Summary
In this chapter, we discussed various security frameworks. These frameworks are guidelines for setting security controls for the IT environments of the enterprise. These controls apply to systems and applications, and also to the DevOps practice. From the moment developers pull code from a repository and start the build, up until deployment and production, IT environments, including CI/CD pipelines, need to adhere to security controls. There are many different frameworks. Some of them are generic and broadly accepted by enterprises, such as NIST, CIS, and COBIT.
We also discussed the MITRE ATT&CK framework, which takes a different angle from the other security control frameworks. Rather than prescribing controls, MITRE ATT&CK lists the tactics and techniques that attackers may use or have used to exploit vulnerabilities. Just like CIS, MITRE ATT&CK lists specifics for various platforms and technologies, including containers, which are commonly used in CI/CD.
In the last section...