Building a Compliance and AppSec Program for a Federal Platform-as-a-Service (PaaS)
A panel with Federal and DoD leaders on building a Compliance and AppSec program for a cloud-native PaaS
What are some of the specific challenges you encountered when trying to create a compliance and AppSec program/approach for a Federal Platform-as-a-Service (PaaS)?
We know security control inheritance often becomes a hot topic when building a Federal PaaS. Can you speak to your experiences there, clarifying what is inheritable and what development teams still need to be cognizant of?
It is one thing to onboard a single development team or mission/system owner, but what are your thoughts and experiences on doing so at scale, across many teams? Are there any unique challenges as the program grows?
One challenge that always exists is minimizing the friction and burden on developers while still ensuring security and compliance requirements are met. What are your thoughts and experiences on that front?
Flipping the perspective from the developers and system owners a bit, cloud, PaaS, control inheritance, DevSecOps, etc. can also be a learning curve and a new endeavor for the auditing and A&A community. What approaches have you found successful for bringing the compliance SMEs along on the journey?