Baking Compliance in your CI/CD Pipeline
When DevOps engineers talk about Continuous Integration/Continuous Delivery (CI/CD), compliance is not often a major part of the conversation — but it should be for any organization that wants to stay ahead of compliance challenges. Just like everything else in a CI/CD pipeline, compliance should be continual, and it should be baked into all stages of the delivery process. It’s not something that can happen in a silo.
How can a DevOps organization achieve this and leverage the practices of CI/CD to help facilitate their ability to ensure information security and software compliance for their applications? Below we will discuss how each part of the development pipeline can help to achieve compliance within applications, while still delivering software in a timely fashion.
What Is Compliance?
In the world of software development, compliance refers to the security standards that the application must adhere to in accordance with regulations set up for the particular industry in which the application operates.
An example of this includes the Payment Card Industry Data Security Standard (PCI DSS). The PCI Standard must be adhered to by any company that takes payment by credit card. These standards are set up for obvious reasons — the most serious of which is to ensure an appropriate level of information security for customer data. And although the DevOps philosophy of delivering software in faster development cycles may seem detrimental to application security, the main tenets that make up a DevOps organization can actually provide viable circumstances that make application security inherent to the development process.
Baking Compliance into Your CI/CD Pipeline
So how can DevOps practices such as CI/CD make compliance requirements easier to fulfill? The answer is to bake compliance directly into your development pipeline. This requires a concerted effort by those responsible for all parts of the development pipeline, from developers to testers to administrators.
By taking responsibility for compliance from the outset of the project, developers can help to ensure application compliance is built into the development process. As mentioned earlier, continuous integration provides an approach for continuously testing your application through the use of automated testing integration with your CI tool. The very same can be done for application security and compliance testing. By automating security and compliance tests and integrating them with your CI tool, you’ll achieve several goals crucial to the security of your application:
- Compliance flaws will be discovered earlier in the process than ever before. And as we know, the earlier a bug is discovered, the less expensive it is to fix;
- The likelihood of a developer introducing compliance issues into the codebase decreases significantly. When compliance tests run as the result of each commit, they should ensure that the code being committed is compliant with the necessary standards. Test failure will mean build failure, and build failure will immediately notify the developer that action must be taken prior to integrating his/her code changes.
Fine-Tuning Compliance Throughout the Pipeline
A major part of the job responsibility of DevOps testers is to look for opportunities to make application testing more efficient and effective. We typically think about this from the perspective of ensuring application quality. But what if we think of compliance as a part of application quality? Training testers to continually identify opportunities to improve compliance testing, and to make this testing as repeatable as possible, will result in compliance becoming second nature to the organization. This benefit will be felt throughout the entire development process, ensuring that less compliance bugs are present in the codebase, while the bugs that do make their way into code are easily identifiable, and — with any luck — easily fixable, due to the likelihood that they are discovered early in the process.
As we all know, the development pipeline does not just end when an application is deployed to production. Careful monitoring of the production environment is necessary to make certain that any issues are identified and mitigated as quickly as possible. In this sense, compliance monitoring can help to keep your application in line with the proper security regulations and requirements. Implementing auditing and logging that helps to identify these problems (should they exist in production) can bring your DevOps team a great amount of assurance and peace of mind that customer information and your environment as a whole is protected according to industry standards.
Ensuring application compliance requires the participation of all members of the DevOps team. When developers, testers and admins alike make a concerted effort to bake compliance into the development pipeline, it significantly decreases the chances of releasing non-compliant software. With full participation, compliance is treated as part of application quality throughout the process, and team members abandon the less effective method of incorporating compliance at the very end.