Security-Embedded Quality Assurance: Zero-Trust Control Validation as Executable Enterprise Tests
Abstract
The convergence of cybersecurity and quality assurance (QA) represents a fundamental shift in enterprise risk management, one clearly visible in the 2020-2021 threat landscape. As organizations moved away from perimeter-based defense models and adopted Zero Trust Architecture (ZTA), functional testing and security auditing ceased to be separate activities. Grounded in the technological and threat environment of 2021, this paper describes a Security-Embedded Quality Assurance methodology. It argues that Zero Trust principles, namely identity validation, device posture checks, and microsegmentation, should be expressed as executable tests within the Continuous Integration/Continuous Deployment (CI/CD) pipeline. Using Policy-as-Code (PaC), automated identity verification, and service mesh telemetry, enterprises can move from reactive security compliance to proactive continuous control validation. The analysis synthesizes key data from NIST, CISA, IBM and industry benchmarks to show that automated security testing is not merely a technical efficiency but a core economic necessity, one that can save millions of dollars in data breach costs and substantially reduce threat dwell time.
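To make the abstract's central idea concrete, the following is an added illustrative example (not code from the paper or any vendor) of Zero Trust controls expressed as executable CI tests: a small Policy-as-Code document covering identity, device posture and microsegmentation, an evaluator that applies it to an access request, and a control-validation suite that a CI stage can fail on. The policy schema, field names, control identifiers such as `ZT-ID-01`, and the sample requests are all constructed assumptions for this example; a real pipeline would load the policy from the repository and replay requests against the identity provider or service mesh.

```python
"""Zero Trust controls as executable CI tests (added illustrative example).

The policy format, field names, control IDs and sample requests below are
constructed assumptions; they are not taken from the paper or any product.
"""
from dataclasses import dataclass

# Constructed Policy-as-Code document: what the Zero Trust controls require.
POLICY = {
    "identity": {"require_mfa": True, "max_token_age_s": 3600},
    "device": {"require_managed": True, "require_disk_encryption": True,
               "max_patch_age_days": 30},
    # Microsegmentation: explicit allow-list per source segment; anything
    # not listed (including unknown segments) is denied by default.
    "segments": {
        "web": {"api"},
        "api": {"db"},
    },
}


@dataclass
class AccessRequest:
    user: str
    mfa: bool
    token_age_s: int
    device_managed: bool
    disk_encrypted: bool
    patch_age_days: int
    src_segment: str
    dst_service: str


def evaluate(req: AccessRequest, policy=POLICY) -> list[str]:
    """Return the list of control violations; an empty list means allow."""
    reasons = []
    ident = policy["identity"]
    if ident["require_mfa"] and not req.mfa:
        reasons.append("identity: MFA not satisfied")
    if req.token_age_s > ident["max_token_age_s"]:
        reasons.append("identity: token too old")
    dev = policy["device"]
    if dev["require_managed"] and not req.device_managed:
        reasons.append("device: unmanaged device")
    if dev["require_disk_encryption"] and not req.disk_encrypted:
        reasons.append("device: disk not encrypted")
    if req.patch_age_days > dev["max_patch_age_days"]:
        reasons.append("device: patch level out of date")
    allowed = policy["segments"].get(req.src_segment, set())
    if req.dst_service not in allowed:
        reasons.append(f"segment: {req.src_segment} -> {req.dst_service} not allow-listed")
    return reasons


def is_allowed(req: AccessRequest, policy=POLICY) -> bool:
    return not evaluate(req, policy)


def _base(**over) -> AccessRequest:
    """A fully compliant constructed request, with optional field overrides."""
    good = dict(user="alice", mfa=True, token_age_s=120, device_managed=True,
                disk_encrypted=True, patch_age_days=5, src_segment="web",
                dst_service="api")
    good.update(over)
    return AccessRequest(**good)


# Control-validation cases: (control id and description, request, expected decision).
CONTROL_CASES = [
    ("ZT-ID-01 compliant request is allowed", _base(), True),
    ("ZT-ID-02 missing MFA is denied", _base(mfa=False), False),
    ("ZT-ID-03 stale token is denied", _base(token_age_s=7200), False),
    ("ZT-DEV-01 unmanaged device is denied", _base(device_managed=False), False),
    ("ZT-DEV-02 unpatched device is denied", _base(patch_age_days=45), False),
    ("ZT-SEG-01 web cannot reach db directly", _base(dst_service="db"), False),
    ("ZT-SEG-02 unknown segment is denied by default", _base(src_segment="lab"), False),
]


def validate_controls(policy=POLICY) -> list[str]:
    """Run every control case against the policy and return the names of the
    cases whose outcome differs from the expected decision. A non-empty list
    means a control has regressed and the CI stage should fail."""
    return [name for name, req, expected in CONTROL_CASES
            if is_allowed(req, policy) != expected]


if __name__ == "__main__":
    failures = validate_controls()
    print("controls OK" if not failures else f"FAILED: {failures}")
```

The point of keeping the expected decision beside each request is that the suite tests the policy, not just the evaluator: if someone weakens the policy document (for example by dropping the MFA requirement), `validate_controls` reports the specific control that no longer holds and the pipeline blocks the change before it is deployed.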