Adding compliance assurance into DevOps practices to ship software faster with less risk

Software-based services — apps! — are now the primary way a company connects with customers. A company’s best chance of competing for a larger share of the market is shipping software faster. Teams need to continuously deliver the infrastructure that runs those applications, regardless of location or computing environment. But companies can’t ship software faster if security and compliance aren’t built in from the start; leaving them out exposes customers and the business to more vulnerabilities and risk.

The recent Forrester report, “Master DevOps For Faster Delivery of Software Innovation,” states that “organizations must integrate software supply chain practices into their application governance frameworks. DevOps practices provide the means for doing this at scale.”


Compliance as code allows SAP NS2 to achieve velocity

Jeremy Fields, Senior Director of Cloud Operations at SAP NS2, said DevOps at SAP NS2 means dev and ops teams work together to achieve velocity at releasing code. “Development teams which work through Chef and myriad other tools in order to automate our platform layer work hand in hand with operations. In the DevOps methodology, we can release through the system dev lifecycle, make sure it’s secure and the devs also integrate with O&M teams to see how that code actually works in a production environment.”

SAP NS2 delivers SAP’s portfolio to the federal sector, which means it takes pre-packaged applications and adds further layers of compliance and security to meet national security standards. To do that repeatably, SAP NS2 packages compliance as code: with Chef and InSpec it automates compliance testing, logs and audits policy failures, and remediates them quickly.

“We look at it from a holistic approach,” said Cheerag Patel, DevOps Manager at SAP NS2. “A lot of folks build environments and put compliancy in toward the end — which can cause a lot of trouble. If we start building with compliancy in mind from day one, it should make our lives a lot easier.”

With automated compliance, SAP NS2 can build federally secure systems from the get-go.
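To make “compliance as code” concrete, here is an added example in plain Ruby (not SAP NS2’s code, and not the InSpec DSL itself) that follows the InSpec pattern: human-readable controls with an id, an impact score and a title, evaluated against system state, producing structured pass/fail results that can be logged and audited. The sshd_config text, the control ids and the impact values are constructed for illustration; the parser honours sshd’s own rules (first occurrence of a keyword wins, keywords are case-insensitive, comment lines are ignored).

```ruby
# Added example: compliance checks as code, modelled on the InSpec control pattern.
# This is plain Ruby, not an InSpec profile; the config below is a constructed sample.

SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config, not taken from any real host
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication yes
  # PasswordAuthentication no   <- commented out, so it must be ignored
  X11Forwarding no
  MaxAuthTries 6
CONF

# Parse sshd_config into a hash. sshd honours the FIRST occurrence of a keyword,
# matches keywords case-insensitively, and skips blank and comment lines.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, value = stripped.split(/\s+/, 2)
    next if value.nil?
    key = key.downcase
    settings[key] = value unless settings.key?(key)
  end
  settings
end

# Each control is readable by an auditor: an id, an impact (InSpec uses 0.0-1.0),
# a plain-language title, and a predicate over the parsed settings.
# Ids and impacts here are hypothetical, not from any published benchmark.
CONTROLS = [
  { id: 'sshd-01', impact: 1.0, title: 'Root login over SSH is disabled',
    check: ->(s) { s['permitrootlogin'] == 'no' } },
  { id: 'sshd-02', impact: 0.7, title: 'Password authentication is disabled (keys only)',
    check: ->(s) { s['passwordauthentication'] == 'no' } },
  { id: 'sshd-03', impact: 0.5, title: 'Only SSH protocol 2 is enabled',
    check: ->(s) { s.fetch('protocol', '2') == '2' } },   # modern OpenSSH defaults to 2
  { id: 'sshd-04', impact: 0.5, title: 'MaxAuthTries is at most 4',
    check: ->(s) { s.fetch('maxauthtries', '6').to_i <= 4 } }, # sshd default is 6
].freeze

# Run every control and return structured results that can be logged or shipped
# to an audit system. Evaluation does not stop at the first failure.
def run_controls(config_text, controls = CONTROLS)
  settings = parse_sshd_config(config_text)
  controls.map do |c|
    { id: c[:id], impact: c[:impact], title: c[:title],
      status: c[:check].call(settings) ? 'passed' : 'failed' }
  end
end

# Ids of failed controls, in control order, for a remediation queue.
def failed_controls(results)
  results.select { |r| r[:status] == 'failed' }.map { |r| r[:id] }
end

# Summarise like a compliance report: counts plus the highest impact among failures.
def summarize(results)
  failed = results.select { |r| r[:status] == 'failed' }
  { total: results.size, passed: results.size - failed.size, failed: failed.size,
    max_failed_impact: failed.map { |r| r[:impact] }.max || 0.0 }
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls(SAMPLE_SSHD_CONFIG)
  results.each do |r|
    puts format('%-8s %-6s impact=%.1f  %s', r[:id], r[:status], r[:impact], r[:title])
  end
  p summarize(results)
end
```

Against the sample config, controls sshd-01, sshd-02 and sshd-04 fail and sshd-03 passes; the commented-out `PasswordAuthentication no` line does not rescue sshd-02, which is exactly the kind of detail a hand audit misses and a coded control does not. The same control file can run on every host at every converge, which is what turns compliance from an end-of-project exercise into a continuous signal.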

Remediate faster with Chef

When Shellshock hit in 2014, a major financial institution we work with saw a drastic difference between the servers it already managed as code with Chef and those that had not yet migrated.

Systems managed as code can self-report their state, so the security team can quickly identify which hosts are affected and patch them accordingly, instead of discovering the fleet by hand.

Equifax easily scans and maintains security policies

Equifax Inc., a leader in workforce information solutions, organizes and assimilates data on more than 820 million consumers and 91 million businesses worldwide. Because Equifax not only manages a lot of data, but data that often contains sensitive information, keeping software secure and in compliance with company and regulatory standards — such as the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) and National Institute of Standards and Technology (NIST) guidance — posed a challenge.

Equifax started using Chef in 2014 to deliver applications and infrastructure safely and quickly. Since 2014, Equifax has expanded its use of Chef to include InSpec and Automate, which has allowed the company to reduce time to spin up VMs from weeks to minutes, build a self-service portal for developers and improve its disaster recovery strategy.

“[Previously,] we had to go through and painstakingly piece these things together, which took a very long time,” said Jim Grill, Senior Director of IT Software Engineering and Automation at Equifax. “Because InSpec is so easy to understand, it’s easy for auditors to look at the InSpec source and understand what you’re checking for.” Jim added that if servers or VMs are lost, Equifax can now “know with absolute certainty and confidence that we can redeploy our servers immediately.”

With InSpec and Automate, compliance at Equifax has become human-readable, making it simpler and easier for the company to provide proof of compliance, run and pass audits and keep everything secure in a challenging environment.

To learn more about how companies can use DevOps alongside tooling and automation to provide safe and flexible environments for more reliable software, check out Forrester’s report, “Master DevOps For Faster Delivery Of Software Innovation.”


Author Marc Holmes

Marc is VP Product & Revenue Marketing at Chef. He's spent two decades in IT building, managing, evangelizing, and marketing open source, developer platforms, and enterprise software at companies including Docker, Hortonworks, and Microsoft. He's no friend to the Oxford comma. Find him @marcholmes.