As data breaches increase in frequency and scope, more governmental entities focus on using the stick rather than the carrot to prevent them. Compliance standards and regulations set baseline, minimum security controls that establish basic cyber hygiene. While compliance is not security, software developers need to understand these basic requirements so that they avoid violations. Compliance violations increase data breach costs and lead to fines. Understanding how compliance impacts software development can make it easier to meet requirements.
What are security compliance standards?
Compliance standards are sets of rules that an organization is required to follow. To prove that the organization follows the rules, it must have a set of written policies, and it must also create a set of procedures and processes that people must follow as they carry out the policies.
In security, compliance requirements can come from both regulatory bodies, like legislatures or agencies, and industry-standard organizations, like the National Institute of Standards and Technology (NIST).
Some primary security compliance mandates include:
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST Special Publications
- International Organization for Standardization (ISO) standards
- Federal Information Security Modernization Act (FISMA)
- New York Department of Financial Services (NY DFS) Cybersecurity Regulation
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act (SOX)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH)
What is the process of building a security compliance program?
From a security standpoint, most compliance standards take a risk-based approach. This means that the organization creates a cross-functional team which:
- Identifies all potential risks
- Assigns a rating for each risk type
- Analyzes the likelihood of a data breach
- Sets a risk tolerance
- Puts risk mitigation controls in place
As companies shift security left, developers need to be integrated into the compliance program. Whether developers build internal applications or design software for customers, they have critical information about software components that needs to be considered.
What is compliance in software development?
Software developers may not need to know the intricacies of compliance mandates, but they should know the basic security best practices.
Despite continuously evolving, complex technologies, several fundamental security principles remain the same. For example, nearly every compliance mandate includes:
- Scanning for security vulnerabilities
- Encrypting data
- Ensuring appropriate access controls
Developers regularly review their code for vulnerabilities. Additionally, part of their SDLC practices already incorporates making sure that their software appropriately encrypts data and offers the access controls necessary for applying the principle of least privilege.
What is Compliance as Code?
Compliance as Code is the process of using automated tools to review code so that teams can build compliance into development and operations. By incorporating compliance policies, checks, and auditing into development, regulatory compliance is no longer a time-consuming burden that development teams need to overcome.
To move towards a Compliance as Code development model, teams need to make sure that they:
- Start by defining compliance policies, rules, and control workflows
- Build code and configuration reviews into the CI/CD pipeline
- Review internal development team controls, like engaging in peer reviews or reviewing developer access rights
At its core, Compliance as Code builds traditional governance, risk, and compliance practices directly into the development process.
What are the business benefits of Compliance as Code?
As the first word of the phrase, compliance is intended as a key business outcome. However, Compliance as Code goes beyond mitigating compliance risk. As developers integrate compliance into their daily tasks, organizations are able to add technical and operational outcomes, including:
- Reduced time spent fixing code
- Increased visibility into and documentation of software security controls and compliance
- Reduced time spent on gathering audit documentation
- Reduced compliance violations
- Continuous compliance and security monitoring
- Enhanced cross-functional collaboration within the compliance team
Although compliance only sets minimum security baselines, it needs to be seen as an enabler for development teams and businesses. When it becomes a roadblock, people tend to view it as an expendable process. Unfortunately, in today’s increasingly regulated technology space, development teams must find ways to streamline their compliance activities and avoid regulatory penalties, so that the business remains financially secure.
Building risk management into the software development life cycle (SDLC)
For software developers, compliance falls into the software development lifecycle (SDLC). Building compliance into the SDLC may sound difficult. However, in many cases developers are already engaging in many of the steps; they just don’t realize it. Understanding how to incorporate Compliance as Code into the SDLC for a more robust risk management strategy can help eliminate the hurdles that people associate with compliance.
As part of the project planning phase, development teams need to consider the compliance mandates that the business needs to meet. For example, if the software will process credit card data, then it needs to meet PCI DSS requirements. If it’s a mobile health app, it needs to meet HIPAA compliance mandates. These security and documentation requirements should be incorporated as early as possible so that remaining steps can build in compliance and risk management.
For each feature and capability, the software design requirements should take into account controls for protecting data and ensuring compliance. For example, if the software will have a login feature, then the developers need to apply the appropriate access control capabilities. If it will be a web application, then they should incorporate mitigating injection attacks as part of this phase.
As the architects develop their design approach, they need to consider the different technologies and tools that can build Compliance as Code into the development processes. For example, a Static Application Security Testing (SAST) tool can provide visibility into potential vulnerabilities and reachable vulnerabilities, giving teams a way to remediate risk as quickly as possible.
Using compliance automation gives development teams a way to continuously monitor their code and repositories for the compliance assurance necessary. By documenting practices throughout the development cycle, they build security and compliance into their daily activities, eliminating the roadblocks associated with traditional manual practices.
Quality assurance should also incorporate compliance assurance. As part of testing software for bugs impacting performance, development teams should also include security and compliance checks. Compliance gives teams a way to “check their work” and ensure they applied best practices.
Deployment and Maintenance
Compliance and security monitoring should be incorporated into the continuous review and maintenance practices. This means continuously monitoring for new vulnerabilities, remediating security risks as soon as possible, and documenting all activities.
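To make the Compliance as Code model and the SDLC steps above concrete, here is an added example (not ShiftLeft's code or any product's): a small Python gate that encodes a few of the fundamentals this page lists (encrypted data, least-privilege access controls, scanning for vulnerable code patterns) as machine-readable rules, evaluates them against a constructed deployment configuration and constructed source snippets, and returns a non-zero exit code so a CI/CD stage fails when a rule fires. The rule names, the configuration layout and the sample inputs are assumptions made for this illustration; a real pipeline would load the configuration and sources from the repository and map each rule to the clause of the mandate it satisfies.

```python
"""Compliance-as-Code gate for a CI job (added illustration).

Evaluates policy rules against a deployment configuration and source files
and returns findings the pipeline can fail on. Rule names, config layout and
sample inputs are assumptions, not any product's or standard's schema.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # policy rule that fired
    control: str    # fundamental it enforces: vuln-scan, encrypt-data, access-control
    location: str   # config path or source file:line
    detail: str


# Constructed sample deployment configuration (as a CI job might load it from
# YAML or JSON). It deliberately contains two violations.
SAMPLE_CONFIG = {
    "database": {"encryption_at_rest": False, "tls_min_version": "1.2"},
    "storage": {"bucket_public_read": False},
    "roles": {
        "web": ["orders:read", "orders:write"],
        "support": ["*"],   # wildcard grant violates least privilege
    },
}

# Constructed sample source files keyed by path; each holds one violation.
SAMPLE_SOURCES = {
    "app/orders.py": (
        "def load(cur, order_id):\n"
        '    cur.execute("SELECT * FROM orders WHERE id=" + order_id)\n'
    ),
    "app/settings.py": 'API_KEY = "placeholder-not-a-real-key"\n',
}

# Source-code rules: (rule name, control, compiled pattern, explanation).
SOURCE_RULES = [
    ("sql-string-concatenation", "vuln-scan",
     re.compile(r'execute\(\s*(f["\']|["\'][^"\']*["\']\s*\+)'),
     "SQL built from string concatenation; use parameterised queries"),
    ("hardcoded-secret", "encrypt-data",
     re.compile(r'(?i)\b(api_key|password|secret)\s*=\s*["\']'),
     "credential literal in source; load it from a secret store"),
]


def _version(text):
    """Parse '1.2' into (1, 2) so versions compare numerically."""
    return tuple(int(p) for p in str(text).split("."))


def check_config(cfg):
    """Apply configuration rules; returns a list of Finding."""
    findings = []
    db = cfg.get("database", {})
    if not db.get("encryption_at_rest", False):
        findings.append(Finding("db-encryption-at-rest", "encrypt-data",
                                "database.encryption_at_rest",
                                "stored data must be encrypted at rest"))
    if _version(db.get("tls_min_version", "0")) < (1, 2):
        findings.append(Finding("db-tls-minimum", "encrypt-data",
                                "database.tls_min_version",
                                "TLS 1.2 or newer required for data in transit"))
    if cfg.get("storage", {}).get("bucket_public_read", False):
        findings.append(Finding("no-public-bucket", "access-control",
                                "storage.bucket_public_read",
                                "object storage must not be world-readable"))
    for role, perms in cfg.get("roles", {}).items():
        if "*" in perms:
            findings.append(Finding("no-wildcard-permissions", "access-control",
                                    f"roles.{role}",
                                    "wildcard grant violates least privilege"))
    return findings


def check_sources(sources):
    """Apply line-oriented source rules; returns a list of Finding."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, control, pattern, detail in SOURCE_RULES:
                if pattern.search(line):
                    findings.append(Finding(rule, control, f"{path}:{lineno}", detail))
    return findings


def run_gate(cfg, sources):
    """Full gate: all findings, sorted so the report is stable across runs."""
    return sorted(check_config(cfg) + check_sources(sources),
                  key=lambda f: (f.control, f.rule, f.location))


def exit_code(findings):
    """Non-zero when any rule fired, so the CI stage fails."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = run_gate(SAMPLE_CONFIG, SAMPLE_SOURCES)
    for f in results:
        print(f"[{f.control}] {f.rule} at {f.location}: {f.detail}")
    sys.exit(exit_code(results))
```

Run as a pipeline step, the sorted findings list is the same artifact each time for the same inputs, so it can be archived as the audit evidence the business-benefits section mentions; adding a rule means adding one entry or one branch, which keeps the policy reviewable in the same pull-request workflow as the code it governs.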
ShiftLeft: Moving Compliance Left with Next-Generation SAST
With ShiftLeft, developers can build vulnerability testing directly into their workflows for enhanced security and compliance. ShiftLeft tests the entire application as it is being built for more accurate findings and reduced false positives by proving attackability for software flaws. Not all vulnerabilities can be reached and attacked — in fact, it’s often a small minority that are reachable by hackers and are therefore deemed “attackable” and urgent to repair quickly. With rapid, continuous scanning, developers can remediate security risk in the code they are currently working on and fix bugs before they become debt.
ShiftLeft CORE provides compliance reports for leadership, partners and auditors. ShiftLeft CORE is the only code analysis platform to provide a software bill of materials (SBoM) that uniquely accounts for the attackability of open source packages used by the app. Unless attackability is determined, the security risk of your application is artificially inflated by vulnerabilities in open source libraries that are impossible for outsiders to reach given the architecture of your application.