This document outlines a continuous security model that shifts security left by integrating it into the entire software development lifecycle from planning to deployment. It involves establishing security practices like training, threat modeling, static and dynamic testing, secrets management and monitoring across development, operations, and monitoring phases through automation and integration into existing DevOps processes. Centralized dashboards provide continuous feedback across teams.

1. Shift Left Security – Continuous Security
Plan Code Test Package
Release Deploy Monitor
Operate
Dev Ops
Continuous Integrated Security
Audit
Secure SDLC
Training
Static Code
Analysis
Vulnerability
Assessment
Dynamic App
Sec Testing
Build / Policy
Compliance
Vulnerability
Assessment
Vulnerability
Assessment
Policy
Compliance
Dynamic App
Sec Testing

2. CODE
BUILD
TEST
DEPLOY
OPERATE
MONITOR
Manage digital supply chain
Automated Software
Composition Analysis
Automated Container Image
Scanning
Scan artifact and source
code repositories
Threat modeling
Security Requirements
Security SLA cloud providers
Risk Analysis
Automated Security Testing
Automated Static Testing
Integrate security tests
with unit testing
Run-Time application
security testing
Establish Security Mindset Perform Security Training
Establish Security Satellites Perform Continuous Assurance
Manual Security Testing
Manual Penetration Testing
Manual Security
Verifications
Secrets management
Security Configuration
Automation
Automated Remediation
Practice Incident Response
Continuous Monitoring
Security Controls
Application behaviour
Ci/CD security metrics
System metrics
Security SLAs
Centralised dashboards
Self-service capabilities for
dev and ops
Continuous feedback from
prod to dev
Secure the Ci/CD pipeline