Compliance is a major concern for nearly every company. Especially on the topics of 'when is good good enough?' and generating and delivering evidence, development teams can get stuck for weeks on end proving that security and compliance standards are being met, if they are being met in the first place. The other side of the coin (roles like compliance and security officers) runs into similar problems. Coordinating and performing controls, activities that are often done by hand and appear as huge, dreaded checklists in Excel, costs huge amounts of time on both sides. We'd rather spend that time further improving our systems. So let's get that toil out of the system with a case study demonstrating how commonly used tools, techniques and patterns can also be applied to automating COBIT-style key controls:
- BDD style testing (‘Given, When, Then’) using Python & behave, to write acceptance tests on whether we are actually compliant
- Setting up a Compliance/Evidence API that can be used to store and tag evidence, with the goal of making the storage behind it a ‘Self Service Evidence Store’
- Building a reactive architecture with tools like Azure Event Grid to respond to actions within your landscape; e.g. provisioning development resources to be compliant by design and automatically generating additions to existing resources, like self-service access profiles or pipeline building blocks (compliance does not have to exclude development enablement, after all!)
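To make the first two points concrete, here is an added example (not code from the talk or its author) of one COBIT-style key control written as behave step definitions, with the check producing a tagged evidence record of the kind an Evidence API would store. The control "STO-01", the resource inventory and the field names are constructed assumptions; in a real project the feature text lives in `features/` and this module in `features/steps/`, and the scenario deliberately fails because one constructed account exposes a public container.

```python
"""Added example (not from the talk): key control STO-01 as behave steps.
Feature text would live in features/, this module in features/steps/."""
from datetime import datetime, timezone

try:
    from behave import given, when, then
except ImportError:  # assumption: behave may be missing; steps stay importable
    def _passthrough(pattern):
        return lambda func: func
    given = when = then = _passthrough

FEATURE = """Feature: Key control STO-01, storage accounts are hardened
  Scenario: Production storage enforces HTTPS and denies public blob access
    Given the resource inventory of subscription "prod"
    When key control "STO-01" is evaluated
    Then every resource is compliant
"""

# Constructed inventory: one compliant account, one exposing a public container.
INVENTORY = {"prod": [
    {"name": "stprodlogs", "https_only": True, "public_blob_access": False},
    {"name": "stprodshare", "https_only": True, "public_blob_access": True},
]}

def evaluate_control(resources):
    """Names of resources violating STO-01 (HTTPS-only and no public blobs)."""
    return [r["name"] for r in resources
            if not r["https_only"] or r["public_blob_access"]]

def build_evidence(control_id, scope, resources):
    """Tagged evidence record, shaped for a self-service evidence store."""
    findings = evaluate_control(resources)
    return {"control": control_id, "tags": [control_id, scope],
            "status": "PASS" if not findings else "FAIL", "findings": findings,
            "collected_at": datetime.now(timezone.utc).isoformat()}

@given('the resource inventory of subscription "{scope}"')
def step_inventory(context, scope):
    context.scope, context.resources = scope, INVENTORY[scope]

@when('key control "{control_id}" is evaluated')
def step_evaluate(context, control_id):
    context.evidence = build_evidence(control_id, context.scope, context.resources)

@then("every resource is compliant")
def step_compliant(context):
    # Fails the scenario with the offending resources named in the report.
    assert not context.evidence["findings"], context.evidence["findings"]
```

Running `behave` against the feature text yields a failing scenario naming `stprodshare`, while the evidence record (status, findings, tags, timestamp) is what gets pushed to the evidence store regardless of outcome.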
Engineering consultant with leadership, development, operations and cloud engineering experience. Leading a team of fellow consultants and engineers and ensuring they develop to their fullest potential. Certified trainer and workshop host, love to talk about prior experiences and how I tend to tackle things, particularly in the areas of DevOps mindset/behaviours, cloud(-native) architecture and compliance automation. Specialist in compliance automation (or IT control automation), reactive architecture and SDLC tooling, including GitLab, ADO, Serverless and others. Experienced in setting up automation, improvement and migration activities related to these types of tools and products. Always looking for new things to add to or improve my arsenal.