This blog series consists of a detailed set of cloud security requirements that any organization wanting to adopt cloud services securely can use. The requirements below are cloud-agnostic and apply to any public cloud, and to private clouds as well.
Each sub-domain and requirement description is mapped to ISO 27002:2013 controls. Taken together, the series covers the cloud security controls stated in the NIST SP 800-53 series.
Domain: DevSecOps and CI/CD
| Sub-Domain | Req. Name | Req. Description |
|---|---|---|
| Governance | Application Risk Categorization | All applications shall be categorized by risk. Risk may be classified as internal, external, or strategic (for example, an application that relies on weak cryptographic standards could be compromised in production, so it would be marked high risk). |
| Construction | Third-Party Components | Any third-party components used at any stage of the software development cycle shall be documented. |
| Verification | Automated Code Analysis Tools (Security) | Automated code analysis tools with components that specifically check for security issues shall be used. |
| Verification | Penetration Testing | Penetration tests shall be performed prior to release to production. |
| Deployment | Third-Party Components Security Updates | The websites of third-party software component vendors shall be reviewed regularly for security-related updates. |
| Deployment | Patch Management Process | A single process for applying upgrades and patches to applications shall be used. |
| Deployment | Operational Environment Automation | Software engineering shall use automated tools to evaluate the health of the operational environment and of each application. |
| Deployment | Security Alerts and Errors | Security-related alerts and error conditions shall be monitored for all released applications. |
| Deployment | Change Management Process | A common change management process shall be used, and all software engineers shall be trained on it. |
| Deployment | Secure Code Signing | All released code shall be securely signed using a single, consistent process. |
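The Secure Code Signing requirement is the one row in the table that maps directly onto a mechanical check: a deployment gate that refuses any artifact whose detached signature does not verify against the trusted release key. The following is an added example written for this post, not code from the original series or from any particular vendor tool. It uses Ed25519 from the Go standard library; the signing key is generated in-process only so the example runs offline (in a real pipeline the private key stays in a KMS or HSM and only the public key is distributed to deployers), and the artifact bytes are a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an artifact fails the signing gate.
var ErrBadSignature = errors.New("artifact signature invalid: refusing to deploy")

// GenerateSigningKey creates a release signing key pair. Assumption for this
// example: the key is made in-process. In practice the private half lives in a
// KMS/HSM and only the public key is shipped to the deployment step.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ArtifactDigest returns the SHA-256 of the artifact. Signing the digest binds
// the signature to the exact bytes that were built and keeps the signed message
// a fixed size regardless of artifact size.
func ArtifactDigest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignArtifact produces a detached Ed25519 signature over the artifact digest.
// This is the build-side half of the "single, consistent process".
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, ArtifactDigest(artifact))
}

// VerifyArtifact is the deployment gate. It recomputes the digest from the
// bytes that are actually about to be deployed and checks the detached
// signature against the trusted public key, so any change to the artifact
// after signing, or a signature from an untrusted key, is rejected.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, ArtifactDigest(artifact), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}

	// Constructed sample standing in for a built release bundle.
	artifact := []byte("app-1.4.2.tar.gz contents (constructed sample)")
	sig := SignArtifact(priv, artifact)
	fmt.Println("untampered:", VerifyArtifact(pub, artifact, sig))

	// Flip one bit, as an attacker swapping the bundle between build and deploy would.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered:  ", VerifyArtifact(pub, tampered, sig))

	// A signature from an unrelated key (e.g. a rogue builder) is also rejected.
	_, otherPriv, _ := GenerateSigningKey()
	fmt.Println("wrong key: ", VerifyArtifact(pub, artifact, SignArtifact(otherPriv, artifact)))
}
```

The gate verifies the bytes it is handed, not a digest recorded elsewhere, so a manifest that lists the right hash next to a substituted file still fails. Key rotation and revocation are outside this snippet; those belong with the patch and change management rows above, and a real pipeline would also pin the trusted public key in the deployer rather than fetch it alongside the artifact.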
Are you ready to audit and secure your cloud environment? Contact our security specialists today!