Continuous Compliance and DevOps

Security, Compliance, and DevOps walk into a pipeline…

Okay, I don’t have a joke that starts out that way. But then again, this isn’t a joke; this is reality, and something DevOps organizations need to embrace. Tools like InSpec let organizations automate testing, security, and compliance checks inside Continuous Integration/Continuous Delivery (CI/CD) pipelines, so every build is checked against the same rules.

Christoph Hartmann (@chri_hartmann) is a lead engineer at Chef and the creator of InSpec, an open source project from Chef that expresses security and compliance requirements as code, in the same way infrastructure as code expresses the infrastructure itself. Christoph explained the motivation behind InSpec and what it can do at the 2017 All Day DevOps conference in his talk, Continuous Patch and Security Assessment with InSpec.

Christoph’s session is worth revisiting as we prepare for the next All Day DevOps conference.

Why Automate Compliance and Security?

Christoph answers a question many people ask: why do I need to automate compliance and security? Almost anyone in an organization subject to compliance requirements has, at some point, run into the Compliance Wall and watched progress halt. Compliance is important, but organizations need to build their infrastructure so that developers and operations partner with compliance, making the job easier for both the DevOps team and the compliance team. That leads to greater compliance and, hopefully, greater security.

DevOps and Compliance can have separate agendas

By fully automating compliance and security testing, developers can show, with an auditable record, that they have met the requirements. This makes life easier for the DevOps team, which makes it more likely they will comply. It also makes for a healthier, more productive development process, because developers no longer need to find ways around the system to get their work done.

InSpec in particular targets two of the OWASP Top 10 Web Application Security Risks (2013 edition):

A5 – Security Misconfiguration
A9 – Using Components with Known Vulnerabilities
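As an added illustration (not code from the talk, the Sonatype post, or the InSpec project), here is a stand-alone Ruby sketch of the two kinds of checks named above: a misconfiguration check against an sshd_config excerpt and a known-vulnerable-component check against a package inventory, both producing the JSON record a pipeline would archive as its auditable evidence. It does not use InSpec's DSL or resources; the sample inputs, control IDs, impact values, and minimum package versions are placeholders constructed for this example, and version comparison uses Gem::Version rather than the platform's package-manager ordering.

```ruby
require "json"

# --- Constructed sample inputs (not captured from a real host) ---------------
SAMPLE_SSHD_CONFIG = <<~CONF
  # /etc/ssh/sshd_config excerpt, constructed for this example
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  X11Forwarding no
  # later duplicate: sshd keeps the FIRST value of a keyword, so this is ignored
  PermitRootLogin no
CONF

# "name version" per line, the shape `dpkg-query -W -f='${Package} ${Version}\n'` gives
SAMPLE_PACKAGES = <<~PKGS
  openssl 1.1.0
  bash 4.4.18
  curl 7.58.0
PKGS

# Policy baseline: minimum approved versions. Placeholder values for illustration,
# not tied to any specific advisory.
MIN_VERSIONS = { "openssl" => "1.1.1", "bash" => "4.4.0" }.freeze

# sshd applies the first occurrence of a keyword and ignores later ones, so the
# parser keeps the first value (||=) rather than the last. Keywords are case-insensitive.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    settings[key.downcase] ||= value
  end
  settings
end

def parse_packages(text)
  text.each_line.with_object({}) do |line, pkgs|
    name, version = line.split
    pkgs[name] = version if name && version
  end
end

def version_at_least?(actual, minimum)
  Gem::Version.new(actual) >= Gem::Version.new(minimum)
end

# A control carries an id, an impact, a human-readable title and a check that
# returns [passed?, evidence]; the evidence is what an auditor reads later.
Control = Struct.new(:id, :impact, :title, :check) do
  def run(facts)
    passed, evidence = check.call(facts)
    { "id" => id, "impact" => impact, "title" => title,
      "status" => passed ? "passed" : "failed", "evidence" => evidence }
  end
end

CONTROLS = [
  Control.new("sshd-01", 1.0, "Root login over SSH is disabled", lambda { |f|
    v = f[:sshd]["permitrootlogin"]
    [v == "no", "PermitRootLogin=#{v.inspect}"]
  }),
  Control.new("sshd-02", 0.7, "Password authentication over SSH is disabled", lambda { |f|
    v = f[:sshd]["passwordauthentication"]
    [v == "no", "PasswordAuthentication=#{v.inspect}"]
  }),
  Control.new("pkg-01", 0.9, "Installed packages meet the minimum approved versions", lambda { |f|
    # Only packages that are actually installed can be stale; absent ones are not vulnerable.
    stale = MIN_VERSIONS.select { |name, min| f[:packages].key?(name) && !version_at_least?(f[:packages][name], min) }
    evidence = stale.empty? ? "all baseline packages at or above minimum" :
               stale.map { |n, min| "#{n}=#{f[:packages][n]} < #{min}" }.join(", ")
    [stale.empty?, evidence]
  })
].freeze

def run_controls(sshd_text, packages_text)
  facts = { sshd: parse_sshd_config(sshd_text), packages: parse_packages(packages_text) }
  CONTROLS.map { |c| c.run(facts) }
end

def summarize(results)
  counts = results.group_by { |r| r["status"] }.transform_values(&:size)
  { "passed" => counts.fetch("passed", 0), "failed" => counts.fetch("failed", 0) }
end

# The JSON report is the artifact the pipeline archives as the auditable record.
def report_json(results)
  JSON.pretty_generate("summary" => summarize(results), "controls" => results)
end

# Non-zero when any control failed: this is what a CI stage returns to block the deploy.
def ci_exit_code(results)
  summarize(results)["failed"].zero? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls(SAMPLE_SSHD_CONFIG, SAMPLE_PACKAGES)
  puts report_json(results)
  # In a pipeline stage you would finish with: exit ci_exit_code(results)
end
```

With the constructed inputs, sshd-01 fails because the first PermitRootLogin line says yes, sshd-02 passes, and pkg-01 fails because openssl 1.1.0 is below the placeholder baseline of 1.1.1; the report records the offending values next to each control so the failure is explainable without re-running anything on the host.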


*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: