‘Compliance as Code’: Getting started

For many Compliance and non-technical stakeholders, it’s hard to even think about approaching something resembling code, as you may immediately get headaches or vertigo. You feel really out of your depth.

If I had a cookie every time I’ve heard Risk and Compliance professionals use the sentence “I’m not technical”, or the even more dangerous variation “I’m not technical but”, I’d have a lot of cookies and be getting close to obesity again.

But it doesn’t have to be that way. No one was born “technical”, and “technical” really just means acquiring a number of skills that will allow you to do certain tasks.

Remember, your aim is NOT to become a better Dev or Engineer than the Devs and Engineers. Your aim should be to not feel lost when looking at a line of code, and to be able to look at a Continuous Integration definition file and have a decent understanding of what’s happening, so you can then integrate some security tests into it.

As someone much better than me at this told me once “80% of what you need is probably already done and available, you just need to figure out the 20% that’s up to you”…

With that in mind, here’s my opinion on the key skills you should acquire over the next 6 months to 3–4 years maximum:

  • If you enjoy Novel formats, please read “The Phoenix project”. If you want to really understand DevOps, get the “DevOps Handbook”
  • Learn how to use Git
  • Learn about at least one of the 3 cloud providers (Azure, AWS or GCP)
  • Learn Linux basics
  • Learn about the tools of the trade for DevOps, like a CI/CD product, a containerisation technology like Docker and an IT automation framework like Ansible
  • Get familiar with how to apply security controls in CI. Focus on controls like Secrets hunting, Vulnerability Scans, Secure dependency checking and hardening

Let’s look at each in some more detail.

Reading books — Phoenix Project and DevOps handbook

The Phoenix Project in particular is a really good novel that explains how an organisation adopted what came to be called DevOps practices while attempting to address some of the problems it encountered. John, the CISO, gets a really hard time in the book, with all the typical and expected “doom and gloom” preaching culminating in no impact whatsoever to the organisation from not following his recommendations/demands, and the organisation still passing an external audit. You’ll understand why the DevOps way of working leaves you better off than what you have now.

Control reliance works differently in a DevOps world, and few books convey that better than “The Phoenix Project”. “The DevOps Handbook” by the same authors is a continuation of the novel which actually defines the discipline outside of the novel format. Both are brilliant and recommended reading.

Learn how to use Git

Git is a version control system, and where you’ll have most if not all of the auditability of what’s happening in your environment. Bear in mind that in many organisations there are still other venues or access methods for changing production environments, so be sure to identify and check those, but most of the changes can be expected to be under version control. This means that most changes to both application and infrastructure layers should have a clear audit trail that can be checked for assurance.

I particularly like Atlassian’s explanation of what version control is. You can find it here: https://www.atlassian.com/git/tutorials/what-is-version-control

Learn about Cloud

Learning about Cloud is not “read a few biased articles about cloud and cloud adoption”. For me, it means 2 things.

First, you do some training to understand the majority of the service offerings from each cloud provider (they tend to be similar and equivalent; it is commodity computing after all), and how to actually configure them. In particular, focus on understanding the command line, as that will be the venue for integrating what you learn into Continuous Integration. There are inexpensive Udemy and Pluralsight courses for these, so I don’t think a lack of resources is a good excuse for not doing it.

Learn Linux basics

You don’t need to become an expert but you should have some familiarity with the Linux command line. Again, you have basic courses at your disposal through Udemy and Pluralsight, but a great place to start would be https://tutorials.ubuntu.com/tutorial/command-line-for-beginners#0

Learn about the tools of the trade for DevOps, like a CI/CD product, a containerisation technology like Docker and an IT automation framework like Ansible

There are many variations and different products for each of these, so I’d suggest you go find out what your organisation uses or is planning to use, and choose to focus on that one. There’s no point in learning about all the CI and/or automation frameworks out there.

For CI/CD some of the most common are: Gitlab, Jenkins, Travis, CircleCI, Azure DevOps. They come in SaaS and on-prem/cloud versions so you can play around with them. If your organisation doesn’t do CI yet and you still want to learn, I’d suggest Gitlab as it’s my personal favourite.

On containerisation, Docker has become a de-facto standard, so look no further. For extra points, learn about orchestration platforms; Kubernetes is the most widely used one, as all Cloud providers now also offer managed services based on it.

Finally, an IT automation framework is usually employed and the typical culprits are Ansible, Chef and Puppet. If your organisation doesn’t have one, start with Ansible.

Get familiar with how to apply security controls in CI. Focus on controls like Secrets hunting, Vulnerability Scans, Secure dependency checking and hardening

I’ve already mentioned a number of different tools in my last blog post about Compliance as Code (https://medium.com/@marioplatt/whats-the-fuss-with-compliance-as-code-11ac8e985dc) so won’t do it again here. But the idea is to start with just a few checks, even getting access to fork your organisation’s actual source code and trying to integrate security tests with a live example. You may even get the bonus of asking smart questions of your Devs and Engineers and really improving your relationships, if you approach it with an inquiring mind and a desire to learn, and at the end of the day that’s what DevOps is about. Here, I’d recommend downloading DevSecOps Studio, which has a lot of this already done for you and is a great lab to experiment with.

After this, as I mentioned earlier, move quickly on to Inspec.io, Open Policy Agent or Sentinel by HashiCorp.
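To make the “integrate security tests into a CI definition file” idea concrete, here is an added example (not from the original post, and not the official configuration of any of the tools named): a minimal GitLab CI pipeline with one job per control from the list above. The choice of gitleaks for secrets hunting, trivy for vulnerability and dependency scanning and InSpec for hardening checks is an assumption, as are the container image names and the `compliance/` profile directory; swap in whatever your organisation actually uses.

```yaml
# Added example GitLab CI definition (.gitlab-ci.yml). Tool choices, image names
# and the compliance/ profile path are assumptions, not taken from the post.
stages:
  - secrets        # secrets hunting: catch credentials before they land on a shared branch
  - dependencies   # vulnerability scan of third-party packages and the checked-out tree
  - hardening      # policy-as-code checks that produce reviewable evidence

secret_scan:
  stage: secrets
  image: zricethezav/gitleaks:latest    # assumed image; pin a version in real use
  script:
    # Scans the checked-out repository for credential patterns. A finding makes the
    # command exit non-zero, the job fails, and a failed job blocks the merge request:
    # the failed job *is* the preventive control.
    - gitleaks detect --source . --verbose --redact
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

dependency_scan:
  stage: dependencies
  image: aquasec/trivy:latest           # assumed image
  script:
    # Fail only on HIGH/CRITICAL findings at first so the gate is credible rather
    # than noise; tighten the severity threshold once the backlog is under control.
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL --no-progress .
  allow_failure: false

hardening_check:
  stage: hardening
  image: chef/inspec:latest             # assumed image
  script:
    # Runs an InSpec profile kept in the repo (path assumed) and writes a JSON report.
    - inspec exec compliance/ --reporter cli json:inspec-results.json --chef-license accept
  artifacts:
    # Keep the report even when the job fails: this is the audit trail an assessor
    # can retrieve later instead of asking for screenshots.
    when: always
    paths:
      - inspec-results.json
    expire_in: 30 days
```

Two things are worth noticing when reading a file like this as a Compliance professional. Each job maps to one control, and the control’s effectiveness comes from the job’s exit status: a failing job stops the change from being merged, which is the “control reliance” the Phoenix Project describes. And the `artifacts` block is where evidence comes from: the pipeline retains the InSpec report for every run, so the audit trail is generated by the same process that makes the change rather than reconstructed afterwards.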

And if you want a great structured online and f2f training from people who know this well, I’d recommend https://www.practical-devsecops.com/

Bringing a team together around a common goal.

Conclusion

I appreciate this is a big list, especially if you know none of them but the key thing is to start where you are with what you have, for what you have is plenty. You understand compliance and risk, you just don’t understand this new dialect used to describe it.

If you’re starting from scratch, this is NOT a 6 month plan. It will likely take you more than that if you really want to become good at this, but you can make a tremendous amount of forward progress if you start now.

I’m sure you won’t regret it and will be acquiring skills that will separate you from your competition for years to come.