DevOps makes software deployment faster but, without proper controls, that often means developers are also releasing security vulnerabilities and non-compliant applications more quickly. Organizations must learn how to decrease risk by shipping software quickly, but with higher efficiency and lower risk. The solution is to not deal with information security right before or even in production.
Organizations can achieve both speed and safety by extending Agile, Lean, and DevOps (ALDO) principles to their information security teams and by adopting automation tools, such as Chef InSpec and Chef Automate. Tools like these turn compliance into code and integrate security into your full development cycle.
Make code better and keep data safe by shifting security and compliance left
– Odie Routh, Optum
Information security lags behind and
becomes a barrier to velocity
Most organizations understand the value of speed. But when you ask those same organizations if they can deliver software continuously and remain compliant, their response is eye-opening.
In the 2017 Chef Compliance Survey, DevOps practitioners placed InfoSec and Compliance concerns at the bottom of their priorities. Information security is still seen to inhibit agility and speed.
Operations Pros believe compliance policies slow them down
InfoSec Pros believe compliance policies slow them down
Devops organizations still suffer without the right tools and processes for compliance
Industry data shows that the secret behind the success of high-performing DevOps teams is that they have expanded their scope to involve InfoSec in every phase of the software development process. However, there’s still plenty room for improvement. InfoSec policies are slow to implement, slow to audit, and are firmly situated in practices that pre-date the shift toward orienting around automation and high velocity. As a result, they are arguably ineffective.
Estimates are that, through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year or more.* Verizon’s Data Breach report shows that for the last three years, more than 88% of observed exploits can be accounted for by only nine known vulnerabilities.**
Of DevOps organisations have to follow regulatory standards
Assess Compliance after development has begun
Assess code only after it’s in production
*Gartner—Predicts 2016: Threat and Vulnerability Management
**Verizon—Data Breach Investigations Report 2017
Both the speed of shipping and the speed of remediation are costly issues
In an era of rapidly developing threats and continually evolving compliance frameworks, what is becoming more alarming is the data relating to how long it takes most organizations to remediate their violations or vulnerabilities. When dozens or even hundreds of builds a day are deployed to production, that response time is simply unacceptable. And, keep in mind, these survey respondents practice DevOps.
Need hours to
Need days to
Need weeks to
Need months to
*Chef Software – Chef Compliance Survey 2017
Debunking the myth that safe can’t be fast
High-performing DevOps teams scale both speed and quality by shifting compliance into the software development process as part of their daily work, rather than retrofitting security at the end. With “shift left” testing (testing that integrates information security earlier in the development lifecycle, or to the left on the project timeline) developers are more likely to find errors before reaching production.
Tools that focus on managing compliance as code shift InfoSec assessments away from manual processes driven by binders full of policy documentation to a model where controls are instead expressed as executable, versionable, and human-readable code. These controls can be distributed as another set of tests any developer can incorporate into their existing workflow and toolchain. This code-driven approach builds on existing methods for collaboration already used by DevOps teams.
Bridging the compliance gap with InSpec and Chef Automate
Chef InSpec is open source testing framework for infrastructure. It is a human-readable language for specifying compliance, security, and other policy requirements as tests. Teams can easily integrate these automated tests into any stage of their deployment pipeline.
Integrate Chef InSpec with Chef Automate, Chef’s continuous automation platform, and you gain greater control over the detection and correction of issues, even in production. Across your entire fleet of servers and machines – no matter their environments – Automate provides analysis, reporting, and visualization based upon Chef InSpec data. Users can even download pre-packaged CIS benchmarks to use as is, or to customize to their business or industry standards.Learn more about Chef Automate