Wednesday, September 28, 2016

“Shift Left” Security and Compliance Automation with InSpec and Chef [feedly]

"Shift Left" Security and Compliance Automation with InSpec and Chef
https://blog.chef.io/2016/09/26/shift-left-security-and-compliance-automation-with-inspec-and-chef/

-- via my feedly newsfeed

Velocity needs control to be successful. As DevOps delivers high-velocity, high-performing digital transformation for business, there is increased focus on the need for security and compliance capabilities to match. Balancing these two seemingly contradictory demands – velocity and control – is difficult. We're excited that our launch of InSpec 1.0, and its integration with Chef Automate, can help deliver compliance at velocity for your app delivery pipelines.

Compliance is Everyone's Business

Security and compliance functions have changed from being business enablers to critical components of every organization's daily processes. Corporations no longer look at these functions as a problem that belongs to the Chief Security Officer or the Chief Compliance Officer; it's the board's problem now.

With the adoption of DevOps practices such as continuous integration and continuous deployment, high performing teams are shipping code a few hundred times faster than their low performing counterparts. The rate of change of infrastructure and applications adds compounds security and compliance risks.

Continuous Compliance

Ideally, security teams would take part in a continuous integration or continuous deployment process, with automation ensuring security and compliance policies are incorporated into the application development pipelines. Tests are run, issues remediated and audit trails generated.

Stated simply, security and compliance processes should be embedded in every step of your DevOps pipeline. The fundamental shift here is to see security as an integral part of the product, and not an after-the-fact process that slows down "real" work and productivity.

Compliance as Code

InSpec offers integration of compliance processes into a DevOps pipeline by enabling you to express your requirements as code.

When compliance is code, organizations can remain secure while staying true to their DevOps principles. They can create awesome products and services, provide insights directly to developers, and generally favor iteration over trying to come up with the best answer just before a deployment.

When compliance code is human-readable and easy to understand, security and compliance teams can actively engage in the development process. Organizations that remove security and compliance as a bottleneck in their application development pipeline will see their ideas become a reality, rapidly and safely.

We at Chef are empowering forward-thinking organizations by fostering collaboration among seemingly disparate teams to work together to reach their goals.

Shifting Left

We call this a drive to "shift left": moving risk from production and into build, allowing compliance and security issues to be addressed earlier in the pipeline rather than later.

Michael Hedgepeth, Sr Software Architect at NCR, underlines how important the concept of automation at scale is:

"The only way that security can audit at scale and velocity is if they automate the audit. Our security people have really gotten that and gotten behind InSpec."

The code is easy to understand so everyone on the team can participate. Developers know what standards they're expected to meet and auditors know exactly what is being tested. With InSpec, you can replace spreadsheets filled with abstract descriptions with tangible tests that have a clear intent.

At Chef, we believe innovation, security and compliance are not incompatible. We believe the solution is to bring teams together to realize value quickly, safely and securely.

Together, InSpec and Chef Automate can help you bring compliance at velocity to your app delivery pipeline.

Try It

Learn More

The post "Shift Left" Security and Compliance Automation with InSpec and Chef appeared first on Chef Blog.