Managing Risk and Compliance for DevOps - An Interview with Nish Bhalla, CEO of Security Compass

During the past decade, organizations of all sizes have begun to adopt automated platforms to support governance, risk, and compliance (GRC). Originally developed to reduce mundane paperwork, GRC platforms evolved to support compliance controls in business unit infrastructure. More recently, businesses have recognized the need for GRC in the context of DevOps, and now DevSecOps. This is very good news for our industry.

Security Compass has been a leader in this ongoing movement to support security compliance and risk management during software development. We recently asked Nish Bhalla, CEO of Security Compass, to provide an overview of modern GRC protections in legacy and modern DevOps lifecycles. We also asked him how the Security Compass platform works in the context of such software processes.

EA: Why should we care about software security, and why isn’t it a priority for most industries?

NB: As software applications become more prevalent in business, and more crucial to organizational success, it becomes critical that we protect our assets. Unfortunately, this isn’t a priority for many organizations due to a lack of awareness regarding the potential consequences. However, new regulations are now being enforced, meaning that security must become a greater priority. The PCI Software Security Framework and the New York State Department of Financial Services (DFS) Cybersecurity Regulation 23 NYCRR 500 Section 500.08 (Secure Application Development and Auditing) are prominent example frameworks that demand improved controls during the SDLC.

EA: Does DevOps introduce more security threats, or does it have a more risk-reducing impact?

NB: In a DevOps environment, you can deploy applications faster, which in turn allows you to respond faster to identified security defects. Ultimately, this reduces the cost of fixing defects as well. The main drawback related to the introduction of DevOps is that those organizations who have dispensed with their old security activities haven’t necessarily established compensating activities that work with the new DevOps methodology. Without encountering any immediate negative consequences, organizations will proceed with business without sufficient security due diligence in place, until they encounter an issue.

EA: How does the Security Compass platform work?

NB: We provide tools that integrate security and compliance directly into the DevOps process. Some people have referred to our platform as supporting governance, risk, and compliance (GRC) for DevOps, and this is an accurate reference. The whole idea of the Security Compass solution is to ensure that the automation inherent in DevOps is complemented with security automation to create a DevSecOps approach, thus resulting in more secure products being developed. The central part of our solution is SD Elements, which translates policies into prescriptive, measurable procedures that are used by IT and Engineering teams to achieve their security and compliance objectives. SD Elements generates and tracks granular security controls with a flexible, rule-based engine and integrates those controls into Application Lifecycle Management (ALM) tools and enterprise workflows used by development teams. SD Elements also delivers Just-In-Time training to developers, providing concise, contextual guidance on how to implement controls right when they need it.

EA: What are some software-related threat trends you’re seeing in your customer base?

NB: With the trend towards Agile, every part of the software development life cycle is moving more quickly, which is why an automation platform, such as ours at Security Compass, is essential to every software development team. Automation is the key to dealing with the rapid pace of development vs. the rapid advancement in adversary capabilities and the ever-growing complexity of regulatory compliance. Customers also seek our help in dealing with privacy, compliance, and other non-functional requirements. The trick is creating and establishing a system that allows you to operationalize the identification and tracking of these requirements throughout the SDLC, which is one of the features of our platform. This not only gives management visibility into the security posture of all their applications at a glance, but also makes it easy to prove to regulators and auditors that best practices in secure software development have been followed by the organization.