Organizations are constantly trying to deliver innovation and business value to their customers by building and deploying software faster. But such tight rollout schedules often come at the cost of quality and security. Balancing deployment frequency against security and quality is a significant challenge for most organizations.
Security and compliance review is one of the most overlooked yet critical phases in the software development cycle. It is usually relegated to a low-priority task at the end of development, right before deployment. This approach prolongs the feedback/approval loop, creating unnecessary bottlenecks when pushing code to the production environment.
This blog post discusses the security and compliance challenges that create major roadblocks in software delivery and why most organizations find implementing auditing and remediating processes daunting.
Speed vs Security
DevOps has greatly reduced the toil in development, enabling continuous delivery with streamlined processes and effective collaboration between teams. But the adoption of DevOps principles within information security teams has been considerably slower.
Security and compliance are non-negotiable, so not prioritizing them at every stage of development creates impediments when trying to deliver with speed. The constant demand to increase deployment velocity has amplified existing issues in the dev cycle and introduced higher failure rates. Breaches are not detected early, and remediation takes time to complete. Verizon's 2019 Data Breach Investigations Report highlights these risks -
- 56% of breaches took months or longer to discover.
- Since 2014 (for more than 5 years) 90% of observed exploits used only nine known vulnerabilities.
There is a delicate balance between the need for speed and the ability to do so in a secure and compliant way. Most teams involved in development view the process as cumbersome and time-consuming, mainly because -
- Security reviews are reserved for the end of a long delivery process. At this stage, prior delays have added to the pressure of getting the security review done quickly without impacting the delivery.
- Developers would rather focus on delivering innovations/business value without having to concentrate on manual and cumbersome audit processes.
- Even when done appropriately, current security and compliance efforts or processes provide limited visibility and hinder collaboration, which in many cases results in increased failure rates.
According to a recent Gartner report, 81% of IT professionals agree that InfoSec policies inhibit agility and speed while 77% of security professionals themselves agree that policies slow things down. Undoubtedly, the general perception is that InfoSec policies slow down software delivery.
Shift Left with Chef Compliance
Some of the reasons that make security reviews the Achilles' heel of dev teams are:
- It is often manual and slow.
- It relies on scanning tools that generate too much data.
- The data from scanning tools are not effectively managed or analyzed.
- Problems are detected late in the development cycle which makes remediation expensive.
- Exceptions are not managed appropriately.
Chef Compliance addresses each of the pain points by integrating compliance at every level of the dev cycle. The solution aims to streamline and redefine the entire audit and remediation process with our “policy as code” approach. Chef Compliance helps in maintaining and enforcing compliance across the organization while providing visibility and control across hybrid and multi-cloud environments.
Many of our customers have been able to enforce compliance effectively and easily using Chef Compliance solutions. They have seen:
- Quicker time to value: Customers can tune compliance profiles to address organization-specific requirements. No additional coding is needed to understand compliance posture and to identify non-compliant controls faster.
- Lower context switching: Customers can define and deploy compliance policies from their workstation and view results in Chef Automate for better visibility and control.
- Less code: Customers can configure waivers and remediation in a single file with little or no coding expertise.
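To make the "policy as code" idea concrete, here is an added illustration (not Chef's or InSpec's code) of what a control, a waiver and a remediation step look like when expressed as code, and how the results differ between a control that is skipped and one that is waived, the distinction the webinar agenda below lists. The waiver fields (expiration_date, run, justification) mirror the names used in InSpec waiver files; the evaluator, the host facts and the waiver entries themselves are constructed for this example.

```ruby
require 'date'

# Policy as code: a control is an id, an impact, a check over collected host
# facts, an optional applicability guard (only_if) and an optional fix.
Control = Struct.new(:id, :impact, :title, :check, :only_if, :fix, keyword_init: true)

# Constructed host facts standing in for what a scanner would collect (assumption).
# Returned fresh on each call so remediation can mutate a copy.
def sample_host
  {
    os_family: 'debian',
    sshd: { 'PasswordAuthentication' => 'yes', 'PermitRootLogin' => 'no' },
    packages: { 'telnet' => true }
  }
end

CONTROLS = [
  Control.new(id: 'sshd-01', impact: 1.0, title: 'SSH password authentication disabled',
              check: ->(h) { h[:sshd]['PasswordAuthentication'] == 'no' },
              fix:   ->(h) { h[:sshd]['PasswordAuthentication'] = 'no' }),
  Control.new(id: 'sshd-02', impact: 1.0, title: 'SSH root login disabled',
              check: ->(h) { h[:sshd]['PermitRootLogin'] == 'no' }),
  Control.new(id: 'pkg-01', impact: 0.7, title: 'telnet client absent',
              check: ->(h) { !h[:packages]['telnet'] },
              fix:   ->(h) { h[:packages].delete('telnet') }),
  Control.new(id: 'win-01', impact: 0.5, title: 'Windows-only hardening check',
              only_if: ->(h) { h[:os_family] == 'windows' },
              check: ->(_h) { raise 'must not run on non-Windows hosts' })
].freeze

# Waivers keyed by control id, using the InSpec waiver-file field names.
# Entries are constructed sample data, not a real exception register.
WAIVERS = {
  'sshd-01' => { 'expiration_date' => '2099-01-01', 'run' => true,
                 'justification' => 'Legacy jump host still needs passwords; exception approved' },
  'pkg-01'  => { 'expiration_date' => '2020-01-01', 'run' => false,
                 'justification' => 'Old exception; expired, so it must not hide the failure' }
}.freeze

# An expired waiver is ignored, so the underlying failure surfaces again.
def active_waiver(control_id, waivers, today)
  w = waivers[control_id]
  return nil unless w
  Date.parse(w['expiration_date']) >= today ? w : nil
end

def evaluate(control, host, waivers, today)
  # Skipped: the control does not apply to this host. Nothing runs and no waiver is involved.
  if control.only_if && !control.only_if.call(host)
    return { id: control.id, status: 'skipped', reason: 'only_if condition not met' }
  end

  waiver = active_waiver(control.id, waivers, today)

  # Waived with run: false: the check is not executed; the result is reported
  # as waived (never as passed) with the justification attached.
  if waiver && waiver['run'] == false
    return { id: control.id, status: 'waived', ran: false, reason: waiver['justification'] }
  end

  return { id: control.id, status: 'passed' } if control.check.call(host)

  # A failure under an active waiver is still recorded, just not counted as a failure.
  return { id: control.id, status: 'waived', ran: true, reason: waiver['justification'] } if waiver

  { id: control.id, status: 'failed', impact: control.impact }
end

def run_profile(controls, host, waivers, today = Date.today)
  controls.map { |c| evaluate(c, host, waivers, today) }
end

def summary(results)
  results.group_by { |r| r[:status] }.transform_values(&:size)
end

# Remediate genuine failures only: waived controls are explicit, time-boxed
# exceptions and are left alone; skipped controls never applied. Returns the re-run.
def remediate(controls, host, waivers, today = Date.today)
  failed = run_profile(controls, host, waivers, today).select { |r| r[:status] == 'failed' }
  failed.each { |r| controls.find { |c| c.id == r[:id] }.fix&.call(host) }
  run_profile(controls, host, waivers, today)
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2024, 6, 1)
  host = sample_host
  run_profile(CONTROLS, host, WAIVERS, today).each do |r|
    puts format('%-8s %-8s %s', r[:id], r[:status], r[:reason] || '')
  end
  puts "after remediation: #{summary(remediate(CONTROLS, host, WAIVERS, today))}"
end
```

Note the three distinct outcomes for a failing check: pkg-01 reports as failed because its waiver has expired, sshd-01 reports as waived because its waiver is still active, and win-01 is skipped without ever being evaluated. Remediation touches only the first category, which is what keeps a waiver an auditable exception rather than a silent suppression.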
“We can push a button and have a completely new VPC, with new application stacks, operational in less than 10 minutes. It has created a high-resilient ecosystem in which we’ve had zero data loss in five years.” - Robert Morrish, CEO, Haventec
Register for our upcoming webinar “Chef Compliance – An Update Story” to learn more about Chef Compliance and how your organization can benefit. The webinar focuses on:
- Basics of audit and remediate
- Skipped controls vs waivers
- Using datafeed options for third-party integrations, like ServiceNow
- Chef Compliance product roadmap
We will walk you through a demo of all these features in action to show how Chef helps with audit and remediation.