Compliance automation will take center stage this year
Richard Harris in Security, Tuesday, May 4, 2021
Progress Software CEO Yogesh Gupta says we will see compliance automation topping the tech priority list this year, with smart companies turning to a compliance-as-code approach to keep infrastructure, apps and end user devices secure and compliant.
According to most sources on the web, compliance automation means using artificial intelligence features and technology to make compliance procedures easier.
Progress Software CEO Yogesh Gupta says with smart companies turning to a compliance-as-code approach to keep infrastructure, apps, and end-user devices secure and compliant, we will see compliance automation topping the tech priority list this year. We sat down with Yogesh to explore more about compliance automation.
ADM: Why do you think 2021 will be the year of continuous compliance?
Gupta: With the dramatic digital shift in 2020 and the increased emphasis on uninterrupted delivery, organizations need to build in continuous compliance enterprise-wide to manage the risk to the business. The traditional approach of security gates and periodic audits does not align with the continuous delivery model. Who can wait two months for a security and compliance audit that is obsolete before it’s finished? Business needs a better approach. With continuous delivery of applications and infrastructure becoming common, I believe you will see a tipping point in 2021 where continuous compliance gets baked into the delivery process.
ADM: How can continuous compliance support transformation efforts?
Gupta: Digital transformation efforts are all about deeply understanding your customers’ needs and being able to deliver new value to them faster than ever before. Those efforts are completely undermined if you cannot maintain security and compliance. Up to now, a lot of organizations have had success with transformation efforts in pockets, but struggle to scale it enterprise-wide, and maintaining compliance is one of the top barriers.
Some may have concerns that integrating compliance will kill the velocity of digital initiatives, but our research found the opposite to be true. DevSecOps adopters got faster the more they built compliance into their processes. Continuous compliance gives them the visibility and control they need to move quickly with confidence. It is a shift in thinking for organizations, most of which view compliance as a costly drag on efficiency. But the beauty of continuous compliance is that by building security throughout, businesses are empowered to move faster.
ADM: Do you think toolchain security will also become a trend this year?
Gupta: Given the SolarWinds episode, toolchain security is already a hot topic. As organizations put security plans in place, they should make sure to secure the toolchain and not focus solely on the application or asset in production. Unfortunately, organizations cannot go out and purchase a toolchain security product or simply outsource it to a service provider. They need to go through every aspect of the toolchain and apply the right technology, processes, and people to harden the app dev lifecycle.
Extending continuous compliance to continuous security and compliance is a good approach to achieve that goal. Continuous not only applies to a time element but also to the continuous nature of development, given all things agile and incremental. Dev, IT Ops, and Security resources should jointly analyze the entire toolchain, identify potential vulnerabilities and then develop a plan that reduces risk appropriately. Since there are a wide variety of toolchains, often within a single organization, this work must be done for every toolchain—another motivator to coalesce on a limited number of toolchains to help reduce the attack surface.
ADM: How does DevSecOps play a role within toolchain security?
Gupta: We strongly recommend that organizations take an expansive view of DevOps/DevSecOps, which we refer to as Total DevOps. Total DevOps is not limited to the overlap of various participants—say Dev and IT Ops, or Dev, IT Ops and Security—but considers all participants in the application lifecycle. This includes designers, QA, data analysts/scientists, business analysts, etc. Given this perspective, DevSecOps is instrumental in all things security and compliance, including toolchain security.
The other advantage to this approach is that it facilitates collaboration and understanding of the different roles. This helps tear down silos, leading to better processes and teamwork. In this way, DevSecOps serves as a vehicle for the security team to be integrated across all aspects of design, dev, test, delivery and operations. Security professionals then become better equipped to promote the value and necessity of security and compliance across the organization.
ADM: How must developers build security into their apps to avoid hacks?
Gupta: Think of the iceberg metaphor. Developers focus on the code they are writing and the updates they are making to the app itself, but lurking below the surface are a host of dependencies. Infrastructure, operating systems, agents, system libraries and other dependencies all impact the application’s security. They must consider it all and security cannot be an afterthought.
The DevSecOps approach to software delivery enables infrastructure, app dependencies, and the compliance policies that govern them to be defined as code. Every change can then be tested and validated as compliant at every step in the software development lifecycle, enabling you to confidently deploy secure apps.
ADM: Progress acquired Chef in October last year. In the announcement, the former CEO of Chef said both companies share a vision for the future of DevSecOps. Can you tell us about that vision?
Gupta: Absolutely. In application development, security has historically been an outlier, typically addressed just before deployment. But the pace of business demands delivering customer value faster than ever before. That value is undermined if you have a security and compliance process that is an afterthought, and results in inefficiency and added risk. DevSecOps allows for security to become a natural part of the continuous delivery process.
We are proud that Chef is a pioneer in this space and are eager to bring those abilities to bear for all our customers. We recognize the value this intersection offers to companies, and look forward to adding our industry experience, developer tools and scale to the DevSecOps conversation.
ADM: Why did you decide to buy Chef to get into DevOps and what does it mean for the future of Progress?
Gupta: Progress has always been about providing the best tools by developers, for developers to make their lives easier and to help them succeed. We see DevSecOps as the vehicle to automate security and compliance as code to complement development earlier in the process. This ensures that infrastructure, apps and end user devices are continuously compliant, and any application changes can be delivered quickly with the confidence that everything will remain secure.
We are excited to add Chef’s valuable capabilities to our existing portfolio of technology to develop, deploy and manage high-impact business applications and systems.
ADM: The pandemic has had a big impact on the speed at which many businesses undergo transformation to the cloud. Did this consideration have an effect on your planning or strategy following the acquisition?
Gupta: It is a good question, but the pandemic was well underway at the time and did not impact our strategy for Chef, before or after the acquisition. As for cloud transformation, I see the pandemic as accelerating the inevitable. Cloud adoption has been unfolding for at least a decade. As a product provider, we of course recognize that businesses still have a significant presence on-prem, as well as in hybrid clouds. One of the great strengths of Chef is its effectiveness in any customer environment—on-prem, multi-cloud or hybrid—in a uniform and consistent way. This versatility is a hallmark of our Chef strategy. Defining configurations and requirements as platform-agnostic code ensures you have the ability to quickly and consistently deploy your solutions on-prem or in the cloud, without having to re-invent your processes.
ADM: How will you sustain the energy of the Chef community?
Gupta: Communities like Chef’s pulse with an energy of their own, but they absolutely need nurturing so they continue to thrive. Progress is 100% committed to serving all three branches of the Chef community.
First is the open source community. We will continue to work with them as active participants, supporting them as Chef did, and Chef will continue to be open source. In fact, on April 28, we are holding the first Chef Community Recognition event to thank the hundreds of open-source contributors who helped accelerate Chef innovation over the past year.
Next is the customer community. Since the acquisition, we have met with hundreds of Chef customers around the world to understand their needs and challenges. We will ensure our product roadmaps continue to evolve to serve their ever-evolving needs.
Finally, we deeply value our Chef partners, the ones who provide complementary technologies to make Chef products even more amazing. We will continue to foster these relationships and achieve success together.
About Yogesh Gupta
A technologist at heart, Yogesh Gupta is passionate about how technology can make life simpler—both for businesses and individuals. Since joining Progress in October 2016 as its President and Chief Executive Officer, he has strengthened the company’s market position, improved customer relationships, launched new products, acquired three companies and significantly improved operating margins and cash flow. Progress has also refreshed its Board of Directors, increasing the diversity of the Board with four new independent members to build a strong new leadership team that can drive further success.
Prior to joining Progress, Yogesh was President and Chief Executive Officer at Kaseya, Inc., a private equity-backed software company providing IT management software solutions to managed service providers. Before Kaseya, he served as the President and Chief Executive Officer of FatWire Software, a VC-backed marketing automation software company. He led FatWire through the great recession and doubled its revenue over four years, leading to a successful exit to Oracle. A 30-year software industry veteran, Yogesh held several corporate officer roles at CA Inc., including the role of Chief Technology Officer for five years and Chief Strategy Officer and head of M&A for two years.
A recognized expert in emerging technologies and industry trends as well as a published author, Yogesh holds a patent in the field of neural networks. He earned a master’s degree in computer science from the University of Wisconsin and a bachelor’s degree in electronics engineering from the Indian Institute of Technology, Madras. He also serves on the boards of Beth Israel Lahey Health System (BILHS) and Massachusetts Technology Leadership Council (MassTLC).