Sonatype Selected by Equifax to Support OS Governance Press Release

blog-logo Sonatype Blog

Continuous Compliance and DevOps

June 17, 2019 By Derek Weeks

Security, Compliance, and DevOps walk into a pipeline...

Okay, I don’t have a joke that starts out that way. But, then again, this isn’t a joke - this is reality and something DevOps organizations need to embrace. Tools like InSpec help organizations fully automate testing, security, and compliance into Continuous Integration/Continuous Delivery pipelines.

Christoph Hartmann (@chri_hartmann) is a lead engineer at Chef and the creator of InSpec, an open source project at Chef to automate security and compliance as infrastructure as code. Christoph introduced the reasons for InSpec and what it can do at the 2017 AllDayDevOps conference in his talk, Continuous Patch and Security Assessment with InSpec.

Christoph's session is worth revisiting as we prepare for the next All Day DevOps conference.

Why Automate Compliance and Security?

Christoph answers the question many ask: why do I need to automate compliance and security? Almost anyone in an organization subject to compliance has, at some point, run up against the Compliance Wall, halting progress. Compliance is important, but organizations need to build their infrastructure so that developers and operations partner with compliance and make the job easier for both the DevOps team and the compliance team. This ensures greater compliance, and, hopefully, greater security.

 

DevOps and Compliance can have separate agendas

 

By fully automating compliance and security testing, developers can show -- with an auditable record -- that they have met the requirements. This makes it easier on the DevOps team, which makes it more likely they will comply. This makes for a healthier, more productive development because there is no need for developers to find ways around the system in order to do what they need to get done.

InSpec in particular focuses its efforts on two of the OWASP Top 10 Web Application Security Risks:

A5 - Security Misconfiguration

A9 - Using Known Vulnerable Components

These contribute and exacerbate to the vicious cycle we see in security: someone finds a loophole, exploits it, new regulations are implemented to stop it, and repeat. Minimizing them will go a long way towards being more secure.

 

null

How can you minimize them? Best practice hardening seems obvious, but it can be difficult to implement and it doesn’t show auditors what they need to see. Automation brings clarity to your compliance and security implementations because it shows everything, exactly as it was done, and it helps ensure organizations that they are meeting compliance regulations to increase security and decrease liability.

Getting over the hurdle of agreeing to automate compliance is a big challenge, but we all know it doesn’t stop there. Getting DevOps, Security, and Compliance to work together is another hurdle towards the finish line.

How can we bring DevOps, Security, and Compliance together to build compliance-drive infrastructure? Hint: Look at a trade-off of speed vs. risk.

DevOps teams focus on faster innovation, potentially increasing risk. InfoSec teams focus on mitigating risk, potentially reducing speed.

Can We Do It Faster?

Christoph asks, “How can we accelerate speed but improve test coverage so that we grow in a good manner?” As he says: when you put a faster engine in your car, you better make sure you have better brakes.

 

Compliance Continuous, Detect and Correct

What are solutions (the better brakes)?

You need something that does deep analysis. Christoph notes that most compliance activity tends to degrade over time and resume when auditors come by. Instead, it needs to be constantly checking and improving.

Faulty assumptions in compliance dropping over time

Christoph walks through specific InSpec examples, including some live demos, and looks at its capabilities, extendability, and outlook for integrations into more cloud environments in the near future. He highlights two resources for further study: inspec.io and dev-sec.io.

Watch Christoph’s full talk below, including his live demos of InSpec.

Tags: OSS compliance, News and Views, Industry commentary

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.