Pervasive Security

Reliability, Observability & Security
DIRECT DRIVER

Pervasive security means security is embedded throughout the entire system lifecycle, architecture, and organisational culture rather than treated as a separate function or final checkpoint. Modern digital systems operate in hostile environments where threats evolve continuously, making perimeter-only or reactive approaches insufficient.

When security is integrated into design, development, deployment, and operations, risks are reduced early, compliance is easier to maintain, and resilience improves. Mature organisations move from sporadic controls toward systematic protection of data, systems, and users. At the highest level, security becomes a shared responsibility supported by automation, awareness, and adaptive defence mechanisms, enabling innovation without exposing the organisation to unacceptable risk.

Reactive and Fragmented Security
(Protection applied after problems emerge)

Security measures are minimal or applied inconsistently, often in response to incidents or compliance pressures.

  • Security addressed late in projects
  • Basic controls such as passwords or firewalls
  • Limited awareness of vulnerabilities
  • Manual remediation after issues discovered
  • Responsibility unclear or centralised in a small team
  • Inconsistent practices across systems

  • Elevated risk of breaches or data loss
  • Regulatory and reputational exposure
  • Slow response to emerging threats
  • Increased cost of remediation

Defined Security Controls
(Policies exist, enforcement uneven)

Standard security requirements are established, but implementation varies and integration into workflows is limited.

  • Security policies documented
  • Periodic assessments or audits
  • Baseline controls applied to systems
  • Training provided inconsistently
  • Remediation efforts manual
  • Security reviews performed at key milestones

  • Reduced but persistent risk exposure
  • Compliance requirements more likely met
  • Limited agility due to review bottlenecks
  • Inconsistent security posture

Security Embedded in Development and Operations
(Shift-left security practices)

Security considerations are integrated into design, development, and operational activities, reducing late-stage issues.

  • Threat modelling during design
  • Security testing integrated into development workflows
  • Secure coding practices adopted
  • Vulnerability management processes in place
  • Collaboration between security and delivery teams
  • Awareness of security responsibilities across roles

  • Stronger protection of systems and data
  • Reduced cost of addressing vulnerabilities
  • Improved compliance posture
  • Requires ongoing education and discipline

Automated and Continuous Security Assurance
(Protection maintained at scale)

Security controls are enforced through automation, monitoring, and continuous validation across environments.

  • Automated scanning and testing integrated into pipelines
  • Continuous monitoring for threats and anomalies
  • Rapid patching and mitigation processes
  • Identity and access controls centrally managed
  • Evidence available for compliance
  • Minimal manual intervention required

  • Strong defence against evolving threats
  • Reduced operational disruption from security incidents
  • Efficient compliance management
  • Increased complexity of tooling

Adaptive Security Ecosystem
(Security as an enabling capability)

Security dynamically evolves to address emerging threats while supporting innovation and operational agility.

  • Real-time threat intelligence integration
  • Automated response to suspicious activity
  • Security integrated across all layers of the system
  • Strong culture of shared responsibility
  • Continuous improvement based on lessons learned
  • Minimal friction for secure delivery

  • Durable protection of critical assets
  • Ability to innovate safely at scale
  • Reduced reputational and regulatory risk
  • Competitive advantage through trust

Embed security practices throughout the software lifecycle to protect systems and data.