Are you challenged to demonstrate security compliance with strict security controls? Are your systems unexpectedly failing security audits due to your inability to routinely assess your posture? By auditing compliance through agile software delivery, one can reduce the toil of demonstrating an aggressive security posture at scale. InSpec, a compliance as code tool, enables organizations to quickly and frequently produce compliance artifacts while providing a framework for iterative continuous improvement.
In this talk, we will share our journey and challenges encountered leveraging compliance as code to validate system compliance in a federal space. We will share first-hand experience and lessons learned with successfully meeting these challenges. Whether you are a software developer, security professional, or in operations, all can benefit from these concepts.
Interpret Security Technical Implementation Guides (STIGs) into well-defined InSpec.
Collaborate on InSpec controls to unite and articulate your organization’s desired security posture.
Learn methods to inject more contextual information into your InSpec results.
Prepare auditors for this new philosophical approach.
Create orchestration pipelines to execute InSpec at mass scale.
Learn techniques for converting InSpec results into the specific formats auditors require.
Learn from the shared experiences of an engineering manager responsible for the creation of InSpec profiles leveraged to audit systems with stringent federal security requirements.
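As an added illustration of two of the points above, injecting contextual metadata into controls and converting results into an auditor-friendly format, the following Ruby script reads InSpec's JSON reporter output (the `profiles` / `controls` / `results` / `tags` layout InSpec emits with `--reporter json`) and flattens it into a per-control CSV carrying STIG identifiers and severities. This is example code written for this page, not code from the talk, the speaker or Cerner. The embedded report is a constructed sample, not a real scan, and the `stig_id`, `severity` and `gtitle` tag names follow the convention used by published STIG profiles rather than anything defined on this page.

```ruby
require 'json'
require 'csv'

# Constructed sample of InSpec JSON reporter output (not a real scan).
# Each control carries the STIG tags a team would add so the context
# survives into the results an auditor sees.
SAMPLE_INSPEC_JSON = <<~'JSON'
  {
    "profiles": [
      {
        "name": "example-os-baseline",
        "controls": [
          {
            "id": "V-EX-0001",
            "title": "The OS must be a vendor-supported release.",
            "impact": 0.7,
            "tags": {"severity": "high", "gtitle": "SRG-EXAMPLE-0001", "stig_id": "EX-01-000010"},
            "results": [
              {"status": "passed", "code_desc": "File /etc/os-release content is expected to match /VERSION_ID=8/", "message": ""}
            ]
          },
          {
            "id": "V-EX-0002",
            "title": "The SSH daemon must not permit root login.",
            "impact": 0.7,
            "tags": {"severity": "high", "gtitle": "SRG-EXAMPLE-0002", "stig_id": "EX-01-000020"},
            "results": [
              {"status": "failed", "code_desc": "SSHD Configuration PermitRootLogin is expected to eq \"no\"", "message": "expected: \"no\" got: \"yes\""}
            ]
          },
          {
            "id": "V-EX-0003",
            "title": "Audit logs must be forwarded to a remote collector.",
            "impact": 0.5,
            "tags": {"severity": "medium", "gtitle": "SRG-EXAMPLE-0003", "stig_id": "EX-01-000030"},
            "results": [
              {"status": "skipped", "code_desc": "Remote log forwarding", "skip_message": "Not applicable on this host class", "message": ""}
            ]
          }
        ]
      }
    ]
  }
JSON

# Roll individual test results up to one status per control the way InSpec
# does: any failed test fails the control, a control whose tests all skipped
# is skipped, and everything else is passed.
def control_status(control)
  statuses = Array(control['results']).map { |r| r['status'] }
  return 'failed'  if statuses.include?('failed')
  return 'skipped' if !statuses.empty? && statuses.all? { |s| s == 'skipped' }
  'passed'
end

# Flatten every control into a row with the tags auditors ask for
# (STIG ID, severity, SRG) next to the rolled-up status and first failure.
def flatten_controls(report)
  report.fetch('profiles').flat_map do |profile|
    profile.fetch('controls').map do |c|
      tags    = c['tags'] || {}
      failure = Array(c['results']).find { |r| r['status'] == 'failed' }
      {
        'profile'  => profile['name'],
        'control'  => c['id'],
        'stig_id'  => tags['stig_id'],
        'srg'      => tags['gtitle'],
        'severity' => tags['severity'],
        'title'    => c['title'],
        'status'   => control_status(c),
        'finding'  => failure ? failure['message'] : ''
      }
    end
  end
end

# Render the flattened rows as CSV, one header line plus one line per control.
def to_auditor_csv(json_text)
  rows    = flatten_controls(JSON.parse(json_text))
  headers = rows.first.keys
  CSV.generate do |csv|
    csv << headers
    rows.each { |row| csv << row.values_at(*headers) }
  end
end

# Count controls by rolled-up status, e.g. {"passed"=>1, "failed"=>1, "skipped"=>1}.
def summarize(json_text)
  flatten_controls(JSON.parse(json_text)).group_by { |r| r['status'] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_INSPEC_JSON
  puts to_auditor_csv(input)
  puts summarize(input).inspect
end
```

Run it with no arguments to process the embedded sample, or pass the path of a real `inspec exec ... --reporter json:report.json` output file. Keeping the tags on the control rather than in a separate spreadsheet is what makes the conversion mechanical: every row an auditor receives is traceable back to the STIG item it came from.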
Lead Engineering Manager, Cerner