Turn your compliance, security and other policy requirements into automated tests


Nick Rycar, Technical Product Marketing Manager at Chef, explains how InSpec can help with compliance and security concerns in development and operations

In order to outperform competitors, organizations need to deliver software faster while ensuring that doing so doesn't increase their risk. To accomplish this, it's imperative that security and compliance teams embrace DevOps and drive collaboration through automation.

That's according to Pieter Hagen, Solutions Architect at Chef Software, speaking at Computing's recent DevOps summit in London.

In his talk, How Security and Compliance Teams can be Good Citizens in a DevOps Practice, Pieter articulates how speed and risk are often at odds. As development and operations teams iterate more quickly, security and compliance can become a bottleneck when environments are evaluated late in the release cycle, and often manually. Issues discovered at this stage can be costly to address and can put release deadlines at risk. Furthermore, manual processes are hard to scale, which makes it difficult to apply validations more frequently or in more environments.

InSpec is a tool that addresses these concerns by allowing compliance requirements to be codified for continuous, automatic evaluation. InSpec code is designed to be easily understood by IT professionals across disciplines, with the flexibility to adapt to ever-changing regulatory requirements and emerging security vulnerabilities.

Because InSpec defines compliance requirements as code, environments can be evaluated consistently at every stage of development. Issues can therefore be discovered earlier, where they can be prioritized and addressed long before a change is promoted to production. The end result of this is a more predictable deployment schedule with fewer delays, and most importantly, greater confidence that security flaws won't find their way into production.

With Chef Automate, organizations have access to a library of pre-written Compliance Profiles that can be run continuously on live environments and validated on demand in weighted compliance reports. By practicing Continuous Compliance in this fashion, organizations can enter audits with a complete picture of their systems' security, and maintain visibility even between audits.
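The compliance-as-code workflow described above, as an added example in plain Ruby rather than code from Chef or the InSpec project: each control carries an identifier, an impact weight and a check, the same shape an InSpec control has (`control`, `impact`, `describe`), but the checks here run against a constructed sshd_config and a constructed file-permission table embedded in the script, so it executes offline without InSpec installed. The control ids, impact values and sample configuration are all assumptions made up for the illustration; a real profile would use InSpec resources such as `sshd_config` and `file`, which query the live target. The impact-weighted score at the end is the kind of figure a weighted compliance report summarises.

```ruby
# Added example (not InSpec's own code): a minimal "compliance as code" runner.
# System state is constructed inline so the script runs offline.

SAMPLE_SSHD_CONFIG = <<~CONF # constructed sample, not captured from a real host
  # Example sshd_config fragment
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  X11Forwarding no
CONF

# Constructed file-mode inventory (octal), standing in for a real filesystem.
SAMPLE_FILE_MODES = {
  '/etc/ssh/sshd_config' => 0o644,
  '/etc/shadow'          => 0o600,
}.freeze

# Parse "Keyword value" lines into a hash keyed by lower-cased keyword.
# Later duplicates are ignored because sshd honours the first occurrence.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value
  end
end

def build_state(sshd_text, modes)
  { sshd: parse_sshd_config(sshd_text), modes: modes }
end

# A control: id, human-readable title, impact weight (0.0..1.0 as in InSpec),
# and a check lambda that receives the system state and returns true if compliant.
Control = Struct.new(:id, :title, :impact, :check)

CONTROLS = [ # hypothetical control ids and impacts chosen for this illustration
  Control.new('sshd-01', 'Root login over SSH is disabled', 1.0,
              ->(s) { s[:sshd]['permitrootlogin'] == 'no' }),
  Control.new('sshd-02', 'Password authentication is disabled', 0.7,
              ->(s) { s[:sshd]['passwordauthentication'] == 'no' }),
  Control.new('file-01', '/etc/shadow is not readable by group or others', 1.0,
              ->(s) { (s[:modes]['/etc/shadow'] & 0o077).zero? }),
  Control.new('file-02', 'sshd_config is not world-writable', 0.5,
              ->(s) { (s[:modes]['/etc/ssh/sshd_config'] & 0o002).zero? }),
].freeze

# Evaluate every control; a check that raises counts as a failure, never a pass.
def run_controls(controls, state)
  controls.map do |c|
    passed = begin
      c.check.call(state) == true
    rescue StandardError
      false
    end
    { id: c.id, title: c.title, impact: c.impact, status: passed ? :passed : :failed }
  end
end

# Impact-weighted score: 100.0 means every control passed.
def weighted_score(results)
  total = results.sum { |r| r[:impact] }
  return 100.0 if total.zero?
  earned = results.select { |r| r[:status] == :passed }.sum { |r| r[:impact] }
  earned / total * 100
end

# Exit code a CI job would use to gate a promotion: 1 if anything failed.
def ci_exit_code(results)
  results.any? { |r| r[:status] == :failed } ? 1 : 0
end

results = run_controls(CONTROLS, build_state(SAMPLE_SSHD_CONFIG, SAMPLE_FILE_MODES))
results.each { |r| puts format('%-8s %-7s %s', r[:id], r[:status], r[:title]) }
puts format('weighted score: %.1f  (exit code %d)', weighted_score(results), ci_exit_code(results))
```

Run the same script at every stage of the pipeline and the only thing that changes is the state handed to `build_state`; with the sample above, the root-login control fails and drags the weighted score down to 68.8, which is exactly the early, cheap signal the article argues for.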

Finally, and perhaps most crucially, InSpec provides a single tool that can be used by security, compliance, development and operations alike. By providing a consistent source of truth for what compliance looks like in your organization, InSpec helps drive collaboration between these teams, and allows the entire IT organization to take an active role in ensuring compliance priorities are understood and met.

Nick Rycar is Technical Product Marketing Manager at Chef
