DevOps Summit: Complete compliance in coding is an Alice in Wonderland-style fairytale
Chef's Justin Arbuckle argues you have to be selective when it comes to compliance
The idea that complete compliance in coding is achievable is a "fairytale".
That's according to Justin Arbuckle, vice president EMEA and chief enterprise architect at IT automation firm Chef, who was presenting on bringing high velocity to IT at Computing's DevOps Summit 2015.
"You need to get over the idea that complete compliance is possible. I've never seen a business with complete compliance when it is older than the internet; there's always legacy problems that you have to deal with," he told the audience.
The answer, Arbuckle suggested, is to select a few specific areas that you want to always be compliant and work exclusively and continuously on them.
"Pick a few rules you can improve and iterate consistently across your entire organisation at scale. Pick a few of those practices and do that," he said, arguing that it improves the ability to quickly work on development.
"If you've developed a high velocity capability, an ability to automate those requirements - both software and compliance - then you also have the ability to be able to improve them very quickly."
Referring to Alice in Wonderland, he said "this is one thing that Alice didn't get right", suggesting the section where Alice "meets a caterpillar on a mushroom smoking a pipe" represents a classic meeting with an auditor.
"The caterpillar says if you go this way and eat the mushroom it'll make you grow taller and if you go this way, it'll make you shrink," Arbuckle explained.
"So what Alice does is she says she'll do both. So she grows an incredibly long neck, turns into a monster and it's very frightening for the children. The fact is it then takes her a whole bunch of times to take successive nibbles of the mushroom until she gets back to normal height," he continued, arguing that for many in IT, this sounds like negotiations with other departments over compliance.
"Does that feel like processes you do? Does that feel like a constant negotiation you have with security people saying 'when you said this, what you meant is this?' Or best practice, you didn't mean this, you meant this? It's these continual nibbles of the mushroom," Arbuckle said.
He went on to suggest that moving compliance to a DevOps-based model allows IT to be specific about future goals, building a solid foundation for future iterations and developments.
"The point is you're able to be super-specific if your compliance requirements are written as code. Because you're able to say this is what we basically think, does anyone disagree? No, so we're going to go with that," Arbuckle said.
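As an added illustration of what "compliance requirements written as code" can look like (this is example code written for this article, not Chef's tooling and not anything shown in the talk), the block below encodes three rules for an OpenSSH server configuration as plain functions and evaluates them against a constructed sshd_config fragment. The rule ids, the thresholds and the sample configuration are assumptions chosen for the example; the parser does follow real sshd semantics in one respect that matters for such checks, namely that the first occurrence of a keyword wins and later duplicates are ignored.

```python
"""Compliance rules as executable checks (added example, not Chef's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample: one violation (PasswordAuthentication yes) and a
# duplicated keyword whose later value sshd would ignore.
SAMPLE_SSHD_CONFIG = """\
# sshd_config fragment constructed for this example
Port 22
PermitRootLogin no
PasswordAuthentication yes
# sshd uses the first value of a keyword, so the next line has no effect
PasswordAuthentication no
MaxAuthTries 4
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines. Keywords are case-insensitive and, as
    in sshd, the first value seen for a keyword is the effective one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    check: Callable[[Dict[str, str]], bool]


def value_is(key: str, expected: str, default: str) -> Callable[[Dict[str, str]], bool]:
    """Check that the effective value (explicit, else the sshd default) equals expected."""
    return lambda cfg: cfg.get(key, default).lower() == expected


def at_most(key: str, limit: int, default: int) -> Callable[[Dict[str, str]], bool]:
    """Check that an integer setting (explicit, else default) does not exceed limit."""
    def check(cfg: Dict[str, str]) -> bool:
        try:
            return int(cfg.get(key, str(default))) <= limit
        except ValueError:
            return False  # unparseable value is a finding, not a pass
    return check


# Assumed rule set; defaults are the OpenSSH defaults for each keyword.
RULES: List[Rule] = [
    Rule("ssh-01", "PermitRootLogin must be no",
         value_is("permitrootlogin", "no", "prohibit-password")),
    Rule("ssh-02", "PasswordAuthentication must be no",
         value_is("passwordauthentication", "no", "yes")),
    Rule("ssh-03", "MaxAuthTries must be at most 4",
         at_most("maxauthtries", 4, 6)),
]


@dataclass(frozen=True)
class Result:
    rule_id: str
    description: str
    passed: bool


def evaluate(config_text: str, rules: List[Rule] = RULES) -> List[Result]:
    """Run every rule against the parsed configuration."""
    cfg = parse_sshd_config(config_text)
    return [Result(r.rule_id, r.description, r.check(cfg)) for r in rules]


def failures(config_text: str, rules: List[Rule] = RULES) -> List[str]:
    """Ids of the rules that fail, in rule order."""
    return [res.rule_id for res in evaluate(config_text, rules) if not res.passed]


if __name__ == "__main__":
    for res in evaluate(SAMPLE_SSHD_CONFIG):
        print(f"{'PASS' if res.passed else 'FAIL'} {res.rule_id}: {res.description}")
```

Each rule is a small, reviewable function, so "this is what we think, does anyone disagree?" becomes a pull request against the rule list rather than a paragraph in a policy document, and a later "nibble of the mushroom" is a commit that changes a threshold or adds a rule. Note that an empty configuration fails all three rules: the checks reason about the effective value, including defaults, not merely about whether a line is present.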
It ultimately means that development teams can continue to learn as they go along during the building process.
"We then learn in production and that's what DevOps is about; as we learn in production we then say we have to make adjustments, so you make adjustments," he said.
"But the adjustments that you make don't have to be remembered as bite-sized nibbles of the mushroom which have to be written in some document because they're written down as code," Arbuckle added, going back to the Alice In Wonderland reference.
"What happens when you learn additional things you have to do, it all gets built on the code you've already built where you are improving your improving and embedding the experience in code as you improve your effort," Arbuckle concluded.