To outperform competitors, organizations need to deliver software faster without increasing their risk. To accomplish this, security and compliance teams must embrace DevOps and drive collaboration through automation.
That's according to Pieter Hagen, Solutions Architect at Chef Software, speaking at Computing's recent DevOps summit in London.
In his talk, How Security and Compliance Teams can be Good Citizens in a DevOps Practice, Pieter articulates how speed and risk are often at odds. As development and operations teams iterate more quickly, security and compliance can become a bottleneck when environments are evaluated late in the release cycle, and often manually. Issues discovered at this stage are costly to address and put release deadlines at risk. Furthermore, manual processes are hard to scale, so validations cannot easily be applied more frequently or across more environments.
InSpec is a tool that addresses these concerns by allowing compliance requirements to be codified for continuous, automatic evaluation. InSpec code is designed to be easily understood by IT professionals across disciplines, with the flexibility to adapt to ever-changing regulatory requirements and emerging security vulnerabilities.
Because InSpec defines compliance requirements as code, environments can be evaluated consistently at every stage of development. Issues are therefore discovered earlier, where they can be prioritized and addressed long before a change is promoted to production. The result is a more predictable deployment schedule with fewer delays and, most importantly, greater confidence that security flaws won't find their way into production.
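As an added illustration of what codifying a requirement buys you, not code from the talk or from InSpec itself, here is a plain-Ruby sketch of a small SSH baseline evaluated identically against two constructed environments; InSpec expresses the same idea with its control DSL and resources. The sshd_config contents, control ids and required values are constructed for the example.

```ruby
# Added illustration, not InSpec: a baseline expressed once as data plus one
# evaluation routine, applied identically to every environment.

# Constructed sshd_config contents for two environments (not real hosts).
ENVIRONMENTS = {
  'staging' => <<~CONF,
    # staging box
    Protocol 2
    PermitRootLogin yes
    PasswordAuthentication no
  CONF
  'production' => <<~CONF,
    Protocol 2
    PermitRootLogin no
    PasswordAuthentication no
    X11Forwarding no
  CONF
}.freeze

# The requirement, codified once: [control id, config key, required value].
SSH_BASELINE = [
  ['sshd-01', 'Protocol', '2'],
  ['sshd-02', 'PermitRootLogin', 'no'],
  ['sshd-03', 'PasswordAuthentication', 'no'],
  ['sshd-04', 'X11Forwarding', 'no'],
].freeze

# Parses "Key value" lines into a hash; comments and blank lines are skipped.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Evaluates the baseline against one config. A missing directive is a failure:
# the daemon default is not trusted to satisfy the control.
def evaluate(config_text, baseline = SSH_BASELINE)
  cfg = parse_sshd_config(config_text)
  baseline.map do |id, key, required|
    actual = cfg[key]
    { id: id, key: key, required: required, actual: actual,
      status: actual == required ? 'passed' : 'failed' }
  end
end

# Runs the same baseline over every environment; returns failed control ids per
# environment, the picture a team can check at each stage before promotion.
def failures_by_environment(environments = ENVIRONMENTS)
  environments.transform_values do |conf|
    evaluate(conf).select { |r| r[:status] == 'failed' }.map { |r| r[:id] }
  end
end
```

Running the same baseline in staging surfaces the root-login and X11 drift long before the change reaches production, where the identical checks pass.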
With Chef Automate, organizations have access to a library of pre-written Compliance Profiles that can be run continuously on live environments and validated on-demand in weighted compliance reports. By practicing Continuous Compliance in this fashion, organizations can enter into audits with a complete picture of their systems' security, and maintain visibility even between audits.
Finally, and perhaps most crucially, InSpec provides a single tool that can be used by security, compliance, development and operations alike. By providing a consistent source of truth for what compliance looks like in your organization, InSpec helps drive collaboration between these teams, and allows the entire IT organization to take an active role in ensuring compliance priorities are understood and met.
Nick Rycar is Technical Product Marketing Manager at Chef