Vulnerability Scanning's Not Good Enough: Enforcing Security and Compliance at Velocity Using Infrastructure As Code

In this talk, I'll discuss why existing approaches to achieving business compliance with security standards do not work. Manual verification steps, ad-hoc, emergency remediation when the auditors are in the building, and post-hoc vulnerability "scanning" that generate large reports but few actionable items result in a world full of "security and compliance theatre" that doesn't actually achieve the objectives. Worse still, once auditors leave, companies go back to doing business as usual -- until the next audit, when the cycle begins again.

I'll describe approaches we've found helpful in creating real compliance. In particular, we've studied common patterns of compliance regulations, and that you can express most of those in code, using a rules language that is easy enough for auditors to understand and for security analysts to use.

Julian is a product manager at Chef, where he works on making IT automation tools fun and easy to use. He has over fifteen years of experience as a consultant, engineering manager, system administrator and software developer in industries as diverse as finance, broadcasting, advertising, publishing, and infrastructure software. Originally from Canada, he holds a degree in engineering from the University of Toronto.