Compliance is rarely listed as a requirement when a company is considering implementing a new development pipeline. If it’s considered at all, it’s generally an afterthought viewed as a necessary evil — something to be tolerated, not embraced.
Compliance isn’t evil, but it is necessary. Because of hacktivist groups like Anonymous, it’s becoming increasingly obvious that companies are being breached — and they can’t get away with pretending they weren’t. In the same vein, consumers lose trust in a company when they find out a breach occurred because a security compliance audit hadn’t taken place in many years.
Because compliance is often seen as the domain of a select few individuals tasked with enforcement, the attitude of developers can be cynical at best and actively hostile at worst. Negative attitudes toward compliance tend to manifest when compliance policies affect a developer’s day-to-day workflow significantly enough to cause bottlenecks in the development process.
Instead of making compliance a mandate forced upon employees, businesses should allow their teams to invest in security on their own. The following strategies will ensure an easy transition into compliance while getting developers involved in a positive way.
1. Developer Involvement
One of the keys to changing developers’ attitudes toward compliance is to involve them in the policy and workflow creation processes. When someone invests time in crafting a policy or designing a workflow, they are much more likely to value that process and, by extension, adhere to it.
A collaborative approach is also far more likely to generate a policy that integrates with existing tools and processes to minimise disruption and maximise productivity. Of course, it’s important to moderate the creation process to ensure that the end product does, in fact, cover all desired compliance standards.
A solid policy creation strategy will ensure that stated policies fit well with existing development workflows, but it’s only the first step toward ensuring compliance with standards. Without the ability to prove policy adherence during an audit, a stated policy has very little utility. Traceability is particularly important when compliance with strict standards — such as the Payment Card Industry Data Security Standard, Sarbanes-Oxley Act of 2002, or the Health Insurance Portability and Accountability Act — is required.
2. Workflow Automation
The first step toward proving policy adherence in an audit is the automation of infrastructure creation and maintenance. There’s no better way to ensure policy adherence and streamline development workflows and processes at the same time.
The automation of previously manual workflows limits the possibility of a breach of policy occurring while providing a faster and more convenient path to production for developers. Once a robust automated solution is implemented for a given task, the ability to perform this task manually should be removed or limited to emergency situations only.
3. Documentation and Traceability
One of the most important aspects of proving compliance with standards is the ability to trace each change back to its source and verify that the change was made in an approved manner. Most major automation tools have logging and authentication abilities built in, which greatly facilitates this process.
Automation tools generally make use of configuration files that specify actions and parameters, which are then used to create and modify existing resources. These configuration files can also serve as an authoritative source of documentation, as long as the entire workflow for that particular resource is automated.
4. Internal Services
When introducing automation tools to development teams, it’s helpful to treat each tool as an internal service. A service-oriented approach shields developers from back-end complexities when possible, allowing them to focus on writing solid code.
A team well-versed in the intricacies and security requirements of each tool should perform the setup and configuration of that process. This will ensure that security holes aren’t introduced during the automation procedure. It may be necessary to hire a consultant to take full advantage of the features each tool has to offer.
In today’s increasingly dynamic development environment, companies have to maintain both compliance standards and security. By getting developers on board while taking advantage of automation, companies will have an easier time maintaining these standards.
Automation as an Investment
Although the upfront costs of automation can seem high, properly implemented automation not only increases compliance and security, but also boosts developer productivity and morale.
Another factor to consider is the decreased risk of security breaches, which can be extremely costly in terms of dollars spent on remediation, as well as damage to the company image.
The combined benefits of automation are such that it is now commonly viewed as a baseline requirement for any modern software development pipeline — not a luxury for elite development teams.
Compliance is a two-sided coin. It’s an annoyance that adds extra work, but it provides a better product and an easier workflow down the line. With the further integration of automation, developers will be able to focus on their coding while making compliance a priority.
Andrew Storms is the vice president of security services at New Context, specialising in lean security and helping companies build better software.