Keep CALMS with Intelligent Orchestration and Code Dx
As a trusted adviser to my clients, I use my unparalleled experience with a broad range of security tools to help them build and mature security programs. I work tirelessly to help them break down silos, facilitate collaborative change, create a culture of lean learning, and ensure continuous feedback and sharing, so they can build intelligent and risk-based pipelines.
Damon Edwards first coined the acronym CAMS, which stands for culture, automation, measurement, and sharing. CALMS, coined by Jez Humble, coauthor of “The DevOps Handbook,” stands for culture, automation, lean, measurement, and sharing.
In the table below, what both these acronyms signify is that DevSecOps is a culture of continuous collaboration, continuous feedback, automation, lean/learning, measurement, and sharing.
CALMS methodology | Theme | How Intelligent Orchestration and Code Dx can help

Collaboration and sharing | Facilitating collaborative change and sharing
- Intelligent Orchestration enables collaboration by providing information and feedback to the organization. Collaboration enables all groups within an organization to move toward a proactive rather than reactive engagement.
- Intelligent Orchestration and Code Dx provide developers with the information they need to fix identified issues and merge the fixed code into the main branch.
- Security or quality gates based on configurable failure criteria can be easily implemented using Intelligent Orchestration and Code Dx. Both can push identified critical issues automatically to issue-tracking systems like Jira, providing development teams with continuous feedback and visibility into findings.

Automation | Accelerating development velocity with improved automation
- Intelligent Orchestration's automation enables teams to build DevSecOps pipelines that are intelligent and risk-based. This supports security activities by matching the DevOps team's velocity. It also enables governance, compliance, and assurance to support organizations as they scale their security testing activities.
- Intelligent Orchestration saves time by running only the right tools at the right time—or not at all.
- Security teams can configure governance and compliance requirements as code with Intelligent Orchestration. These policies determine the depth and breadth of security activities, define development workflows, and set scan compliance requirements that can be configured and automated for everyone in the organization.

Lean and learning | Building a culture of lean learning
- Intelligent Orchestration and Code Dx integrate security into the DevOps processes so that developers receive feedback only when security issues are identified.
- Organizations can configure postscan feedback so that designated development, security, and DevOps leads are immediately notified of paused or failed builds, or critical security vulnerabilities or failures, so they can be remediated rapidly.

Measurement | Measuring success
- Data gathered by Code Dx on the type and frequency of security vulnerabilities found in individual developers' code can be leveraged for focused feedback and training. This data helps prioritize the most critical vulnerabilities for remediation to properly allocate resources.
- Code Dx provides a centralized place to manage the results from AppSec tools across multiple projects and departments.
- Metrics dashboards provided by Code Dx show how vulnerability management and AppSec are performing over time in an organization.
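To make the "governance as code" and "security gate" ideas in the Automation, Collaboration, and Lean rows concrete, here is an added Python example. It is not Intelligent Orchestration's or Code Dx's own code or policy format (the article shows neither); the policy schema, function names, severity levels, and the sample change and findings are all constructed for illustration. A policy document decides which scans a change triggers (the right tools at the right time, or not at all), a gate applies configurable failure criteria, critical and high findings become issue-tracker payloads, and designated leads are notified only when the gate fails.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed policy document, the kind of thing a security team might keep
# in the repository as "governance as code". The schema is invented here.
POLICY = {
    # Which scans a change triggers, keyed by glob patterns over changed paths.
    # fnmatch's "*" also matches "/", so "src/*.py" covers nested files.
    "scan_triggers": {
        "sast": ["src/*.py", "src/*.java"],
        "sca": ["requirements*.txt", "pom.xml", "package.json"],
        "secrets": ["*"],          # cheap enough to run on every change
        "dast": ["src/web/*"],     # only when the web layer changed
    },
    # Configurable failure criteria for the security gate.
    "failure_criteria": {"max_critical": 0, "max_high": 3},
    # Severities that are pushed to the issue tracker automatically.
    "ticket_severities": ["critical", "high"],
    # Who is notified when the gate fails (hypothetical role names).
    "notify_on_failure": ["security-lead", "dev-lead", "devops-lead"],
}


@dataclass(frozen=True)
class Finding:
    tool: str
    severity: str  # "critical" | "high" | "medium" | "low"
    rule: str
    location: str


def select_scans(changed_files, policy=POLICY):
    """Pick only the scans the policy requires for this change (risk-based)."""
    selected = set()
    for scan, patterns in policy["scan_triggers"].items():
        if any(fnmatch(path, pat) for path in changed_files for pat in patterns):
            selected.add(scan)
    return sorted(selected)


def evaluate_gate(findings, policy=POLICY):
    """Apply the failure criteria; return pass/fail, the reasons, and counts."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    limits = policy["failure_criteria"]
    reasons = []
    if counts["critical"] > limits["max_critical"]:
        reasons.append(f"{counts['critical']} critical > allowed {limits['max_critical']}")
    if counts["high"] > limits["max_high"]:
        reasons.append(f"{counts['high']} high > allowed {limits['max_high']}")
    return {"passed": not reasons, "reasons": reasons, "counts": counts}


def tickets_for(findings, policy=POLICY):
    """Build issue-tracker payloads for findings at or above the ticketing threshold."""
    wanted = set(policy["ticket_severities"])
    return [
        {"summary": f"[{f.severity.upper()}] {f.rule} in {f.location}", "source": f.tool}
        for f in findings
        if f.severity in wanted
    ]


def run_pipeline(changed_files, findings, policy=POLICY):
    """One orchestration step: choose scans, gate on results, ticket, notify."""
    gate = evaluate_gate(findings, policy)
    return {
        "scans": select_scans(changed_files, policy),
        "gate": gate,
        "tickets": tickets_for(findings, policy),
        "notify": policy["notify_on_failure"] if not gate["passed"] else [],
    }


# Constructed sample change and scanner output (not real findings).
SAMPLE_CHANGE = ["src/web/login.py", "requirements.txt", "README.md"]
SAMPLE_FINDINGS = [
    Finding("sast", "critical", "sql-injection", "src/web/login.py:42"),
    Finding("sca", "high", "vulnerable-dependency", "requirements.txt"),
    Finding("sast", "low", "unused-import", "src/web/login.py:3"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(SAMPLE_CHANGE, SAMPLE_FINDINGS), indent=2))
```

The design point is that the policy, not the pipeline script, decides depth and breadth: a documentation-only change triggers just the secret scan, a web change adds SAST and DAST, and the same failure criteria apply to every team because they live in one place. Lowering `max_high` or adding a pattern is a policy edit reviewed like any other code change.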
Read the full article to learn more about Intelligent Orchestration and Code Dx.