Shifting Left into DevSecOps Automation
13:50 - 14:30, 22nd of May (Tuesday) 2018 / TECH PLUS I STAGE
for Conference Passes+ only
Traditionally, embedded software has been developed in a more waterfall-like process than, for instance, web applications. However, changing security requirements and customer demands are introducing much more agile, DevOps-driven processes. The challenge is to keep product quality and security in lockstep with faster and more frequent releases. We present a two-pronged approach for meeting this challenge: first, an automated, security-driven approach to managing open source packages and third-party code within the DevOps pipeline; and second, automated "pre-commit" testing of our own source code in the developer domain, before it is committed to the production branch. We illustrate the approach through our experience managing this DevSecOps process in large-scale, geographically distributed projects.