Application Security: Embedding Security Controls in a DevOps Pipeline

Application Security Working Group White Paper: Embedding Security Controls in a DevOps Pipeline

Organizations today need to identify and adopt different Software Development Lifecycle (SDLC) strategies to be more agile and efficient. DevOps as a strategy has enabled organizations to reduce the amount of time it takes to create software. As risks in the runtime environment and the components used to build software become clear, it is important to determine at which stage in the DevOps process to incorporate security measures.

In the White Paper “Embedding Security Controls in a DevOps Pipeline”, the ND-ISAC Application Security Working Group presents unique strategies on how to incorporate security controls in DevOps pipelines for these emerging technologies:

  • Containers
  • Cloud
  • Infrastructure as Code

The paper introduces the importance of leveraging emerging technologies and combining them with automation in a DevOps pipeline to proactively detect risk. The white paper covers the implementation of automation to:

  • Detect risk in Infrastructure as Code (IaC), containers (host OS, images, registry, and runtime), and cloud security misconfigurations
  • Apply a risk gate approach in a DevOps pipeline
  • Address considerations for feedback loop integration
  • Embed threat modeling in DevOps

The audience of this white paper includes security engineers, software engineers, cloud architects, and product managers responsible for securing software used by end users.

Download the White Paper: https://ndisac.org/wp-content/uploads/2025/07/ND-ISAC-Embed-Security-Controls-in-a-DevOps-pipeline-Final.pdf

For more information, to collaborate on future releases, or if you are interested in becoming a member of ND-ISAC, contact: info@ndisac.org