Why building compliance as code in DevOps will benefit your entire company

Vanessa Wegner ·
Aug 19, 2019 · 6 min read

Compliance, both regulatory and self-imposed, is another area where the shift-left movement has taken hold. By building compliance into your workflow with compliance as code methods, your team can save time while producing secure, low-risk code.

What is compliance as code?

Compliance as code methods ensure that the correct regulatory or company compliance requirements are fulfilled with zero-touch on the path to production. It builds compliance into development and operations.

The utilization of compliance as code tools enable stakeholders to ensure that production procesesses are compliant by means of defining how resources must be configured. Such a structure often allows these tools to automatically adjust resources into a compliant state in order to meet these pre-defined compliance requirements.

This type of minimal-friction compliance is a crucial solution for large enterprises – especially those subject to complex regulation (such as enterprises operating in healthcare or financial services). By building compliance into the DevOps lifecycle, you will streamline the workflow and save developers valuable time during review and testing.

Benefits of compliance as code

Adopting compliance as code brings a number of advantages and new operational capabilities.

Challenges of compliance as code

DevOps means experiencing changes often and quickly, and despite the benefits that automated compliance as code brings, it can also be a challenge. It can sometimes be difficult for security to keep up with the speed of change.

And sometimes, even automated compliance as code isn’t perfect. It’s important to remember that there’s no cap on how careful you should be when it comes to DevOps compliance. Despite having automation in place, a pair or two of human eyes open to keep watch is still useful – even if it means a possible increase in human error.

How to impliment compliance as code

As Jim Bird wrote for O’Reilly, compliance as code policies must be defined up front, and will bring together management, compliance, internal audit, PMO, and infosec leaders. This group will work together to define rules and control workflows. Management also needs to understand how operational and other risks will be handled throughout the pipeline.

How your company does establish compliance as code policies will depend on how your team is structured but regardless of how your teams interact, transparency is required. To ensure that information is shared and decisions are made collaboratively, consider establishing the following guidelines:

Enhance technology with culture

Technology and processes will only work if your team cultures are aligned with your goal – and culture starts at the top. Team leaders should promote and exemplify a security-first mentality and openness to collaborative change. This will be a new way of thinking for some, but it will help teams adopt the shift-left trend, ultimately saving everyone time and reducing business risk.

Compliance and open source

In 2015, The Linux Foundation found that more than 60% of companies build products with open source software, but more than half of those companies don’t have formal procedures in place to ensure their software complies with open source licenses and regulations. Companies should create a free and open source software (FOSS) compliance program not only to abide by copyright notices and license obligations, but also to protect company IP and third-party source code from disclosure.

How we do compliance at GitLab

We began our formalized compliance program towards the end of our Series C funding round, which was fairly early compared to other businesses of our size. The benefit of starting early was that we were able to implement security controls while we were still developing and evolving our operating processes, instead of retrofitting security to the business. The key decision in our approach was choosing between independent or aggregate security controls: We chose the aggregate route, leveraging Adobe’s CCF, rather than implementing industry frameworks individually. This allowed us to mitigate overlapping asks to GitLab teams, which enabled an agile and efficient program standup, and gave the compliance group internal credibility.

Compliance as code provides benefits across your ecosystem

There are benefits to everyone from the developer to the third-party auditor when compliance is baked into code from the beginning. These benefits include:

Common compliance as code tools

Google Cloud Platform, Amazon Web Services, and Azure are all cloud services that can be used in compliance as code. And oftentimes, these tools are even more effective when paired with native tools.

Through proper tool adoption, the three core actions of a compliance strategy can be automated: prevention, detection, and remediation.

Cover image by Hack Capital on Unsplash

“How to get started with compliance as code” – Vanessa Wegner

Click to tweet

Edit this page View source