Adding compliance assurance into DevOps practices to ship software faster with less risk

Software-based services — apps! — are now the primary way a company connects with customers. A company’s best chance at competing for a larger piece of the market is shipping software faster. Teams need to continuously deliver infrastructure to run applications, regardless of location or computing environment. But companies can’t ship software faster if security and compliance aren’t considered; neglecting them leaves customers and businesses more susceptible to vulnerability and risk.

The recent Forrester report, “Master DevOps For Faster Delivery of Software Innovation,” states that “organizations must integrate software supply chain practices into their application governance frameworks. DevOps practices provide the means for doing this at scale.”


Compliance as code allows SAP NS2 to achieve velocity

Jeremy Fields, Senior Director of Cloud Operations at SAP NS2, said DevOps at SAP NS2 means dev and ops teams work together to achieve velocity at releasing code. “Development teams which work through Chef and myriad other tools in order to automate our platform layer work hand in hand with operations. In the DevOps methodology, we can release through the system dev lifecycle, make sure it’s secure and the devs also integrate with O&M teams to see how that code actually works in a production environment.”

SAP NS2 provides SAP’s portfolio to the federal sector, which means they take pre-packaged applications and add additional layers of compliance and security to meet national security standards. In order to do so, SAP NS2 has to package compliance as code, and working with Chef and InSpec is the best way to automate compliance testing and log and audit policy failures for speedy remediation.

“We look at it from a holistic approach,” said Cheerag Patel, DevOps Manager at SAP NS2. “A lot of folks build environments and put compliancy in toward the end — which can cause a lot of trouble. If we start building with compliancy in mind from day one, it should make our lives a lot easier.”

With automated compliance, SAP NS2 can build federally secure systems from the get-go.

Remediate faster with Chef

When Shellshock hit in 2014, a major financial institution we work with saw drastic differences between its servers that were treated as code using Chef and those that had not yet migrated.

Systems that are treated as code can self-report, meaning the security team can quickly and easily identify the vulnerability and patch accordingly.

To learn more about how companies can use DevOps alongside tooling and automation to provide safe and flexible environments for more reliable software, check out Forrester’s report, “Master DevOps For Faster Delivery Of Software Innovation.”


Marc Holmes

Former Chef employee.