Look out! Here comes the auditor!

Uh oh, it’s time for a compliance audit! You know the drill, keep the auditor on the East-side of the building, make sure you only answer the questions that are asked, and remember, this only happens twice a year.

Everyone wants to move faster and ship updates with higher velocity. Regulatory burdens and compliance can add extra drag on the system. Controls that live in notebooks, spreadsheets, and PDF files are difficult to verify. Scanning the production systems for compliance means you find violations when it’s too late and when they’re most expensive to fix. Compliance must be managed as code and must be part of your everyday development process if you’d like to improve compliance and increase velocity. In this talk, we’ll look at one way you can move compliance controls directly into your development process. We’ll explore InSpec, an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

This talk is the story of being audited, how many of us approach these audits incorrectly, and some ideas that we can all use to improve. I will start with describing the problem space and then introduce an open-source, developer-friendly framework called InSpec that can be used to help make compliance a delightful experience for everyone involved.

The talk will be fun, provocative, and, hopefully, will help everyone thing about managing the security and compliance requirements of their systems in a new way.