Standard: Security checks (e.g., SAST, dependency scanning) are automated in CI/CD

Purpose and Strategic Importance

This standard ensures that critical security checks — such as Static Application Security Testing (SAST) and dependency vulnerability scanning — are fully automated within CI/CD pipelines. Integrating security early and consistently reduces risk, enables faster feedback, and protects systems from known vulnerabilities without slowing delivery.

Aligned to our "Secure by Design" and "Automate Everything Possible" policies, this standard enables proactive risk management and fosters a culture of secure software development. Without it, vulnerabilities are often detected too late, increasing the cost of remediation and exposing the organisation to greater security risks.

Strategic Impact

  • Earlier detection of security issues
  • Reduced risk of breaches and reputational damage
  • Faster remediation cycles and safer code releases
  • Compliance with security regulations and policies

Risks of Not Having This Standard

  • Vulnerabilities reaching production environments undetected
  • Increased cost and delay due to late-stage fixes
  • Lower stakeholder and user trust in the product
  • Increased exposure to compliance violations and security incidents

CMMI Maturity Model

Level 1 – Initial

  • People & Culture: Security is considered a late-stage or manual task. Awareness of secure coding practices is low.
  • Process & Governance: No consistent or automated security checks during build or release.
  • Technology & Tools: Manual scanning tools are used sporadically after development.
  • Measurement & Metrics: No tracking of security defects until production incidents occur.

Level 2 – Managed

  • People & Culture: Teams acknowledge the need for earlier security checks. Some manual use of security scanners by developers.
  • Process & Governance: Ad-hoc SAST or dependency scans are run for critical releases.
  • Technology & Tools: Basic integration of scanning tools exists but is not enforced.
  • Measurement & Metrics: Number of known vulnerabilities at release is tracked manually.

Level 3 – Defined

  • People & Culture: Security is a shared responsibility within delivery teams. Secure coding training is provided.
  • Process & Governance: Security checks are mandatory CI gates. Policies define minimum security thresholds.
  • Technology & Tools: Pipelines include automated SAST and dependency scanning. Critical findings block progression.
  • Measurement & Metrics: Pre-production vulnerabilities are measured and reported.
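The Level 3 behaviour above (mandatory CI gates, policy-defined severity thresholds, critical findings blocking progression) and the Level 4 exception governance can be made concrete as a small gate step that runs after the scanners. The script below is an added example, not tooling from this standard or any named product: it reads SAST output in the SARIF shape (the `runs[].results[]` layout with `ruleId`, `level` and `locations`), a dependency-scan report in a constructed JSON shape that stands in for whatever the chosen scanner emits, and a list of approved, time-limited exceptions. The thresholds in `DEFAULT_POLICY`, the sample reports, the `VULN-000x` identifiers and the exception entries are all constructed for illustration.

```python
"""Security quality gate for a CI/CD pipeline (added example, not the standard's own tooling).

Normalises SAST findings (SARIF-shaped) and dependency-scan findings (constructed shape)
onto one severity scale, applies approved time-limited exceptions, and fails the gate
when any severity exceeds the policy threshold. Exit status 1 fails the pipeline stage.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Maximum unwaived findings allowed per severity; None means no limit.
# Hypothetical numbers: a real policy comes from the organisation's security standard.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": None}

# SARIF result 'level' values mapped onto the policy's severity scale.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "dependency"
    rule_id: str   # SAST rule id or vulnerability id
    severity: str  # critical | high | medium | low
    location: str  # file:line for SAST, package@version for dependencies


def load_sast_findings(sarif: dict) -> list:
    """Flatten SARIF results into Findings; unknown levels are treated as 'high' rather than ignored."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            location = "unknown"
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "unknown")
                line = phys.get("region", {}).get("startLine")
                location = f"{uri}:{line}" if line is not None else uri
                break  # first location is enough to identify the finding
            severity = SARIF_LEVEL_TO_SEVERITY.get(result.get("level", "error"), "high")
            findings.append(Finding("sast", result.get("ruleId", "unknown-rule"), severity, location))
    return findings


def load_dependency_findings(report: dict) -> list:
    """Normalise a dependency-scan report (constructed shape, not a specific tool's output)."""
    return [
        Finding("dependency", v["id"], v["severity"].lower(), f"{v['package']}@{v['version']}")
        for v in report.get("vulnerabilities", [])
    ]


def is_waived(finding: Finding, exceptions, today: date) -> bool:
    """An exception suppresses a finding only if it names that exact finding and has not expired."""
    key = (finding.source, finding.rule_id, finding.location)
    for ex in exceptions:
        if (ex["source"], ex["rule_id"], ex["location"]) == key and date.fromisoformat(ex["expires"]) >= today:
            return True
    return False


def evaluate_gate(findings, policy=DEFAULT_POLICY, exceptions=(), today=None) -> dict:
    """Count unwaived findings per severity and compare each count against the policy."""
    today = today or date.today()
    counts = {sev: 0 for sev in policy}
    waived, blocking = [], []
    for f in findings:
        if is_waived(f, exceptions, today):
            waived.append(f)
            continue
        counts[f.severity] = counts.get(f.severity, 0) + 1
    for sev, limit in policy.items():
        if limit is not None and counts.get(sev, 0) > limit:
            blocking.append(f"{sev}: {counts[sev]} found, at most {limit} allowed")
    return {"passed": not blocking, "counts": counts, "blocking": blocking, "waived": waived}


# Constructed sample scanner output, standing in for real reports written by a pipeline run.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
        {"ruleId": "sql-injection", "level": "error",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "debug-enabled", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                             "region": {"startLine": 7}}}]},
    ]}],
}
SAMPLE_DEPENDENCY_REPORT = {"vulnerabilities": [
    {"id": "VULN-0001", "package": "example-http", "version": "1.2.0", "severity": "CRITICAL", "fixedIn": "1.2.1"},
    {"id": "VULN-0002", "package": "example-yaml", "version": "3.0.0", "severity": "LOW", "fixedIn": "3.0.2"},
]}
# Constructed, approved exception for one SAST finding; the expiry date forces periodic re-review.
SAMPLE_EXCEPTIONS = [
    {"source": "sast", "rule_id": "sql-injection", "location": "app/db.py:42",
     "reason": "query is parameterised upstream; confirmed false positive", "expires": "2099-01-01"},
]


def run_gate(sarif=SAMPLE_SARIF, dep_report=SAMPLE_DEPENDENCY_REPORT, exceptions=SAMPLE_EXCEPTIONS,
             policy=DEFAULT_POLICY, today=date(2025, 1, 1)):
    """Run the whole gate; 'today' is fixed so the sample evaluates the same way every run."""
    findings = load_sast_findings(sarif) + load_dependency_findings(dep_report)
    return evaluate_gate(findings, policy, exceptions, today)


if __name__ == "__main__":
    result = run_gate()
    print(json.dumps({k: v for k, v in result.items() if k != "waived"}, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

With the sample data the gate fails: the critical dependency finding exceeds the threshold of zero, while the SAST finding covered by the unexpired exception is counted as waived. Flip the exception's `expires` to a past date and the SAST finding is counted again, which is the point of expiring exceptions rather than permanent allowlists. In a pipeline, `run_gate` would read the scanner output files written by the preceding stage instead of the embedded samples.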

Level 4 – Quantitatively Managed

  • People & Culture: Teams monitor security metrics to drive improvements. Security retrospectives are conducted.
  • Process & Governance: Policies are refined based on scan data and risk levels.
  • Technology & Tools: Automated remediation suggestions and exception governance are in place.
  • Measurement & Metrics: MTTR for vulnerabilities is tracked and improved over time.

Level 5 – Optimising

  • People & Culture: Teams innovate security feedback loops (e.g., chaos engineering).
  • Process & Governance: Proactive security posture management is standard.
  • Technology & Tools: Predictive tools flag vulnerabilities early. Continuous scanning across the SDLC.
  • Measurement & Metrics: Critical vulnerabilities reaching production are near zero. Emerging risks are identified early.

Key Measures

  • % of CI/CD pipelines with automated security scanning integrated
  • Number of critical vulnerabilities detected pre-production
  • Mean Time to Remediate (MTTR) vulnerabilities
  • % of deployments blocked by security quality gates
  • Compliance rate against secure coding and vulnerability policies

Associated Policies

  • Secure by Design
