Orchestrating Compliance Across the Software Development Life Cycle

The urgency to deliver innovative software must be balanced against the need for compliance with internal policies and regulatory standards. This blog explores how CloudBees addresses this challenge by integrating our CloudBees Continuous Delivery/Release Orchestration and CloudBees Security & Compliance products.

Software releases must consistently adhere to technology and cybersecurity frameworks, especially in highly regulated industries. These are designed to manage confidentiality, integrity, and availability risks related to their systems and data. Meanwhile, the need to constantly deliver innovation while meeting ever-changing regulatory frameworks such as PCI DSS, FedRAMP, and SOC2 adds complexity to the process.  The impact of not solving this problem can be severe, including non-compliance and regulatory penalties, data breach costs, slow reactions to audit requests, and more. 

Proving compliance as part of software releases is needed to inform go/no-go decision-making and show auditors and risk stewards that they adhere to best practices. Product teams perform different compliance tasks during software delivery, such as:

• Hard-coding steps in their pipeline stages to trigger security scanning tools,

• Checking whether the relevant stakeholders approve changes,

• Ensuring testing and roll-back plans are in place,

• Validating whether the number of findings is within the threshold release,

• Responding to audit requests and providing evidence that they have performed compliance tasks per the organization's policies.
  

The process for evidencing the completion of compliance tasks has often been a combination of manual and semi-automated exercises. It involves multiple resources collecting point-in-time artifacts from various other teams and systems and then sharing them with auditors and risk stewards. Once the pipeline deploys software into production, it loses its ability to track security and compliance.  

Automation is required to fix these challenges. However, finding a collection of individuals who understand the entire process takes time and effort. And even if successful, it comes at the expense of other mission-critical projects. 

Existing approaches to compliance within the software development lifecycle (SDLC) have mainly focused on: the source code and binary aspects, the infrastructure aspect, and/or the process via manual documentation upload. The mapping of compliance tasks to industry frameworks is limited.  As such, no solutions are currently designed to automate SDLC-compliant pipelines. 

This gap forces teams to resort to suboptimal approaches like Excel, manual trackers, or hard-coding additional logic/tool checks into their pipelines. For example, designing pipelines to analyze results and then making decisions or setting priorities based on the analysis. The result is brittle, clunky, and unscalable pipelines. Thus, when evaluating solutions, organizations should strive for the following: 

• Model and refactor pipelines to perform tasks in a controlled way (for example, ensuring tests at particular stages),

• Seek a solution removed from the pipeline to watch the entire ecosystem (commit to production) to catch things often missed by pipelines and to rationalize and prioritize issues. 

Combining these allows pipelines to automatically promote or break a build based on contextualized risk rather than pass/fail criteria.

CloudBees adopts a fresh approach whereby security and compliance tasks run continuously alongside the software delivery process.

CloudBees Continuous Delivery/Release Orchestration (CloudBees CD/RO) is an enterprise-grade DevOps release automation solution that simplifies the provisioning, building, and releasing of multi-tiered applications. Its model-driven approach to managing environments, applications, and microservices allows teams to coordinate multiple pipelines and releases across the environments in an efficient, predictable, and auditable way. 

CloudBees Security & Compliance (CloudBees S&C) provides an innovative, automated, ‘compliance as code’ platform that enables you to eliminate manual effort and disruption while simplifying your CI/CD pipelines. By externalizing all security and compliance tasks from your pipeline, its approach simplifies your engineering workflows, enhances operational efficiency, and reduces the cognitive workload on your development teams. CloudBees S&C is an independent platform that automates and enforces security and compliance tasks by leveraging your existing SDLC tools and automatically maps security and compliance evidence to industry standards such as FedRAMP, PCI-DSS, NIST, or your custom controls, enabling teams to respond to requests from auditors.

These are complementary solutions that each: 

• Focus on solving enterprise-grade problems, emphasizing releasing software faster and more securely. 

• Allow for autonomy in tool selection while providing the necessary visibility and guardrails across the entire SDLC. 

• Automate evidence collection to generate real-time audit reports. 

Where they differ, and where this integration comes into play, is the context gathered (pass/fail vs. risk-based) and where the logic resides (inclusion in the pipeline vs. pipeline independent). 

Before this integration, developers relied on configuring their pipelines to validate security and compliance task outcomes. Each team needed to implement steps to call security scanning tools and process their outcomes. For example, the following diagram illustrates a ‘before’ our integration scenario, highlighting predefined tasks for various SAST and DAST scanning tools baked into the release pipeline.

CloudBees CD/RO release v23.08.0 is the first phase of this integration. CloudBees CD/RO integrates with CloudBees S&C to provide security compliance checks for the pipeline, continuously ensuring internal policy adherence. The following diagram shows how these Compliance Checks appear within an Exit Gate for CD/RO.

When you execute CD/RO pipelines, the CD/RO gating will contact the CloudBees S&C endpoint to decide on the application security and compliance adherence to enable progress to the next stage. Our integrated solution occurs as follows:

• CloudBees CD/RO will contain defined pipelines associated with an application with various stages: development, quality assurance, user acceptance, and production. 

• CloudBees S&C responds to events occurring on your source code repository (e.g., commit, pull request, new branch creation), newly built binary packages and containers artifacts stored in binary repositories (e.g., push events), and infrastructure events (e.g., new container deployed, changes to resources metadata) and triggers the relevant security and compliance accordingly. The compliance posture is then continuously updated on a per-application environment basis. 

• CloudBees S&C offers an API that can be invoked securely from the CD/RO gate to decide whether the promotion from one environment to another can proceed if the security and compliance checks pass.

• CloudBees CD/RO and CloudBees CI API communication can be configured to enable mutual authentication over a secure network protocol.

These steps occur without interfering with the developer's workflow by feeding compliance task outcomes in the release orchestration gating steps for decision-making.

Through this integration, enterprises can ensure SDLC-wide compliance automatically without burdening developers. This way, governance can be streamlined across all teams, reducing the risk of non-compliant pipelines and improving audit response time. The result is teams can go fast and safe by empowering enterprises to:

• Reduce Waste: Centralize governance and compliance across the SDLC by automating policies that reduce manual intervention. Using contextual insights allows developers to focus on the right tasks and eliminate noise associated with “alert storms.”

• Optimize Developer Experience: Safely reduce the toil placed on developers by prioritizing risk and automating compliance and governance requirements.

• Increase Delivery Velocity: Automating security and compliance decisions through a shared library outside the pipeline enables predictable, repeatable, and governed releases across teams and tooling.

By externalizing all security and compliance tasks to CloudBees S&C, engineers can focus on what they do best – build, test and deploy software at the required pace. The following image illustrates how all the security checks from our earlier screenshot are captured in a single ‘Compliance Check’ task as part of the exit gate criteria to move from Dev to QA. 

Delivering software at the speed customers demand while adhering to regulatory compliance is challenging. Failure to address these requirements can have severe consequences, such as regulatory fines and wasted resources. Enterprises are trying to solve this through suboptimal approaches without the benefit of a solution specifically designed to address this problem. 

By integrating CloudBees CD/RO and CloudBees S&C, enterprises can automatically scan releases and pipelines defined in CloudBees CD/RO, showing whether they comply with the policies described in CloudBees S&C. This will enable teams to release software fast and safely without burdening the developers. 

CloudBees is committed to providing solutions enabling enterprises to deliver software faster, safer, and fully compliant. Stay tuned for future updates on enhancements for our integrated solutions and how they can transform your software delivery process.

• Learn more about CloudBees CD/RO

• Learn more about CloudBees Security & Compliance

• Docs: Learn how to set up a Compliance Check rule in CloudBees CD/RO

• Docs: Learn how to configure this integration within CloudBees Security & Compliance