Vulnerability Scanning's Not Good Enough: Enforcing Security and Compliance at Velocity Using Infrastructure As Code
Julian Dunn, Chef Software, Inc.
In this talk, I'll discuss why existing approaches to achieving business compliance with security standards do not work. Manual verification steps, ad-hoc emergency remediation when the auditors are in the building, and post-hoc vulnerability "scanning" that generates large reports but few actionable items result in a world full of "security and compliance theatre" that doesn't actually achieve the objectives. Worse still, once auditors leave, companies go back to doing business as usual -- until the next audit, when the cycle begins again.
I'll describe approaches we've found helpful in creating real compliance. In particular, we've studied common patterns of compliance regulations and found that you can express most of those in code, using a rules language that is easy enough for auditors to understand and for security analysts to use.
Julian is a product manager at Chef, where he works on making IT automation tools fun and easy to use. He has over fifteen years of experience as a consultant, engineering manager, system administrator and software developer in industries as diverse as finance, broadcasting, advertising, publishing, and infrastructure software. Originally from Canada, he holds a degree in engineering from the University of Toronto.