reproduced; only a fragment of its text survives: "... of security automation solutions for reuse by development teams.")
GLOSSARY
Term | Definition
Static Application Security Testing (SAST) | A type of security testing that involves the review of code separate from its execution.
System Owner | The person responsible for the development and operation of a system.
Threat | Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
Threat Modeling | The process of identifying and prioritizing threats with respect to a specific context or application.
Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability Scan | The automated checking of an information asset for security vulnerabilities.
Web Application Firewall (WAF) | An application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.
RESPONSIBILITIES
2.0 Responsibilities. The following roles and responsibilities apply to this standard.
Roles | Responsibilities
OIS | Provide DevSecOps teams with the training, tools, and automation support needed to ensure their success.
DevSecOps Team Members | Learn to integrate security tools and best practices into their development and operations processes.
Security Champions | Take and pass OIS DevSecOps security training. Evangelize security for their team.
Violations of this standard may result in verbal counseling, written warning, suspension, and termination in accordance with VSP's HR Progressive Discipline policy. Outside personnel who fail to comply with this standard or its requirements are subject to immediate termination of their engagement, contract, proposal, or other agreement.
Non-compliance with this standard for any reason may increase the company's information risk exposure. To understand the information risk and its impacts, the appropriate lines of business personnel are required to request a formal Risk Assessment.
RELATED DOCUMENTS
DOCUMENT CONTROL
Control Information
Approval | Roin Z. Nance, Vice President & Chief Information Security Officer, VSP Global
Change Control