How Deloitte and Wiz Enable End-to-End Security Without Slowing Down Development
# Best Practices: Securing the Software Development Lifecycle (SbD) through Orchestration
## Overview
These practices focus on integrating security centrally and continuously throughout the Software Development Lifecycle (SDLC) to overcome challenges associated with rapid application deployment, ensuring consistent security controls, end-to-end governance, and enhanced visibility from design through production.
## Key Recommendations
### Immediate Actions
1. **Establish Centralized Intake Mechanism:** Immediately implement a consolidated intake form for all new projects to capture project scope, inherent risk levels, and necessary security domains.
2. **Document the Controls Framework:** Begin formalizing or rationalizing an organizational Common Controls Framework (CCF) to serve as the baseline for automated requirement assignment.
3. **Map Initial Security Checkpoints:** Identify the mandatory security activities tied to the initial intake process (e.g., initial architecture review trigger).
### Short-term Improvements (1-3 months)
1. **Automate Task Creation and Assignment:** Configure the central workflow management system to automatically generate, assign, and track risk-prioritized security tasks based on the intake form data and the CCF.
2. **Implement Centralized Security Assessments:** Systematically start utilizing centralized security assessments (e.g., security architecture review, initial threat modeling) at defined points during the design process.
3. **Integrate Code Scanning Tools:** Deploy tools like Wiz Code to the CI/CD pipeline to begin continuous scanning and vulnerability detection directly within the development stream.
4. **Establish Governance via Policy-as-Code:** Begin the process of converting critical organizational policies into executable code (policy-as-code) for automated enforcement checks.
### Long-term Strategy (3+ months)
1. **Achieve Full Workflow Orchestration:** Fully implement the five phases of the SbD workflow (Intake, Task Creation, Security Assessments, Security Validation, and Approval for Release) across all application pipelines.
2. **Implement Continuous Compliance Monitoring:** Integrate cloud security posture management (Wiz Cloud) and runtime monitoring (Wiz Runtime Sensor) to continuously check for security drift post-deployment, feeding remediation triggers back into the centralized workflow.
3. **Standardize Reporting:** Configure integrated dashboards to provide unified, real-time visibility into control implementation status, security approvals, and overall organizational risk posture.
4. **Formalize Release Approval Gate:** Mandate that production release approval is strictly conditional upon the review and successful verification of all assigned security controls.
## Implementation Guidance
### For Small Organizations
- **Focus on Foundational Tooling:** Prioritize implementing one centralized platform for task management that forces security gates, even if automation is initially lightweight.
- **Risk-Based Triage:** Use the intake form primarily to categorize projects (low, medium, high risk) and apply a simplified, pre-defined set of mandatory security tasks based on that risk level.
- **Manual Validation:** Initially, rely on manual sign-offs documented within the central system for security validation, aiming to automate assignments first.
### For Medium Organizations
- **Formalize CCF Mapping:** Dedicate resources to fully map the existing security requirements to the rationalized CCF to maximize automated assignment accuracy.
- **Integrate Early Security Scanning:** Embed developer-facing security tools (like Wiz Code) into primary development branches to shift security left effectively and provide early feedback.
- **Targeted Automation:** Focus automation efforts on the most common, high-volume security tasks (e.g., standard vulnerability scan reviews).
### For Large Enterprises
- **End-to-End Orchestration Deployment:** Roll out the full five-phase orchestration workflow across multiple business units, ensuring integration across disparate DevOps and security tools.
- **Policy and Governance Enforcement:** Fully leverage policy-as-code and compliance-as-code to enforce organizational standards automatically across heterogeneous cloud environments.
- **Advanced Monitoring Integration:** Fully integrate CSPM (Wiz Cloud), threat detection (Wiz Defend), and runtime security monitoring to ensure ongoing, continuous compliance validation and feed drift detection back into the control loop.
## Configuration Examples
(The context primarily describes a management framework rather than specific technical configurations. The following reflects the integration points mentioned.)
**Workflow Orchestration Configuration:**
* **Intake Mapping:** Configure intake form fields (e.g., "Data Classification: PII/PCI") to trigger automated assignment rules in the Central Workflow System (e.g., IF Data Classification = PCI THEN Assign Task: PCI Compliance Review; Assign Task: External Penetration Test).
* **Policy Enforcement Integration:** Configure Policy-as-Code checks within the CI/CD pipeline to halt builds if a violation threshold is met, pushing a remediation ticket directly to the central management platform.
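As an added illustration of the two integration points above (the intake-to-task assignment rules and the policy-as-code build gate), here is example code written for this summary; it is not Deloitte's or Wiz's implementation, and the control IDs, task names and thresholds are constructed placeholders rather than a real CCF:

```python
from dataclasses import dataclass

# Hypothetical CCF excerpt (constructed): intake field -> answer -> (control id, task, priority; 1 = highest)
CCF_RULES = {
    "data_classification": {
        "PCI": [("CCF-PCI-01", "PCI Compliance Review", 1),
                ("CCF-PEN-02", "External Penetration Test", 1)],
        "PII": [("CCF-PRV-01", "Privacy Impact Assessment", 2)],
    },
    "internet_facing": {
        True: [("CCF-ARC-01", "Security Architecture Review", 1),
               ("CCF-THR-01", "Threat Model", 2)],
    },
}
BASELINE = [("CCF-SCA-01", "Dependency Vulnerability Scan", 3)]  # every project gets this
RISK_BUMP = {"high": -1, "medium": 0, "low": 1}  # inherent risk shifts priority


@dataclass(order=True)
class Task:
    priority: int
    control_id: str
    name: str


def assign_tasks(intake: dict) -> list:
    """Phase 2: turn intake answers into de-duplicated, risk-prioritized CCF tasks."""
    candidates = list(BASELINE)
    for field_name, answer in intake.items():
        candidates += CCF_RULES.get(field_name, {}).get(answer, [])
    bump = RISK_BUMP.get(intake.get("inherent_risk", "medium"), 0)
    tasks, seen = [], set()
    for cid, name, prio in candidates:
        if cid not in seen:  # the same control may be triggered by several answers
            seen.add(cid)
            tasks.append(Task(max(1, prio + bump), cid, name))
    return sorted(tasks)


def policy_gate(findings: list, thresholds: dict) -> dict:
    """Phase 4: policy-as-code check; block the build when a severity count exceeds its threshold."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    breached = {s: n for s, n in counts.items() if n > thresholds.get(s, float("inf"))}
    ticket = {"title": "Policy violation threshold exceeded", "details": breached} if breached else None
    return {"blocked": bool(breached), "breached": breached, "ticket": ticket}
```

The returned `ticket` dict is what the central workflow system would receive as the remediation item when the gate blocks a build.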
## Compliance Alignment
The structured approach aligns significantly with major industry frameworks by embedding governance and traceability:
* **NIST Cybersecurity Framework (CSF):** Addresses **Identify** (through risk assessment and intake), **Protect** (via standardized controls and policy enforcement), and **Detect/Respond** (through continuous monitoring integration).
* **ISO/IEC 27001:** Supports the requirement for documented processes (CCF) and evidence of control implementation and monitoring.
* **Center for Internet Security (CIS) Critical Security Controls:** By creating rationalized, standardized controls, this approach enables consistent application of best practices across the SDLC, aligning with specific control implementation criteria.
## Common Pitfalls to Avoid
* **Security as an Afterthought Gate:** Do not wait until deployment or testing to engage security; use the intake phase to "shift security left."
* **Inconsistent Control Application:** Avoid allowing ad-hoc security exceptions without documentation in the central platform, which negates end-to-end governance.
* **Ignoring Post-Deployment Drift:** Do not stop monitoring deployed assets for configuration changes or new vulnerabilities (drift) once the initial security approval has been granted.
* **Disjointed Systems:** Do not allow security task management, documentation storage, and compliance reporting to live in separate, unintegrated tools.
## Resources
* **Framework Reference:** Common Controls Framework (CCF) documentation (Organizational Standard).
* **SDLC Security Integration:** Secure SDLC guidance: `https://www.wiz.io/academy/secure-sdlc`
* **Automation Technology:** Policy-as-Code implementation documentation: `https://www.wiz.io/academy/policy-as-code`
* **Cloud Security Posture/Vulnerability Scanning:** Reference documentation for integrated tools like Wiz Code, Wiz Cloud, and Wiz Defend.