DevSecOps increases the speed of development and the security of the delivered software. Traditionally, compliance has been a separate consideration. But can DevSecOps help with compliance as well?
Enterprise compliance has always been important, but with the introduction of GDPR and CCPA, compliance has become business-critical. An Accenture study found that 84% of respondents have a dedicated Technology Compliance Officer. The financial risks associated with non-compliance have become quite steep, as seen when Google was fined €50 million (about $57 million) by CNIL, the French data protection regulator, in January 2019.
Until recently, most essential compliance checks were performed separately from the development process. This often meant that compliance checks and audits were completed late in the delivery cycle, resulting in rewrites and other inefficiencies that slow down the software development lifecycle (SDLC) for DevOps teams. When these checks are completed manually, there is also a risk of human error that may result in non-compliant revisions reaching the end product.
What Is the Role of DevSecOps in Compliance Management?
Now, SecOps and DevOps are converging to form a new operating paradigm: DevSecOps.
By enlisting SecOps during application development, DevSecOps lets enterprises keep compliance requirements in scope while the SDLC for applications and services is accelerated via DevOps. When compliance checks shift left in the SDLC, SecOps can remediate compliance problems collaboratively with DevOps earlier in the development cycle, when the fix is a changed commit rather than a rewrite.
DevSecOps promotes the adoption of compliance-as-code: expressing compliance requirements in a form that humans and machines can both read, typically a declarative test or policy DSL rather than application code, so that SecOps personnel can author policies without being full-time developers. These policies are stored in a source code version control system like Git, reviewed and versioned like any other code, and run continuously during the development phase. (Note that this expands the traditional role of SecOps; compliance is primarily meant to minimize regulatory and contractual risks to your organization, and is not solely to enhance security.)
DevSecOps for Automated Compliance Management
By shifting compliance checks left in the SDLC, DevOps teams get feedback on each commit from compliance monitoring tools. One platform-agnostic tool is Chef InSpec, which expresses compliance frameworks and IT policies as automated tests (controls) that run against servers, containers and cloud accounts and can be executed as a pipeline stage. Developers can see whether a revision that changes application or service functionality still adheres to the enterprise compliance framework or IT policies, and rework commits that do not before they are merged.
SecOps teams will still provide judgement and feedback to DevOps teams, but the majority of these compliance checks can be automated, because cloud platforms expose their configuration and state through APIs that policy tooling can query. Examples of CI/CD compliance solutions include Grafeas, an open-source API and metadata store for software artifacts (build provenance, vulnerability scan results, attestations), and Kritis, a Kubernetes admission controller that enforces deploy-time policies for the software supply chain, such as refusing images that lack a required attestation or that carry vulnerabilities above a chosen severity.
Another helpful practice is to vet changes using the free and open-source OWASP Zed Attack Proxy (ZAP), a dynamic application security testing (DAST) scanner that integrates with your CI/CD pipeline and exercises the running application for issues such as injection, cross-site scripting and missing security headers. Identifying vulnerable third-party software components is a separate, software composition analysis (SCA) task; OWASP Dependency-Check, for example, matches dependencies against the NIST National Vulnerability Database and can fail the build when a finding's CVSS severity score exceeds a threshold you set according to your enterprise compliance needs.
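How a CVSS-threshold build gate with time-boxed exceptions behaves, as an added example rather than code from ZAP, Dependency-Check or any other tool. The report entries and the suppression list are constructed for illustration (only CVE-2021-44228 and its 10.0 score are real NVD data; the other identifiers are placeholders); the severity bands are NVD's qualitative ratings for CVSS v3.x base scores, and the fixed "today" keeps the run reproducible.

```python
"""CI gate on CVSS severity, with time-boxed suppressions.

Added example, not code from ZAP, Dependency-Check or any vendor. The
report entries (apart from CVE-2021-44228, whose 10.0 score is NVD's) and
the suppression list are constructed for illustration; real SCA tools emit
their own report schemas and suppression formats.
"""
from dataclasses import dataclass
from datetime import date

# NVD qualitative ratings for CVSS v3.x base scores: lower bound -> label.
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")]
RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Fixed "today" so the example gives the same answer whenever it is run.
EXAMPLE_DATE = date(2024, 6, 1)


def severity(score: float) -> str:
    """Map a CVSS v3.x base score to its NVD severity label."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "NONE"


# Constructed report: one entry per (component, CVE), as an SCA stage
# might emit after matching dependencies against the NVD.
REPORT = [
    {"component": "log4j-core-2.14.1.jar", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"component": "widget-parser-3.1.0", "cve": "CVE-0000-0002", "cvss": 8.1},
    {"component": "libfoo-1.2.3", "cve": "CVE-0000-0003", "cvss": 5.3},
    {"component": "barlib-0.9.0", "cve": "CVE-0000-0004", "cvss": 7.0},
]


@dataclass(frozen=True)
class Suppression:
    """A reviewed exception: it must say why, and it must expire."""
    cve: str
    component: str
    reason: str
    expires: date


# Constructed suppression list, versioned next to the pipeline config.
SUPPRESSIONS = [
    Suppression("CVE-0000-0002", "widget-parser-3.1.0",
                "vulnerable code path unreachable; tracked in SEC-123 (constructed)",
                date(2099, 1, 1)),
    # A waiver that has lapsed: it no longer silences anything.
    Suppression("CVE-2021-44228", "log4j-core-2.14.1.jar",
                "temporary waiver while upgrading", date(2021, 12, 31)),
]


def blocking_findings(report, suppressions, threshold="HIGH", today=None):
    """Return the findings that fail the build under the given threshold.

    A finding blocks when its severity is at or above the threshold and
    no unexpired suppression names exactly this (CVE, component) pair.
    """
    today = today or EXAMPLE_DATE
    active = {(s.cve, s.component) for s in suppressions if s.expires >= today}
    blocking = []
    for entry in report:
        label = severity(entry["cvss"])
        if RANK[label] < RANK[threshold]:
            continue
        if (entry["cve"], entry["component"]) in active:
            continue
        blocking.append({**entry, "severity": label})
    return blocking


def build_passes(report, suppressions, threshold="HIGH", today=None) -> bool:
    """Pipeline exit condition: true only when nothing blocks."""
    return not blocking_findings(report, suppressions, threshold, today)


if __name__ == "__main__":
    for f in blocking_findings(REPORT, SUPPRESSIONS):
        print(f"{f['severity']:8} {f['cve']} in {f['component']}")
    print("build passes:", build_passes(REPORT, SUPPRESSIONS))
```

Two details matter in practice: a suppression is keyed on the exact (CVE, component) pair, so upgrading the component or a new CVE in the same package re-opens the question, and an expired suppression stops silencing the finding rather than failing open, which is what turns a waiver into a forcing function.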
By integrating and automating these various compliance checks, you create an environment of continuous compliance, which is built upon automated processes and workflows that promote compliance as a requirement rather than an afterthought in the minds of developers. In short, developers build their software around the compliance requirements of the business from the very beginning, instead of building and then augmenting to adhere to compliance frameworks.
Current Applications
Many of these workflows and technologies are still in their infancy; therefore, low-level compliance management tasks are the best candidates for automation at this time. These include identity and access management (IAM) with role-based access control (RBAC), key management services (KMS), and Threat and Vulnerability Management (TVM) system-alert automation.
Tracking changes to your RBAC policies is integral to maintaining compliance, as those policies define who can read and edit stored data. KMS ties in with RBAC to govern access to encrypted data, ensuring only principals with sufficient privileges can use the decryption keys for the data in question. Data should be categorized by sensitivity, with continuous compliance checks confirming that data which must be encrypted is indeed encrypted, both in transit and at rest, and that key policies grant decrypt rights only to the roles that need them. Finally, TVM integration with your CI/CD pipeline provides evidence of the action you take to remediate findings, simplifying audits against regulations and standards such as PCI DSS and HIPAA.
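The RBAC, KMS and encryption checks described here, and the InSpec-style pipeline gate described earlier in the section, share one shape: policy rules run over an inventory and yield findings. The following added example (not the page's, Chef's or Reblaze's code) shows that shape in Python over a constructed cloud inventory; the inventory fields, the sensitivity classes, the admin-size limit and the CC-* rule identifiers are assumptions for this example rather than any real framework.

```python
"""Compliance-as-code over a resource inventory.

Added example, not code from the page or from InSpec, Chef or Reblaze.
The inventory, field names, classification scheme and rule identifiers
(CC-*) are constructed for illustration and do not come from any real
compliance framework.
"""
import copy
from dataclasses import dataclass
from typing import Callable, Iterator

# Data classes that must be encrypted with a customer-managed key and
# reachable only over TLS (assumed classification scheme).
SENSITIVE = {"restricted", "confidential"}
MAX_ADMINS = 3  # assumed policy: the admin role is bounded to a few people

# Constructed inventory, as a pipeline job might receive from an IaC plan
# or an infrastructure export.
INVENTORY = {
    "buckets": [
        {"name": "card-data", "classification": "restricted",
         "encryption": {"at_rest": "kms", "kms_key": "key-cards"},
         "tls_only": True},
        {"name": "marketing-assets", "classification": "public",
         "encryption": {"at_rest": "none"}, "tls_only": False},
        {"name": "hr-records", "classification": "restricted",
         "encryption": {"at_rest": "provider-default"}, "tls_only": True},
    ],
    "kms_keys": [
        {"id": "key-cards", "decrypt_principals": ["role/payments-api"]},
        {"id": "key-audit", "decrypt_principals": ["*"]},
    ],
    "role_bindings": [
        {"role": "role/payments-api", "principals": ["svc-payments"]},
        {"role": "role/admin",
         "principals": ["alice", "bob", "carol", "contractor-x"]},
    ],
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    message: str


Rule = Callable[[dict], Iterator[Finding]]


def sensitive_data_uses_kms(inv: dict) -> Iterator[Finding]:
    """CC-ENC-01: sensitive buckets must use an existing customer-managed key."""
    keys = {k["id"] for k in inv["kms_keys"]}
    for b in inv["buckets"]:
        if b["classification"] not in SENSITIVE:
            continue
        enc = b["encryption"]
        if enc.get("at_rest") != "kms" or enc.get("kms_key") not in keys:
            yield Finding("CC-ENC-01", b["name"],
                          "sensitive data not encrypted with a managed KMS key")


def sensitive_data_requires_tls(inv: dict) -> Iterator[Finding]:
    """CC-ENC-02: sensitive buckets must refuse plaintext transport."""
    for b in inv["buckets"]:
        if b["classification"] in SENSITIVE and not b.get("tls_only"):
            yield Finding("CC-ENC-02", b["name"], "TLS not enforced in transit")


def no_wildcard_decrypt(inv: dict) -> Iterator[Finding]:
    """CC-KMS-01: decrypt permission must name principals, never '*'."""
    for k in inv["kms_keys"]:
        if "*" in k["decrypt_principals"]:
            yield Finding("CC-KMS-01", k["id"], "decrypt granted to any principal")


def admin_role_bounded(inv: dict) -> Iterator[Finding]:
    """CC-IAM-01: the admin role may hold at most MAX_ADMINS principals."""
    for rb in inv["role_bindings"]:
        if rb["role"] == "role/admin" and len(rb["principals"]) > MAX_ADMINS:
            yield Finding("CC-IAM-01", rb["role"],
                          f"{len(rb['principals'])} members, limit {MAX_ADMINS}")


RULES: list[Rule] = [sensitive_data_uses_kms, sensitive_data_requires_tls,
                     no_wildcard_decrypt, admin_role_bounded]


def evaluate(inv: dict) -> list[Finding]:
    """Run every rule; the returned list is the evidence the pipeline stores."""
    return [f for rule in RULES for f in rule(inv)]


def is_compliant(inv: dict) -> bool:
    """Pipeline gate: any finding blocks the merge."""
    return not evaluate(inv)


def remediated(inv: dict) -> dict:
    """The fixed revision of the inventory above: what the developer commits."""
    fixed = copy.deepcopy(inv)
    fixed["kms_keys"].append({"id": "key-hr", "decrypt_principals": ["role/hr-app"]})
    fixed["buckets"][2]["encryption"] = {"at_rest": "kms", "kms_key": "key-hr"}
    fixed["kms_keys"][1]["decrypt_principals"] = ["role/audit-reader"]
    fixed["role_bindings"][1]["principals"] = ["alice", "bob", "carol"]
    return fixed


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.rule_id}  {f.resource}: {f.message}")
    print("compliant:", is_compliant(INVENTORY))
    print("after fix:", is_compliant(remediated(INVENTORY)))
```

Run as a pipeline stage, `is_compliant` becomes the exit status and the list from `evaluate` is the artifact an auditor can later search by rule, resource and commit. Note that the encryption rule checks that the referenced key actually exists, not only that a key is named: a dangling key reference passes a naive string check while leaving the data unreadable or, worse, silently falling back to a provider default.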
How Does DevSecOps Improve Compliance Management?
Now that we’ve discussed some ways in which DevSecOps can help achieve and maintain compliance, let’s cover the advantages of this operating paradigm.
More Compliance Feedback: By integrating security auditing, continuous compliance monitoring, and TVM alerts into your pipelines, you significantly increase the quantity and quality of compliance-related feedback. As the old adage goes, “You don’t know what you don’t know,” and without feedback on the state of your IT compliance, you cannot take steps to improve it. This feedback can then be used at all stages of the SDLC to influence your planning, development, review, and testing workflows in the CI/CD pipeline.
Preventative Monitoring and Feedback Loops: Prevention is better than a cure, and preventing compliance missteps earlier in the SDLC serves to increase development velocity. Without this SDLC compliance validation, hours or days of development work could be submitted for approval, only for it to be rejected on the grounds of non-compliance. This creates more work and only serves to frustrate developers due to wasted time.
Continuous Audits: Many organizations are subject to compliance assessments throughout the year. Using PCI DSS as an example, this includes an annual assessment by a Qualified Security Assessor (QSA), performed on-site for the largest merchants while smaller ones self-assess, and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). The most painful part for enterprises is the annual assessment, which evaluates the organization's compliance practices and the evidence behind them.
By using a continuous auditing tool integrated with your SDLC, you build a searchable audit trail: which policy was checked, against which commit or deployment, with what result, and who approved any exception. Because that evidence already exists when the assessor arrives, the weeks or months usually spent collecting artifacts for the annual audit can be cut to a few weeks.
Behavior-Driven Development: While DevOps and SecOps can work together, SecOps will not necessarily have the coding knowledge your development team has. This can be a problem, as SecOps is the team with the most knowledge of your IT compliance initiatives and policies. However, SecOps personnel are also the most logical people to implement compliance-as-code.
With tools like SpecFlow (for .NET) and Cucumber, the barrier to entry is reduced by Gherkin, a structured plain-language syntax written in a Given-When-Then style. Your SecOps team can write compliance requirements as Gherkin scenarios, and developers bind each step to a short step definition in code, so the same text is both the policy and an executable test. Writing the scenarios in plain language, in the spirit of the plain-language initiative promoted by the US government, reduces communication bottlenecks between the teams.
In summary, Compliance-as-Code lowers the barrier of entry for non-technical personnel, allowing them to express policy in a code-adjacent syntax written in plain English. For Gherkin specifically, ‘Given’ establishes the context or precondition, for example, ‘Given the user has two-factor authentication off’. ‘When’ specifies the triggering event or action, for example, ‘When the user logs in’. Finally, ‘Then’ specifies the expected outcome, which is what the test asserts; ‘Then’ in this case could be ‘Then the user is prompted to enable two-factor authentication’. This allows security personnel with less coding knowledge to specify IT compliance policies, for both customers and employees, in a form developers can execute.
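What a BDD tool does with those sentences, as an added example and not SpecFlow or Cucumber code: a minimal Gherkin parser and step runner in Python, with each Given/When/Then step bound by a regular expression to a step definition that drives a toy account model. The feature text, the step patterns and the World class are constructed for this example; the point it makes is that the scenario is only a specification until every step has a binding, so an unbound step is treated as a hard error rather than a pass.

```python
"""Executable Given-When-Then for a compliance rule.

Added example; this is not SpecFlow or Cucumber code but a minimal
version of what those tools do underneath: a Gherkin scenario is only a
specification until each step is bound to a step definition in code.
The feature text, step patterns and account model are constructed here.
"""
import re

# Constructed scenarios, as a policy owner would write them.
FEATURE = """\
Feature: Second-factor enforcement
  Scenario: Accounts without 2FA are prompted
    Given the user has two-factor authentication off
    When the user logs in
    Then the user is prompted to enable two-factor authentication

  Scenario: Accounts with 2FA are left alone
    Given the user has two-factor authentication on
    When the user logs in
    Then the user is not prompted
"""

STEPS = []  # (compiled regex, function) pairs: the step definitions
KEYWORDS = ("Given", "When", "Then", "And", "But")


def step(pattern: str):
    """Bind a regex over the step text to the function that performs it."""
    def register(fn):
        STEPS.append((re.compile(pattern), fn))
        return fn
    return register


class World:
    """Toy account model standing in for the application under test."""

    def __init__(self):
        self.two_factor = False
        self.prompts = []

    def login(self):
        # The control being specified: nag accounts that lack a second factor.
        if not self.two_factor:
            self.prompts.append("enable-2fa")


@step(r"the user has two-factor authentication (on|off)")
def given_two_factor(world: World, state: str):
    world.two_factor = state == "on"


@step(r"the user logs in")
def when_login(world: World):
    world.login()


@step(r"the user is prompted to enable two-factor authentication")
def then_prompted(world: World):
    assert "enable-2fa" in world.prompts


@step(r"the user is not prompted")
def then_not_prompted(world: World):
    assert world.prompts == []


def parse(text: str) -> list:
    """Return (scenario name, [step text, ...]) pairs from Gherkin text."""
    scenarios = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(" ", 1)
        if line.startswith("Scenario:"):
            scenarios.append((line[len("Scenario:"):].strip(), []))
        elif len(parts) == 2 and parts[0] in KEYWORDS and scenarios:
            scenarios[-1][1].append(parts[1])
    return scenarios


def run(text: str) -> dict:
    """Execute each scenario against a fresh World; True means it passed.

    A step with no definition raises LookupError instead of passing: an
    unbound policy step must never silently count as compliant.
    """
    results = {}
    for name, steps in parse(text):
        world = World()
        try:
            for step_text in steps:
                for pattern, fn in STEPS:
                    match = pattern.fullmatch(step_text)
                    if match:
                        fn(world, *match.groups())
                        break
                else:
                    raise LookupError(f"no step definition for: {step_text}")
            results[name] = True
        except AssertionError:
            results[name] = False
    return results


if __name__ == "__main__":
    for scenario, passed in run(FEATURE).items():
        print(f"{'PASS' if passed else 'FAIL'}  {scenario}")
```

The division of labour is the point: the policy owner edits `FEATURE`, the developer maintains the four step definitions, and the `Then` step is the only place an assertion lives, so a scenario can fail for exactly one reason, the application did not behave as the policy says.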
Web Security, DevSecOps, and Compliance
As you can see, DevSecOps has immense potential to improve both regulatory compliance and general cybersecurity in the enterprise. By leveraging insights from SecOps teams, DevOps personnel can start building applications that are foundationally compliant, reducing non-compliance risks for your organization.
An important part of this process is maintaining tight web security, and ideally, doing this automatically. Reblaze is a cloud-based platform that offers Web Security for DevSecOps. It provides Infrastructure-as-Code functionality, and can be controlled programmatically via its API. Reblaze dynamically recognizes and protects new applications and APIs, supporting fast-moving DevOps environments by adapting to new deployments and evolving traffic flows. Reblaze offers web application protection, API security, DDoS mitigation, advanced bot management, a client-side SDK for mobile/native app protection, and more.
Reblaze is a fully managed, certified, and compliant web security platform. For more information, feel free to contact us.