CHAPTER 6

DevSecOps Governance

INTRODUCTION

Governance seeks to ensure that an organization complies with the policies designed to protect it. Governance, risk, and compliance (GRC) is a rapidly growing area of concern for many companies because compliance standards keep shifting. Traditional methods of governance and compliance have been highly manual, relying on controls listed in spreadsheets and on evidence produced and delivered by hand. DevSecOps brings a new approach to governance, risk, and compliance that spares engineers much of that manual effort while improving compliance through automation.

Governance does not, in and of itself, bring value to customers. However, governance does ensure that companies comply with regulations and policies that are designed to limit systemic risk. This compliance, in turn, provides validation to customers that those risk mitigation activities have been adhered to and, in doing so, builds trust with customers and other regulating bodies. It is certainly possible, especially for smaller companies, to be secure without governance. However, as companies grow and become more complex, this governance helps ensure that companies are behaving in a way that mitigates known risks.

DevSecOps brings an automated approach to compliance through compliance as code and governance automation, which can be immensely powerful for companies. Compliance as code is a methodology for automating compliance tasks by describing them in a programmatic ...
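To make the idea concrete, the following is an added example (not code from The DevSecOps Playbook or its authors) of compliance as code in Python. Each control is written as an executable check rather than as a spreadsheet row, all controls run against a snapshot of a system's settings, and the result is a machine-readable evidence record tied to a hash of the exact configuration that was evaluated. The control IDs, the configuration shape, and the sample system are constructed for illustration and do not come from any real framework.

```python
"""Compliance as code, illustrated: controls written as executable checks
that run against a system's configuration and emit machine-readable evidence.

Added example; not code from The DevSecOps Playbook. Control IDs, the
configuration shape and the sample data are all constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

# A snapshot of the settings an organization wants to govern. In practice this
# would be gathered from the cloud provider, IaC state or a CMDB; here it is a
# constructed sample chosen so that some controls fail.
SAMPLE_SYSTEM = {
    "name": "payments-api",
    "tls_min_version": "1.1",
    "mfa_required": True,
    "password_min_length": 10,
    "log_retention_days": 400,
    "storage_buckets": [
        {"name": "payments-logs", "public": False},
        {"name": "payments-static", "public": True},
    ],
}


@dataclass
class Finding:
    control_id: str
    description: str
    passed: bool
    detail: str


# Each control is a plain function: (config) -> (passed, detail).
# Putting the check in version-controlled code is the core of compliance as
# code: the check is the documentation of the control, and it can run on every
# change instead of once a year.
def tls_min_version(cfg):
    version = tuple(int(p) for p in cfg["tls_min_version"].split("."))
    return version >= (1, 2), f"tls_min_version={cfg['tls_min_version']}"


def mfa_required(cfg):
    return bool(cfg["mfa_required"]), f"mfa_required={cfg['mfa_required']}"


def password_length(cfg):
    n = cfg["password_min_length"]
    return n >= 12, f"password_min_length={n}"


def log_retention(cfg):
    d = cfg["log_retention_days"]
    return d >= 365, f"log_retention_days={d}"


def no_public_buckets(cfg):
    public = [b["name"] for b in cfg["storage_buckets"] if b["public"]]
    return not public, f"public buckets: {public or 'none'}"


# Constructed control catalogue; the IDs are illustrative, not from any
# real compliance framework.
CONTROLS: Dict[str, tuple] = {
    "CTL-01": ("Transport encryption uses TLS 1.2 or newer", tls_min_version),
    "CTL-02": ("Multi-factor authentication is enforced", mfa_required),
    "CTL-03": ("Passwords are at least 12 characters", password_length),
    "CTL-04": ("Audit logs are retained for at least one year", log_retention),
    "CTL-05": ("No storage bucket is publicly readable", no_public_buckets),
}


def evaluate(cfg) -> List[Finding]:
    """Run every control against cfg and return one Finding per control."""
    findings = []
    for cid, (desc, check) in CONTROLS.items():
        passed, detail = check(cfg)
        findings.append(Finding(cid, desc, passed, detail))
    return findings


def evidence_record(cfg, findings: List[Finding]) -> dict:
    """Build the evidence an auditor would receive: the findings plus a hash
    of the exact configuration they were derived from, so the evidence can be
    tied back to one specific system state rather than to a screenshot."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode()
    return {
        "system": cfg["name"],
        "config_sha256": hashlib.sha256(canonical).hexdigest(),
        "findings": [asdict(f) for f in findings],
        "compliant": all(f.passed for f in findings),
    }


def failing_controls(findings: List[Finding]) -> List[str]:
    """IDs of the controls that did not pass, in catalogue order."""
    return [f.control_id for f in findings if not f.passed]


if __name__ == "__main__":
    results = evaluate(SAMPLE_SYSTEM)
    print(json.dumps(evidence_record(SAMPLE_SYSTEM, results), indent=2))
```

Run against the constructed sample, CTL-01, CTL-03 and CTL-05 fail and the record is marked non-compliant; the same script run in a pipeline on every configuration change would produce the evidence continuously instead of on demand. The configuration hash in the record is what lets an auditor confirm that the findings describe the state they are looking at.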
