Content focused on generating, collecting, and retaining auditable evidence from CI/CD pipelines and security controls.
Third-Party ICT Risk Controls for Regulated CI/CD Pipelines Why this checklist exists In regulated environments, suppliers are not “external.” They are part of your delivery system. When third-party services support your SDLC (Git hosting, CI/CD SaaS, artifact registries, cloud runtime, security scanners), auditors expect you to demonstrate: This checklist is designed to be used by … Read more
Static Application Security Testing (SAST) is often presented as a core DevSecOps control. However, there is a significant gap between how security teams believe auditors assess SAST and how auditors actually do it. In regulated environments, auditors do not evaluate SAST tools as security products. They evaluate them as operational controls within the software delivery … Read more
SAST Tool Selection — Enterprise Audit Table Scope: Evaluation of a Static Application Security Testing (SAST) tool for enterprise and regulated CI/CD environments. # Control Area Audit Question Yes No 1 Governance Does the tool support policy-based enforcement (block / warn / report-only)? ☐ ☐ 2 Governance Can policies be defined per application, team, or … Read more
