DevOps makes software deployment faster but, without proper controls, that often means developers are also releasing security vulnerabilities and non-compliant applications more quickly. Organizations must learn to ship software quickly while also lowering risk. The solution is to address information security throughout the delivery process, rather than only just before release, or even after the code is already in production.
Organizations can achieve both speed and safety by extending Agile, Lean, and DevOps (ALDO) principles to their information security teams and by adopting automation tools, such as InSpec and Chef Automate. Tools like these turn compliance into code and integrate security into your full development cycle.
Debunking the myth that safe can’t be fast
High-performing DevOps teams scale both speed and quality by shifting compliance into the software development process as part of their daily work, rather than retrofitting security at the end. With "shift left" testing (testing that integrates information security earlier in the development lifecycle, or to the left on the project timeline), developers are more likely to find errors before the code reaches production.
Tools that focus on managing compliance as code shift InfoSec assessments away from manual processes driven by binders full of policy documentation to a model where controls are instead expressed as executable, versionable, and human-readable code. These controls can be distributed as another set of tests any developer can incorporate into their existing workflow and toolchain. This code-driven approach builds on existing methods for collaboration already used by DevOps teams.
Bridging the compliance gap with InSpec and Chef Automate
InSpec is an open source testing framework for infrastructure. It is a human-readable language for specifying compliance, security, and other policy requirements as tests. Teams can integrate these automated tests into any stage of their deployment pipeline.
Integrate InSpec with Chef Automate, Chef's continuous automation platform, and you gain greater control over the detection and correction of issues, even in production. Across your entire fleet of servers and machines – no matter their environments – Automate provides analysis, reporting, and visualization based upon InSpec data. Users can even download pre-packaged CIS benchmark profiles to use as is, or to customize to their business or industry standards.
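To make the "compliance as code" idea above concrete, here is an added example of what an InSpec control file looks like. It is not code from the page or from Chef's own profiles: the control IDs, titles, the benchmark references in `tag`, and the profile layout are assumptions for illustration. It expresses three common SSH hardening checks as tests that a developer can run locally and a pipeline can run against a target host.

```inspec
# controls/ssh_hardening.rb  (constructed example; not from the page or from Chef's profiles)
# Lives inside a hypothetical "base-linux" InSpec profile alongside an inspec.yml.
# Control IDs, titles and the cis:/nist: references below are assumed for illustration.

control 'ssh-01' do
  impact 1.0                                    # 0.0 (informational) .. 1.0 (critical)
  title 'sshd must refuse direct root logins and password authentication'
  desc  'Root access goes through a named user and sudo so actions are attributable.'
  tag cis: '5.2.8', nist: 'AC-6'                # cross-references to external standards (assumed)

  # sshd_config is a built-in InSpec resource that parses /etc/ssh/sshd_config
  describe sshd_config do
    its('PermitRootLogin')        { should eq 'no' }
    its('PasswordAuthentication') { should eq 'no' }
  end
end

control 'ssh-02' do
  impact 0.7
  title 'sshd configuration file is owned by root and not world-readable'

  describe file('/etc/ssh/sshd_config') do
    it { should exist }
    it { should be_owned_by 'root' }
    its('mode') { should cmp '0600' }           # cmp handles octal/string comparison
  end
end

control 'ssh-03' do
  impact 0.5
  title 'sshd is enabled, running, and listening on its port'
  # Skip (rather than fail) on hosts that do not ship an SSH server at all
  only_if('openssh-server is not installed on this host') { package('openssh-server').installed? }

  describe service('sshd') do
    it { should be_enabled }
    it { should be_running }
  end

  describe port(22) do
    it { should be_listening }
    its('protocols') { should include 'tcp' }
  end
end
```

Each `control` has an identifier and an `impact`, so a report can be filtered by severity and the same file can be versioned and reviewed like any other code. In a pipeline the profile is validated with `inspec check .` and executed with `inspec exec . --reporter cli json:inspec-report.json`, optionally against a remote machine with `-t ssh://user@host`; `inspec exec` returns a non-zero exit status when any control fails, which is what lets a CI job gate a deployment on compliance, and the JSON report is the kind of data a platform such as Chef Automate aggregates across a fleet.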