Deloitte’s Secure by Design (SbD) Approach – Enhanced with Wiz

How Deloitte and Wiz Enable End-to-End Security Without Slowing Down Development

In today's rapidly evolving business landscape, organizations are under immense pressure to swiftly develop and deploy applications to meet market demands and customer expectations. This accelerated pace of development, while essential for staying competitive, introduces a multitude of challenges when it comes to applying security. These challenges can include inconsistent security controls, lack of visibility into security processes, absence of end-to-end governance, and the perception of security as a blocker rather than an enabler.

Deloitte’s SbD

Deloitte's SbD helps organizations centrally orchestrate security activities and checkpoints throughout the software development lifecycle (SDLC) in an integrated end-to-end solution. This includes:

  • A centralized workflow management system that automates security task management across teams, centralizing security and development tasks on a single platform.

  • A consolidated intake form helps identify project scope, inherent risk, relevant security domains and requirements. Information collected during intake is used to automate requirement assignments based on a rationalized controls framework or Common Controls Framework (CCF).

  • Risk-prioritized security tasks are automatically created, assigned and centrally managed across security domains, establishing a central platform where multiple teams can track the completion of security activities, store design documentation, and view the status of control implementation.

  • Based on the rationalized controls framework, centralized security assessments are used to gather information from the project team at various points in the design process. Assessments may be customized based on business requirements and include security architecture review, threat modeling, data security and privacy review, vulnerability testing, and vendor risk assessment.

  • SbD leverages policy-as-code to automate policy checks and compliance-as-code to enable automated governance and enforce organizational policies for alignment with regulatory and business requirements.

  • Integrated dashboards and reporting providing insights into control implementation status, security approvals, compliance progress, and overall security posture.

  • Production release approval is granted after review of the implemented security controls assigned to the project during intake, enhancing security, streamlining the release process, and providing consistent compliance with security standards.

The SbD orchestration workflow consists of five phases, namely Intake, Task Creation, Security Assessments, Security Validation, and Approval for Release.

SbD is an end-to-end, industry agnostic solution that enhances security posture, operational efficiency, and regulatory compliance by orchestrating tasks such as risk assessments and vulnerability testing, providing visibility, reporting, and early identification and mitigation of security issues.

SbD can help organizations:

  • Bring ubiquity and agility to the end-to-end development process.

  • Make security consumable to the business.

  • Enable centralized reporting to provide visibility into security metrics and risk posture.

  • Standardize security controls across the organization and automate the generation and confirmation of security requirements.

Deloitte SbD Powered by Wiz

The SbD workflow powered by Wiz represents a sophisticated approach to helping achieve end-to-end security throughout the SDLC, from the planning and ideation phase to the production state and beyond. This workflow is driven by an automated governance and accountability layer, enabling continuous compliance with security policies throughout the SDLC.

SbD workflow, powered by Wiz

By combining Deloitte's strategic security framework with Wiz's innovative technology, including Wiz Code, Wiz Cloud, Wiz Defend, Wiz Runtime Sensor, and reporting capabilities, organizations can make significant strides towards securing applications throughout the application lifecycle.

  • Wiz Code integrates security directly into the development process, enabling continuous scanning and vulnerability detection in code.

  • Wiz Cloud provides security posture management, continuously monitoring cloud environments for misconfigurations, attack paths, and compliance issues.

  • Wiz’s reporting capabilities complement other Wiz capabilities by offering detailed analytics and reporting features, which feed into the SbD platform to provide a unified view of security metrics and compliance status.

  • Wiz Defend enhances cloud threat detection and response capabilities, enabling real-time protection against emerging threats.

  • Wiz Runtime Sensor extends the threat detection and response capabilities to the workload by continuously monitoring workloads for suspicious activity and blocking potential threats in real time.

Together, Wiz and SbD offer an effective and integrated approach to security, helping maintain security and compliance for deployed assets thereby fortifying the overall security posture from development through deployment and beyond.

How Wiz augments the SbD security assurance workflow

Shift-left security and enhanced developer experience

Security assurance starts before hands-on development; by leveraging Wiz Code, security and development teams can shift left and implement secure practices from the onset of coding. Wiz Code can connect at the Integrated Development Environment (IDE) level to scan Infrastructure-as-Code (IaC) files, directories, and containers locally for sensitive data and vulnerabilities. Wiz Code can then protect the Continuous Integration / Continuous Deployment (CI/CD) pipeline from code commit onward, using a variety of Source Code Management (SCM) and Version Control System (VCS) connectors to identify risks in code repositories before the artifact is built, and it can scan during the actual deployment of an artifact for policy violations or misconfigurations within an environment.

Cloud configuration drift and threat monitoring

Once an asset is deployed to the cloud environment, Wiz Cloud can monitor the assets and configurations and assess them against external compliance frameworks. This means that an asset’s profile and bill of materials are documented, and drift against its baseline or against policy is monitored. If there is suspicious activity or a potential threat in your cloud, then Wiz Defend can swiftly detect, notify, and respond to threats so you can reduce blast radius and swiftly return to compliance.

By leveraging Wiz Code, Cloud, and Defend, assets and solutions can maintain their security posture from project through deployment across iterations, with security integrated throughout the lifecycle.

Unified solution for code to cloud coverage

Wiz complements Deloitte’s SbD by effectively integrating security from the very first lines of code to production deployment. Rather than layering multiple tools, Wiz plugs directly into developers’ IDEs to help identify vulnerabilities early, then transitions to continuous cloud monitoring and real-time threat detection. Its agentless deployment keeps overhead low and makes it easy to embed security into SbD’s governance workflows.

Risk prioritization & compliance monitoring

Wiz’s unified risk graph prioritizes issues based on criticality, which is in sync with SbD’s focus on data sensitivity and compliance. By mapping vulnerabilities to industry-leading frameworks such as the Center for Internet Security (CIS) benchmarks and the Payment Card Industry Data Security Standard (PCI-DSS), Wiz enables teams to understand their compliance status. Once assets go live, Wiz can check for drift, new threats, or configuration changes, triggering swift remediation within SbD’s automated processes. This code-to-cloud coverage and integrated approach to risk truly set Wiz apart.

Conclusion

In summary, Deloitte's SbD framework, powered by Wiz, offers an effective solution to address the evolving security challenges in today's fast-paced business environment. By integrating security early in the development lifecycle and leveraging Wiz's advanced capabilities, organizations can enable consistent security controls, enhanced visibility, and end-to-end governance. This collaboration can help organizations not only fortify their overall security posture but also address compliance with regulatory requirements, enabling them to innovate and deploy applications swiftly without compromising on security. Together, Deloitte and Wiz provide an effective, integrated approach to security that spans from design to code development to cloud deployment and monitoring, facilitating security, privacy and resilience throughout the application lifecycle.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

All product names mentioned in this document are the trademarks or registered trademarks of their respective owners and are mentioned for identification purposes only. Deloitte is not responsible for the functionality or technology related to the vendor or other systems or technologies as defined in this document.

Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
