This is complemented by the ability to provide continuous scanning of devices and infrastructure elements based on policies. These policies do not depend on implicit trust; they are encoded, so that the company or the security team can make the policies they want enforceable.
Infrastructure as Code (IaC) drives security in both the IT infrastructure and DevOps worlds, much of which has or will shift to the cloud.
For instance, there are a lot of concerns around public cloud workflows. When we put our infrastructure platform apps on the public cloud, how do they behave? Are we leaving gaping holes?
IT can allay these concerns by applying a coded policy. This is particularly critical in regulated industries with compliance requirements from regulators and legal teams.
A Single Feedback Loop
To increase security, IT must detect issues and misconfigurations in the environment. Through IaC automation, or automation as code, one can achieve a simple feedback loop: detect the problem, figure out how to correct it, make the correction and then automate it. In essence, IT learns from that problem, so it doesn't happen again.
This issue discovery and correction covers everything from defining a base configuration for your organization's infrastructure, deploying updates to application code, patching and upgrading systems, to remediating vulnerabilities.
All of these must be fixed and are best handled in a coded, automated way.
These automated processes include the detection side as well as the fixing side. With a fast feedback loop, you can re-run your detection after every change that happens in the environment. That's how you get the speed and agility your engineering or dev teams need to get to market.
Policy as Code and the Beauty of a Shared Language
Every organization has policies that govern how they do their business. These policies define security standards, regulatory issues and other organizational mandates. Typically, these policies are defined as text in PDF documents, Word files or Excel worksheets. But that text must be interpreted by humans before it can be implemented or enforced.
In contrast, codified policies help organizations better document their policies in an unambiguous, shareable, actionable way. Chef's approach is to define and document these policies as unambiguous human readable code.
“One challenge in adding security and compliance elements to all these stages is that operational, development, security, and compliance professionals have their own language and corporate culture. Fortunately, the software code itself, along with codified infrastructure configurations, can serve as a common source of truth shared and understood by all the participants who play a role in the SDLC,” an IDG Security Compliance Survey argued.
With IaC, teams collaborate in a common language that is in human readable form.
Policy as Code results in shared languages and vocabulary. “Policy as Code brings configuration management and compliance into a single step, eliminating the security silo and moving everyone into a shared pipeline and a shared framework. Making DevSecOps an automated reality brings together all the critical steps, allowing you to overcome technical skills gaps and scale automation across your teams and environments,” argued the 7 Benefits of Policy as Code blog.
With IaC, a common collaboration language threads the needle between the different stakeholders: the security folks, development folks, compliance folks and DevOps.
Compliance as Code
Having a common language shared among your teams fortifies security and compliance. That language is where your stakeholders — from folks who care deeply about security or compliance to those who simply need to understand what's being codified in order to certify compliance — manage security.
Compliance as Code is the only way to achieve continuous compliance. An example of continuous compliance is when you make a compliance report, perhaps for an auditor. Almost as soon as that report is made, the report is no longer valid as your infrastructure and configurations have changed. With Compliance as Code, that report is a living document updated as infrastructure changes are made.
Continuous Compliance means security is no longer a barrier, but the enabler of speed and agility in developing what the market wants.
IaC offers the ability to scale beyond a single system in a consistent, repeatable, resilient and reliable way, to shift your security testing left from the end of the process to as far into the development cycle as possible. It also allows IT to continuously monitor the status of your security and compliance posture.
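The feedback loop described above (detect, correct, automate, re-run detection) and the idea of a compliance report that is regenerated as infrastructure changes can both be shown in a few lines of plain Ruby. The block below is an added example and is not Chef's or InSpec's code: the policy (three required sshd settings), the parser, the remediation step and the sample configuration are all constructed here for illustration; `compliance_report` is the "living document" that is rebuilt every time it is called against the current configuration.

```ruby
# Policy as Code: the policy is a data structure checked into version control,
# not a paragraph in a PDF. Each entry is "directive => required value".
# (Constructed example policy; adapt the directives to your own baseline.)
SSHD_POLICY = {
  'PermitRootLogin'        => 'no',
  'PasswordAuthentication' => 'no',
  'X11Forwarding'          => 'no',
}.freeze

# Parse an sshd_config-style text ("Key value" per line, '#' comments) into a hash.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Detection side of the loop: evaluate every control in the policy against the
# parsed configuration and record expected vs. actual.
def evaluate(cfg, policy = SSHD_POLICY)
  policy.map do |key, expected|
    actual = cfg[key]
    { control: key, expected: expected, actual: actual, pass: actual == expected }
  end
end

# Fixing side of the loop: set each policy directive to its required value and
# leave every unrelated directive (e.g. Port) untouched.
def remediate(cfg, policy = SSHD_POLICY)
  cfg.merge(policy)
end

# Serialise a parsed configuration back to the file format.
def render(cfg)
  cfg.map { |k, v| "#{k} #{v}" }.join("\n") + "\n"
end

# The compliance report is computed, never hand-written, so it is only ever as
# stale as the last time it was run.
def compliance_report(text, policy = SSHD_POLICY)
  results = evaluate(parse_sshd_config(text), policy)
  {
    total:  results.size,
    passed: results.count { |r| r[:pass] },
    failed: results.reject { |r| r[:pass] }.map { |r| r[:control] },
  }
end

# One full turn of the loop: report, remediate, then re-run detection on the
# corrected configuration to confirm the fix before it is automated.
def feedback_loop(text, policy = SSHD_POLICY)
  before = compliance_report(text, policy)
  fixed  = render(remediate(parse_sshd_config(text), policy))
  after  = compliance_report(fixed, policy)
  { before: before, after: after, config: fixed }
end

# Constructed sample input; not taken from any real host.
SAMPLE_SSHD_CONFIG = <<~CONF
  # sample sshd_config (constructed)
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
  X11Forwarding no
CONF

if __FILE__ == $PROGRAM_NAME
  result = feedback_loop(SAMPLE_SSHD_CONFIG)
  puts "before: #{result[:before][:passed]}/#{result[:before][:total]} passed, failed: #{result[:before][:failed].inspect}"
  puts "after:  #{result[:after][:passed]}/#{result[:after][:total]} passed"
  puts result[:config]
end
```

Running the file prints a 1/3 report for the sample (root login and password authentication fail), then a 3/3 report for the remediated configuration. In a real pipeline the same two calls would run on every commit to the infrastructure repository, which is what turns a one-off audit report into continuous compliance.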
One large bank is achieving these results with the help of Progress Chef. “How do you take the continuous delivery, DevOps concepts and scale them across a much larger organization? We proved that what we thought was provable really works and the benefits we suspected we would see we absolutely do see,” said Mike Murphy, Head of IT Operations for Standard Bank.
The same approaches that detangle DevOps complexity work equally for security. “To be effective, security defenses must be designed, applied, tested, and validated at multiple levels. The process starts with the code that makes up each application, and ultimately extends to infrastructure configurations, application interdependencies, and the security policies that companies institute,” an IDG Security Compliance Survey found.
DevSecOps, Survey Says!
An IDC survey published by CSO Magazine finds that DevSecOps, including automated testing, bolsters security and blocks cyber threats that attack misconfigurations, unpatched and un-updated systems and exploit faulty code.
But not all enterprises embrace DevSecOps. “Unfortunately, information and application security has often been an afterthought in the software development process. With cyberattacks escalating dramatically, the risks and consequences associated with flawed code and faulty infrastructure configurations have grown severe. This new reality has sparked intense interest in adding security and compliance testing throughout the software development lifecycle (SDLC),” according to the IDG Security Compliance Survey.
The IDG survey commissioned by Chef Software found that:
- “59% of respondents believe integrating security into the software development lifecycle (SDLC) is crucial for their organization’s success
- Nearly 9 out of 10 DevSecOps adopters found security to speed up – or at worst have no impact on – software delivery
- 60% of organizations believe that adopting DevSecOps reduces the risk of breaches”
Applying automation to DevOps and DevSecOps practices can speed development while boosting security. “Among adopters, nearly half (47%) said that security team involvement speeds the pace of development. Another 39% said that such involvement has no negative impact on development time,” the IDG report found.
DevSecOps pros interviewed by IDG agree. “‘All teams work in tandem, so the timelines are squeezed,’ explained the director of a midsize technology company. Another adopter—the CIO of an education solutions company—said, ‘Recognizing errors and finding solutions makes distribution fast,’” the report stated.
The opposite is also true: not applying best practices slows development. “42% of the non-adopters say security team involvement slows the pace of development. ‘There is ongoing intervention by the security team, therefore we factor in delays,’ said one survey respondent, a director of a midsize financial services company,” the report argued.
Leave it to Chef DevOps Automation Tools
Learn how Chef can radically simplify your DevOps with our DevOps Solutions and bring new levels of protection by perfecting your DevSecOps.
Chef democratizes DevOps with a way to configure, deliver, and manage from any cloud to any edge that is secure and compliant.