In this chapter, you will learn what InSpec is, what compliance as code is all about, and why you need a continuous compliance culture and strategy to survive digital Darwinism.
Let's take a closer look at InSpec.
InSpec is Chef's open source framework and language for describing security and compliance rules, or policy, in a form that software operations and security engineers can share.
InSpec is a testing framework for testing your infrastructure.
It provides a domain specific language to define compliance and security requirements in the form of so-called controls.
The domain specific language was designed with non-developers in mind, and makes it easy to read and understand these controls.
After you've coded your controls with InSpec DSL, you can run them as automated tests to audit your system.
InSpec is platform agnostic: the same controls run against Linux, Windows and macOS hosts, containers and cloud accounts, and the framework handles the differences in how each one is inspected.
InSpec is also agentless: the controls stay on your workstation or CI runner and are executed remotely over SSH or WinRM, so nothing has to be installed on the target beyond the shell access you already have.
In many companies, compliance rules are documented in the form of Excel sheets or Word documents.
These guidelines are then implemented in the form of IT controls and carried out manually during an audit.
IT controls can be categorized as general controls or application controls.
An example of a general control is that access to hardware that manages secret keys is only allowed under the four-eyes principle.
An application control, on the other hand, could be the Maximum Password Age policy, which determines how long a user can keep a password before they are required to change it.
Both types of controls can, to some extent, be checked either manually or in an automated way, although a physical-access rule like the first one is far harder to automate than a configuration setting like the second.
Instead of executing audits in which checklists must be processed manually, these controls can be verified by automated tests.
This approach, better known as Compliance as Code, replaces the abstract description of a control with a concrete, automatically executable test.
These tests can be integrated into the continuous delivery pipeline to identify compliance issues early in the development process.
With Compliance as Code, security and compliance are built in from the very beginning, and compliance issues are found in the development phase instead of at the end with a manual check.
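As an added example (not part of this course and not InSpec's own code), here is the Maximum Password Age control from above written the way it would appear in an InSpec profile, together with the plain-Ruby helper it relies on. The file names, the control id pw-max-age and the 90-day limit are assumptions; the sample login.defs contents are constructed, not captured from real hosts.

```ruby
# Added example, not course or InSpec project code. Assumed profile layout:
#   libraries/password_policy.rb  -> the PasswordPolicy helper below
#   controls/password_age.rb      -> the control at the bottom
# Both parts are shown in one file so it can also be run as plain `ruby`.

module PasswordPolicy
  # Assumed policy limit; take the real figure from your policy document.
  DEFAULT_MAX_DAYS = 90

  # Returns PASS_MAX_DAYS from login.defs-style content as an Integer, or nil
  # when it is absent, commented out, or not a number. Blank lines and '#'
  # comments are ignored; if the key appears more than once, the last
  # uncommented occurrence wins (a choice made here, documented so an
  # auditor can check it).
  def self.max_days(content)
    value = nil
    content.to_s.each_line do |line|
      stripped = line.strip
      next if stripped.empty? || stripped.start_with?('#')
      key, rest = stripped.split(/\s+/, 2)
      next unless key == 'PASS_MAX_DAYS' && rest
      token = rest.split.first
      value = token =~ /\A\d+\z/ ? token.to_i : nil
    end
    value
  end

  # The control passes only when aging is enforced (setting present and
  # positive) and the value does not exceed the limit. A missing setting
  # fails closed: no value means no enforced maximum age.
  def self.compliant?(content, limit: DEFAULT_MAX_DAYS)
    days = max_days(content)
    !days.nil? && days.positive? && days <= limit
  end

  # Batch evaluation, as a pipeline gate would do it for several captured
  # files: { host => :pass | :fail }.
  def self.report(captures, limit: DEFAULT_MAX_DAYS)
    captures.transform_values { |c| compliant?(c, limit: limit) ? :pass : :fail }
  end
end

# Constructed sample captures of /etc/login.defs (not from real systems).
SAMPLES = {
  'web01' => "# login.defs\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS 1\n",
  'web02' => "PASS_MAX_DAYS 99999\n",                # the shipped default on many distros
  'db01'  => "#PASS_MAX_DAYS 60\n",                  # commented out: no aging enforced
  'app01' => "PASS_MAX_DAYS 180\nPASS_MAX_DAYS 45\n" # later line overrides
}.freeze

# --- controls/password_age.rb ---------------------------------------------
# `control`, `describe`, `its`, `login_defs` and `file` are supplied by
# InSpec when the profile runs under `inspec exec`; the guard lets the same
# file execute under plain `ruby` for the demo in the else branch.
if defined?(control)
  control 'pw-max-age' do
    impact 0.7
    title 'Maximum password age must not exceed 90 days'
    desc 'Application control: users must change their password at least every 90 days.'
    # Built-in login_defs resource plus the cmp matcher, which compares numerically.
    describe login_defs do
      its('PASS_MAX_DAYS') { should cmp <= PasswordPolicy::DEFAULT_MAX_DAYS }
    end
    # The same requirement evaluated by the helper on the raw file content,
    # so the edge cases above (missing or commented out) are handled explicitly.
    describe PasswordPolicy.compliant?(file('/etc/login.defs').content) do
      it { should eq true }
    end
  end
else
  PasswordPolicy.report(SAMPLES).each { |host, result| puts "#{host}: #{result}" }
end
```

Run from a profile directory, inspec exec . -t ssh://user@host executes the control on a remote machine with nothing installed there. In a pipeline, gate on the exit code rather than on the console text: inspec exec returns 0 when every control passes, 100 when at least one control fails and 101 when controls were skipped, so the CI step must treat 100 as a failed gate. Run as plain ruby, the file skips the InSpec part and only prints the helper's report for the sample hosts.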
Continuous Compliance is about achieving compliance and increased security across your IT and business environments, and then maintaining compliance on an ongoing basis.
It is not acceptable to develop, deploy and run software in an agile way while leaving the infrastructure non-compliant until a later audit catches it.
The concept of shift-left on security has gained momentum in the software industry.
The same concept can be applied for regulatory compliance.
Compliance teams can collaborate with engineering teams to bake compliance in the design of software applications and help automate compliance checks.
With the advent of DevOps, it is a must that compliance is baked in during the development cycle, so that at the time of deployment, your infrastructure is compliant.
With InSpec, we describe policies using code, which means we can use them again and again, customize them or modify them whenever we need to.
InSpec allows us to scan systems in the different pre-production environments in exactly the same way we scan our production systems.
That way, no security or compliance related change ever makes it to production without complying with our regulatory, organizational and team policies first.
Integration of compliance into the DevOps toolchain from the start of development ensures that an application is compliant, which speeds up the transition from development to production.
So, what is Continuous Compliance?
Continuous Compliance is about developing a culture and strategy within your organization that continually reviews your compliance requirements.
Continuous Compliance aims to take teams away from reacting to audit requests and bring them towards being prepared for the future.
All right, we are at the end of this chapter.
You learned what InSpec is, what compliance as code is all about, and why you need a continuous compliance culture and strategy.
Let's go to the next chapter.