DevOps makes software deployment faster, but without proper controls that often means developers are also releasing security vulnerabilities and non-compliant applications more quickly. Organizations must learn to ship software quickly while reducing risk and improving efficiency. The solution is to stop treating information security as something handled just before, or even in, production.
Organizations can achieve both speed and safety by extending Agile, Lean, and DevOps (ALDO) principles to their information security teams and by adopting automation tools, such as Chef InSpec and Chef Automate. These tools translate compliance into code which can be easily integrated in any environment enabling you to integrate security into your full development cycle.
"Make code better and keep data safe by shifting security and compliance left." – Odie Routh, Optum
DevOps Organizations Still Suffer Without the Right Tools and Processes for Compliance
Industry data shows that the secret behind the success of high-performing DevOps teams is that they have expanded their scope to involve InfoSec in every phase of the software development process. However, there is still plenty of room for improvement. InfoSec policies are arguably ineffective because they are:
- slow to implement
- slow to audit
- difficult to automate
- an impediment to release velocity
The latest State of DevOps report states that "organizations must shift from reactive practices to proactive and diagnostic measures. Integrating security practices throughout their software supply chain delivers software quickly, reliably, and safely." The elite performers in the report managed to minimize both the change failure rate and the lead time for changes, which resulted in higher throughput and greater software stability.
Debunking the Myth That Safe Can't Be Fast
High-performing DevOps teams scale both speed and quality by shifting compliance into the software development process as part of their daily work, rather than retrofitting security at the end. With “shift left” testing (testing that integrates information security earlier in the development lifecycle, or to the left on the project timeline) developers are more likely to find errors before reaching production.
Tools that focus on managing compliance as code shift InfoSec assessments away from manual processes driven by binders full of policy documentation to a model where controls are instead expressed as executable, versionable, and human-readable code. These controls can be distributed as another set of tests any developer can incorporate into their existing workflow and toolchain. This code-driven approach builds on existing methods for collaboration already used by DevOps teams.
“The faster your teams can make changes to your software, the sooner you can deliver value to your customers, run experiments, and receive valuable feedback.” - 2021 Accelerate State of DevOps Report
Comparing the elite group against the low performers, we find that elite performers have:
- more frequent code deployments
- faster lead time from commit to deploy
- a lower change failure rate (changes are ⅓ less likely to fail)
- faster time to recover from incidents
Bridging the Compliance Gap with Chef Compliance Automation
Chef InSpec is an open-source testing framework for infrastructure. It is a human-readable language for specifying compliance, security, and other policy requirements as tests. Teams can easily integrate these automated tests into any stage of their deployment pipeline.
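The two passages above describe controls expressed as executable, versionable, human-readable tests that a developer can run like any other test. The following is an added example, not code from the page or from Chef, and it is not InSpec: it is a small stand-in DSL written in plain Ruby that imitates the shape of an InSpec profile (control / impact / title / expectation) so the policy reads as text, and then evaluates it against a constructed sshd_config snippet embedded inline. The control ids, the impact threshold, and the sample config are all assumptions made for the illustration.

```ruby
# Added example (not from the page or from Chef): a minimal "compliance as code"
# evaluator in plain Ruby. The control/impact/expect DSL below is a hypothetical
# stand-in for the look of an InSpec profile; it is not the InSpec framework.

# Constructed sample input: lines an sshd_config file might contain.
SAMPLE_SSHD_CONFIG = <<~CONF
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  Protocol 2
CONF

# Parse "Key value" lines into a hash; comments and blank lines are skipped.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# One policy requirement: an id, an impact in 0.0..1.0, a title and its checks.
# Each check is [description, lambda(cfg) -> true on pass].
Control = Struct.new(:id, :impact, :title, :checks)

# Collects the expectations declared inside a control block.
class ControlBuilder
  def initialize(checks)
    @checks = checks
  end

  # expect 'Key', to_eq: 'value' passes when the parsed config has Key set to
  # value (compared case-insensitively, as sshd itself treats keywords).
  def expect(key, to_eq:)
    @checks << ["#{key} should equal #{to_eq}",
                ->(cfg) { cfg[key].to_s.casecmp?(to_eq) }]
  end
end

# A profile is an ordered list of controls, declared in a readable block.
class Profile
  attr_reader :controls

  def initialize(&block)
    @controls = []
    instance_eval(&block)
  end

  def control(id, impact:, title:, &block)
    checks = []
    ControlBuilder.new(checks).instance_eval(&block)
    @controls << Control.new(id, impact, title, checks)
  end
end

# The policy itself: versionable text that reads like the requirement it encodes.
SSH_PROFILE = Profile.new do
  control 'ssh-01', impact: 1.0, title: 'Root login over SSH must be disabled' do
    expect 'PermitRootLogin', to_eq: 'no'
  end
  control 'ssh-02', impact: 0.7, title: 'Password authentication must be disabled' do
    expect 'PasswordAuthentication', to_eq: 'no'
  end
  control 'ssh-03', impact: 0.3, title: 'Only SSH protocol 2 is allowed' do
    expect 'Protocol', to_eq: '2'
  end
end

# Run every control against a parsed config and return a report hash:
# { passed: [ids], failed: [ids], max_failed_impact: Float }.
def evaluate(profile, cfg)
  passed, failed, max_impact = [], [], 0.0
  profile.controls.each do |ctl|
    if ctl.checks.all? { |(_desc, check)| check.call(cfg) }
      passed << ctl.id
    else
      failed << ctl.id
      max_impact = [max_impact, ctl.impact].max
    end
  end
  { passed: passed, failed: failed, max_failed_impact: max_impact }
end

# Pipeline gate: a non-zero exit code only when a control at or above the
# threshold fails, so low-impact findings are reported without blocking delivery.
def gate_exit_code(report, block_at: 0.7)
  report[:max_failed_impact] >= block_at ? 1 : 0
end

if __FILE__ == $PROGRAM_NAME
  report = evaluate(SSH_PROFILE, parse_sshd_config(SAMPLE_SSHD_CONFIG))
  SSH_PROFILE.controls.each do |ctl|
    status = report[:failed].include?(ctl.id) ? 'FAIL' : 'PASS'
    puts format('%-4s %-7s impact %.1f  %s', status, ctl.id, ctl.impact, ctl.title)
  end
  puts "gate exit code: #{gate_exit_code(report)}"
  # In a CI job the last line would be `exit gate_exit_code(report)`.
end
```

With the constructed config, ssh-01 fails (PermitRootLogin is yes) and the gate returns 1; flipping that one line to "no" makes every control pass and the gate returns 0. The point the passage makes is visible in the structure: the policy lives in the same repository as the code, is diffed and reviewed like code, and the same file that documents the requirement is the file that enforces it in the pipeline.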
With Chef Compliance Automation you gain greater control over the detection and correction of issues, even in production. Across your entire fleet of servers and machines – no matter their environments – Chef Automate provides analysis, reporting, and visualization based upon Chef InSpec data. Users can even download pre-packaged CIS benchmarks to use as is or to customize to their business or industry standards.
The Chef Infra Compliance Phase enables Chef InSpec users to automatically execute compliance checks as part of any Chef Infra Client run and achieve continuous compliance. It extends Chef's policy-based approach to configuration, enabling a single agent to handle the end-to-end workflow from state enforcement to data aggregation to validation. With the introduction of the Chef Infra Compliance Phase, the Audit Cookbook is no longer necessary: Chef Infra Client users can automatically execute compliance audits and view the results in Chef Automate as part of any Chef Infra Client run.