Sonatype Blog

Compliance as Code

July 06, 2020 By Pachi Carlson

If your business is regulated, you already know compliance is a must-have. But how can you make it easier?

In an All Day DevOps session, Gert Jan van Halem, CTO of Devoteam, discussed compliance as code and walked through an example solution that lets you verify your product's compliance as part of the build itself.

What is Compliance?

In general, compliance means conforming to a set of rules that are set for you. As you can see, it's quite a simple concept.

But while compliance is simple, when it comes to coding products, it’s also critically important—especially nowadays, with the growing number of regulations.

If you search for the word “compliance” on LinkedIn, you’ll see that there’s a demand for professionals that have compliance-related skills.

Why is Compliance Getting So Big? Why Do We Need All These Compliance Professionals?

A long time ago, compliance was simple. You had something that you had to bring into production, and you followed a simple set of rules. Then you delivered it, and it would get inspected.

But slowly and steadily, the rules started to grow, and the regulators kept adding to those rules.

So now you have lots of rules to keep in mind while building your product, and complying with all of them is difficult. It's a blocker in the developer's path to their real goal: getting the product into production.

But at the end of the day, you still need to be compliant. So developers have to follow the rules.

Awareness of Compliance

Everybody on the team understands that compliance is an important part of the product and of their jobs. They just want to be able to be compliant without a big process.

Everybody is aware of the need for compliance. But in the day-to-day, team members just get their job done, and compliance becomes an afterthought.

Then, around twice a year, when the product is ready to be sent into production, people start to focus on compliance, turning on their awareness of it. By then, though, it’s often too late. They have to waste a sprint to get it done.

Process, Not Product

Here’s another fact to take into consideration: the compliance-focused team might know everything about how the process should be done but nothing about the product itself.

It's also important to mention that not everything gets checked. Typically only a random sample of changes is reviewed, and the compliance check often happens months after the work was actually done.

So team members might assume that if there’s something wrong with the process there’s also something wrong with the product, and vice-versa. That’s not necessarily true.

The process may have been perfect, and everything might be fine according to compliance. But that doesn’t mean the end product is necessarily OK.

How to Fix This?

The folks at Gert Jan van Halem's company Devoteam knew they had to fix these problems. After some research, they found a framework called in-toto, created by New Jersey Institute of Technology and NYU, that secures the integrity of a software supply chain by recording and verifying every step in it. Here's how it works.

If you look into your supply chain, there are a few steps that your product goes through, and only certain people are allowed to work in each step. Once step one is done, the chain moves to step two, and so on until the product is sent to production. in-toto, the framework Devoteam adopted, records what happened in each step so the whole chain can be checked at the end.

You start with a layout that describes the steps to take, which functionaries (people or systems, identified by their keys) may perform each step, and how the artifacts flow from one step to the next: the materials going into a step are expected to be the products that came out of the previous one. The layout is signed by the project owner. Then you actually go through the steps, and each step run under in-toto produces signed link metadata recording who performed it and the hashes of the files it consumed and produced.

Example In-Toto flow, for demo purposes, from Gert Jan van Halem’s “Compliance as Code” presentation.

The last part of the process is verification, which can also run inspections on the final product. It's at this stage that you get a verdict on whether the product is OK or not: the layout signature, each link's signature, and the material/product rules are all checked. If the product passes, it can go to production. If not, the failing step or rule is named, so you can go back and see exactly what needs to be worked on.

Process AND Product

If you adopt a framework like in-toto, things get much easier. Now you check your process and your product at the same time. You describe your process in a codified layout, so there's no room for misunderstanding about what the process is supposed to be.

Following this system also means you checked the product, making sure nothing was tampered with between steps: because every step records hashes of what it took in and what it put out, an artifact that was modified between the build and the packaging step no longer matches, and verification fails at that step. You know where the issue is, and it can be fixed right away. Compliance awareness becomes a daily part of the routine.
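The flow described above and the tampering check in "Process AND Product", as an added example that is not code from the original post, from Devoteam, or from the in-toto project: a standard-library Python model of a layout naming steps and their authorised functionaries, per-step link metadata recording artifact hashes, and a verification pass that walks the chain. The step names (checkout, build, package), the functionaries alice and bob, the sample artifacts, and the use of HMAC-SHA256 with a shared secret in place of in-toto's asymmetric signatures are all assumptions made for the example.

```python
"""Minimal model of an in-toto style supply-chain check (added example).

This is NOT the in-toto reference implementation. It reproduces, with the
standard library only, the three ideas the post describes: a layout that
codifies the steps and who may perform each one, per-step link metadata
that records hashes of the artifacts a step consumed and produced, and a
final verification that walks the chain and names the step that broke it.
Assumption: HMAC-SHA256 with a per-functionary secret stands in for the
asymmetric signatures real in-toto puts on layouts and links.
"""
import hashlib
import hmac
import json

# Constructed functionary secrets (stand-ins for private signing keys).
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}

# Constructed layout: the process, codified. Each step names the functionaries
# allowed to run it and a MATCH rule: its materials must be exactly the
# products recorded by the named earlier step.
LAYOUT = {
    "steps": [
        {"name": "checkout", "pubkeys": ["alice"], "expected_materials": []},
        {"name": "build", "pubkeys": ["bob"], "expected_materials": [("MATCH", "checkout")]},
        {"name": "package", "pubkeys": ["bob"], "expected_materials": [("MATCH", "build")]},
    ]
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic encoding so the same record always signs the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def run_step(name, functionary, materials, products):
    """Model of in-toto-run: hash inputs and outputs, then sign the record."""
    signed = {
        "name": name,
        "materials": {p: _digest(b) for p, b in materials.items()},
        "products": {p: _digest(b) for p, b in products.items()},
    }
    sig = hmac.new(KEYS[functionary], _canonical(signed), "sha256").hexdigest()
    return {"signed": signed, "signer": functionary, "sig": sig}


def verify(layout, links):
    """Model of in-toto-verify: return the list of problems; empty means pass."""
    problems = []
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            problems.append(f"{name}: no link metadata recorded")
            continue
        # Process check: did an authorised functionary sign an intact record?
        if link["signer"] not in step["pubkeys"]:
            problems.append(f"{name}: signed by unauthorised functionary {link['signer']}")
            continue
        expected = hmac.new(KEYS[link["signer"]], _canonical(link["signed"]), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            problems.append(f"{name}: link signature does not verify")
            continue
        # Product check: what this step consumed must be what the earlier step produced.
        for rule, source in step["expected_materials"]:
            if rule != "MATCH" or source not in links:
                problems.append(f"{name}: cannot apply rule {rule} against {source}")
                continue
            produced = links[source]["signed"]["products"]
            for path, digest in link["signed"]["materials"].items():
                if produced.get(path) != digest:
                    problems.append(f"{name}: material {path} does not match product of {source}")
    return problems


def demo(tamper: bool):
    """Run the constructed three-step chain; optionally alter the binary between build and package."""
    source = b"int main(void) { return 0; }\n"
    binary = b"\x7fELF constructed build output"
    links = {
        "checkout": run_step("checkout", "alice", {}, {"main.c": source}),
        "build": run_step("build", "bob", {"main.c": source}, {"app": binary}),
    }
    handed_over = binary + b" plus something nobody approved" if tamper else binary
    links["package"] = run_step("package", "bob", {"app": handed_over}, {"app.tar": b"constructed tarball"})
    return verify(LAYOUT, links)


if __name__ == "__main__":
    print("clean chain:", demo(False) or "PASS")
    print("tampered chain:", demo(True))
```

The clean run returns no problems; the tampered run fails with exactly one, naming the package step and the artifact whose hash no longer matches what the build step recorded. Note that the process side of the check (the build step signed by an authorised functionary) still passes in the tampered run, which is the point of the section: a clean process record on its own says nothing about the product. Real in-toto's MATCH rule is richer (it supports path patterns and source/destination prefixes), and the layout and links carry real signatures and expiry dates; this model deliberately keeps only the parts needed to show the chain-of-hashes idea.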

Summary

Having a framework for compliance means a developer can actually address compliance easily and as a part of their daily job. It ensures you can bring to production a product that’s compliant, that you’re sure isn’t tampered with, and that works as it’s supposed to.

Tags: Compliance, AppSec, OSS compliance, software security, compliance as code

Written by Pachi Carlson

Pachi Carlson is a Brazilian self-taught front-end developer who's passionate about helping coding newbies and inspiring other women in tech. She's always learning something new or deepening her knowledge of technologies she already knows, and she prides herself in writing in a simple manner so beginners can learn with her.