The Case for Compliance Automation

Bridging the Gap Between Development & Information Security

Every company wants to move fast – and DevOps helps make software deployment faster. But without proper controls, moving faster may simply mean developers are releasing security vulnerabilities. Rather than approaching information security as a bolt-on afterthought in the development cycle, companies should leverage modern practices and adopt tools to maintain continuous compliance.

Digital transformation is a must in today’s competitive landscape, radically speeding the pace of operations and increasing the demands placed on businesses to deliver new experiences. Businesses that embrace digital transformation will capitalize on this disruption to become industry leaders. It’s a reality that rewards swiftness and agility.

But speed is nothing without control. Without proper controls, moving faster may simply mean developers are releasing security vulnerabilities faster, exposing their organizations and customers to greater risk. The increasing pace of rapid innovation isn’t going to slow down. Organizations have to master shipping software faster, with higher efficiency and lower risk. The primary defense to ensure safety and speed work together is how to test for compliance through Agile, Lean and DevOps (ALDO) principles.

DevOps is Eating the World

ALDO principles are about building high-velocity organizations with streamlined processes and the flexibility to respond to changing situations quickly. Continuous delivery puts those principles into practice in service of shipping software faster, safer and more reliably. As a result, we see that DevOps is eating the world of IT; a recent Rightscale report found that 78 percent of IT organizations are in some phase of DevOps adoption.^[1]

Despite the name, DevOps is about more than just the concerns of development and operations teams. DevOps is a cultural philosophy designed to lower barriers between teams traditionally working in silos by giving them ways to convey information quickly and effectively. Code becomes the source of truth and the mechanism by which teams communicate at scale.

Should your organization be practicing continuous delivery and following ALDO principles? Most organizations already understand the value of moving fast and the response to that is obvious. But when you ask those same organizations if they can deliver everything continuously and still remain compliant with information security standards, that response is anything but obvious. That’s because most information security teams simply aren’t set up to move with high velocity.

Information Security Lags Behind

Despite velocity gains across other IT teams, information security is still perceived to be an inhibitor to agility and speed. Gartner reports that among IT operations professionals, 81 percent say they believe information security policies slow them down. Information security professionals agree, with 77 percent sharing that very same dismal view.^[2]

Further, through 2020, Gartner estimates that 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year or more.^[3] Verizon’s Data Breach report shows that for the last three years, more than 88 percent of exploits observed can be accounted for by only nine known vulnerabilities.^[4]

Information security policies are slow to implement, slow to audit and firmly situated in practices that pre-date the shift toward orienting around high velocity, making them arguably ineffective as a result.

Mature DevOps organizations have taken steps to lower collaboration barriers across all teams by extending the same code-driven practices pioneered by development and operations to information security as well. Industry data shows that the secret behind the success of high-performing DevOps teams is how they have expanded their scope to involve information security in every phase of the software development process.

Security by the Numbers

In the past three years, organizations that test for security requirements throughout their software development processes have increased 80 percent (from 15 percent to 27 percent).^[5] Organizations are starting to see the value of incorporating security earlier into the development cycle. However, there’s still plenty room for improvement. An estimated 64 percent of DevOps organizations also have regulatory standards to follow. Of those, 73 percent wait to assess compliance after development has already started, and 59 percent don’t assess compliance until code is already running in production.^[6] That type of bolt-on approach to information security leads to higher levels of technical debt and rework as developed changes often require last minute modifications for acceptance, potentially exposing them to greater risk.

Compliance policies exist as a way of enforcing application and data security. The more frequently audits occur and vulnerabilities are remediated, the lower the risk of attackers exploiting known vectors. Data shows that 75 percent of organizations only assess the state of their compliance policies on a quarterly (or longer) basis, with 46 percent of those organizations making assessments at an inconsistent rate.^[7]

Further, if vulnerabilities or compliance violations are discovered, one-in-four organizations needs weeks or months to remediate them. In a world where dozens or hundreds of builds a day are deployed to production, that response time is simply unacceptable for a high-velocity organization to stay competitive. The challenge is to reconcile the needs of information security with the speed of continuous delivery.

The Tension Between Speed and Risk

DevOps teams focus on shipping software fast and increasing speed, whereas information security teams are focused on mitigating risk. Historically, these were viewed as diametrically opposed goals. If companies increased speed, they sacrificed quality and increased risk and vice versa.

But years of industry data now show that this perception is a myth. High-performing DevOps teams are able to scale both speed and quality by building quality and security into the software development process as part of their daily work, rather than retrofitting security at the end.^[8] Security becomes an integral part of continuous delivery because verifying security requirements is part of automated testing processes.

The problem organizations face here is that most information security tools simply aren’t built for this purpose. They are too far removed from the typical developer’s workflow and toolchain. In order to integrate information security into the development cycle, it’s necessary to meet high-velocity teams where they already are: code-driven continuous delivery.

Most information security tools are built around manual assessments: audit, penetration testing, vulnerability scanning, auth testing, etc. These are vital information security functions; however, the security posture implemented by these tools is typically orthogonal to software development postures that use small automated tests with fast feedback loops that can be applied frequently during every phase of development.

Building quality and security into the daily work of software development means that developers share responsibility for implementing your company’s security posture. The problem is that in traditional silos, the distance between a developer making a decision about feature design and understanding how that feature runs in production is so vast that it’s difficult to assign them that responsibility. The key, therefore, is to bridge that divide by managing your information security posture the same way you manage your development posture.

Compliance as Code

A new breed of tools has emerged to help bridge that divide and resolve the tension between speed and risk. Tools that focus on managing compliance as code shift information security assessments away from manual processes driven by three-ring binders full of policy documentation to a model where controls are instead expressed as executable, versionable and human-readable code. These executable controls can then be distributed as another set of tests any developer can pull into their existing workflow and toolchain.

This code-driven approach to collaboration builds on existing methods already in use by DevOps teams. The distance between understanding feature development and understanding how that feature will run in production is shortened because every developer can easily reference what the security postures are, how their features should comply and how to influence change if necessary – thereby creating a sense of ownership and responsibility that carries throughout daily work.

Rather than remaining perceived as slow and largely ineffective, information security teams can instead enable a state of high-velocity continuous compliance by making pre-approved, easy to consume automated processes for development and operations to ensure security is built into every part of the software development cycle.

^[1] Rightscale – 2017 State of the Cloud report

^[2] Gartner – DevSecOps: How to Seamlessly Integrate Security Into DevOps 2016

^[3] Gartner – Predicts 2016: Threat and Vulnerability Management

^[4] Verizon – Data Breach Investigations Report 2017

^[5] Sonatype – DevSecOps Community Survey 2017

^[6] Chef Software – Chef Survey 2017

^[7] Chef Software – Chef Survey 2017

^[8] DORA – 2016 State of DevOps Report