What It Really Takes to Build Compliant Apps

By: Sonya Koptyev on December 20, 2018

If you search online for “software compliance,” you’ll be met with a seemingly endless lineup of blog posts, how-tos and explainer articles promising to tell you everything you need to know about writing and deploying software in a compliance-friendly manner.


Some of those are good resources, especially the ones that delve into meeting specific compliance requirements associated with specific regulatory frameworks. (Articles that make generic recommendations such as “secure your data!” are less helpful, but I digress.)


In this article, I aim to contribute something new to the conversation about software and compliance, especially as it relates to modern, containerized, microservices-based environments. I’m not going to rehash all of the existing content about compliance best practices. Instead, I’d like to offer a new way of thinking about how you actually build compliant applications—by taking a DevOps approach to compliance.

What does that mean, exactly? Let me explain.

Why DevOps Compliance?

I know, when you hear a term like DevOps compliance, your first thought is likely, “Well, there’s another meaningless buzzword.”

But when I use that term, I’m thinking about much more than marketing hype. I’m referring to the actual practice of using DevOps processes as the basis for building compliance into your applications.

I’ll explain what that looks like in a moment. For now, let me explain why the concept of DevOps compliance matters.

For one, this concept drives home the truth that to create compliant applications, you need to make deliberate design decisions and follow specific processes for implementing them. This is what makes the concept of DevOps compliance, as I’m presenting it here, different from typical recommendations for achieving software compliance. Instead of treating compliance as something that you worry about once your application is written (or as a process that lives in its own silo, if you want to describe it in DevOps-y terms), the innovation behind DevOps compliance is to bake the compliance process into the rest of the software delivery pipeline, ensuring that the software that’s created is secure from the beginning of the development process.

Implementing DevOps Compliance

What does DevOps compliance look like in practice? How do you actually bake compliance into a CI/CD pipeline?

Involving Everyone in Compliance

For starters, you ensure that everyone who plays a role in software delivery understands what compliance means and which specific compliance requirements affect the software they are building. This is not often the case by default. Typically, compliance is something that your lawyers and security team know about, but not something your developers, software testers or IT Ops team members spend much time studying.

To do DevOps compliance, that has to change. Your engineers need not become compliance experts, but they need visibility into the specific compliance challenges that they must meet. They must also understand how those challenges change—as they frequently do, because compliance frameworks have a tendency to be updated regularly.

Tracking Compliance Across the CI/CD Pipeline

Second, achieving DevOps compliance requires implementing processes that allow you to verify and vet the state of compliance at all stages of the software delivery process. When developers are designing new code, they should be thinking about how that code can be compliant. When the QA team is testing the code, they should verify that it meets compliance goals. And when IT Ops deploys the code, it should monitor it to ensure that it is actually fulfilling compliance needs in production.

A third key process to implement is auditing across the software delivery life cycle. While the precise reporting and auditing requirements of software vary from one compliance framework to another, it’s a best practice to make sure that you are logging and able to report compliance-related data.

Auditing

The problem many organizations run into is that they think about the auditing challenge only when software is in production. To do DevOps compliance, you should be baking auditing into all stages of the CI/CD process by collecting data that demonstrates how you are working to meet compliance goals, and that measures your success in achieving them. This practice ensures that if something goes wrong with compliance, you have full visibility into where the issue originated and how to fix it, which are important considerations for meeting compliance challenges successfully.

Ideally, you’d never make a compliance mistake, but in reality, you probably will sometimes experience oversights. When they happen, it’s much better if you know exactly what went wrong and can quickly develop a plan for fixing it. That not only helps you avoid repeating the same mistake, but it can also help keep regulatory authorities happy. They tend to be more forgiving of compliance errors if you can show proactively (using your own auditing data) that you know what went wrong, and how you are going to fix it.
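The auditing practice described above, as an added example that is not from the article: an append-only audit trail that records every compliance check run at each CI/CD stage, a fail-closed stage gate, and a lookup that traces a production finding back to the earliest stage where it appeared. The stage names, control ids, commit id and JSON-lines layout are assumptions made for illustration.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Assumed pipeline order; used to rank which stage a failure first showed up in.
STAGES = ("design", "build", "test", "deploy", "production")

@dataclass(frozen=True)
class AuditRecord:
    stage: str          # CI/CD stage that ran the check
    commit: str         # artifact identity, so a finding ties back to a change
    requirement: str    # compliance control id (constructed placeholders below)
    passed: bool
    evidence: str       # what was checked, for the auditor
    recorded_at: str    # UTC timestamp

class AuditTrail:
    def __init__(self) -> None:
        self._lines: List[str] = []  # append-only JSON lines, one per check

    def record(self, stage: str, commit: str, requirement: str,
               passed: bool, evidence: str) -> AuditRecord:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        rec = AuditRecord(stage, commit, requirement, passed, evidence,
                          datetime.now(timezone.utc).isoformat())
        self._lines.append(json.dumps(asdict(rec)))  # never rewritten, only appended
        return rec

    def records(self) -> List[AuditRecord]:
        return [AuditRecord(**json.loads(line)) for line in self._lines]

    def gate(self, stage: str, commit: str) -> bool:
        """Stage gate, fail-closed: no recorded checks counts as not compliant."""
        hits = [r for r in self.records() if r.stage == stage and r.commit == commit]
        return bool(hits) and all(r.passed for r in hits)

    def origin_of_failure(self, commit: str, requirement: str) -> Optional[str]:
        """Earliest stage at which `requirement` failed for `commit`, or None."""
        failed = [r.stage for r in self.records()
                  if r.commit == commit and r.requirement == requirement and not r.passed]
        return min(failed, key=STAGES.index) if failed else None

def demo() -> AuditTrail:
    """Constructed sample run: one control passes at build, another fails from test onward."""
    t, c = AuditTrail(), "abc123"  # constructed commit id
    t.record("build", c, "REQ-ENC-01", True, "TLS config lint")
    t.record("test", c, "REQ-LOG-02", False, "audit logging integration test")
    t.record("deploy", c, "REQ-LOG-02", False, "deploy-time config scan")
    t.record("production", c, "REQ-LOG-02", False, "runtime monitor alert")
    return t
```

Because the trail is kept from the first stage onward, the production alert for REQ-LOG-02 resolves to the test stage rather than to production, which is the visibility the section argues for.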

Conclusion

Compliance is not something that most developers or Ops engineers enjoy thinking about. In fact, it’s something that many of them don’t think about at all, and that’s a problem. But as software-related compliance challenges grow increasingly complex, and as the consequences of non-compliance grow ever greater (both in terms of regulatory fines and a loss of reputation in the eyes of customers), compliance is something that all participants in the CI/CD pipeline should be supporting. They should be doing so at all stages of the software delivery process, and in a way that maximizes visibility into compliance efforts via a clear auditing trail. That’s what DevOps compliance looks like.

— Sonya Koptyev
