DevSecOps, Engineering

Regulatory and security compliance is one of these issues that, firstly, is growing more and more complex as regulation increases in volume, and, secondly, is not going away anytime soon. Investment banks currently spend about 72% of their profits on complying with regulation and 80% state that they are changing their business strategy in response to regulatory changes. [1]

There are several reasons why all enterprises have such difficulty complying with regulation.

Firstly, the regulation is itself quite ambiguous and changes regularly. The only way to deal with this high frequency of change is to be able to incorporate compliance requirements into the software delivery pipeline in an agile way.

Secondly, much of the processes around engineering compliance are slowed down by the huge amount of manual work involved, which makes compliance an incredibly slow process. This lack of automation also results in snowflake servers and and divergent environments, the status of which is hard to determine.

Compliance is therefore typically a slow, largely manual and cumbersome process that cannot respond quickly to market changes.

This situation can be hugely improved by moving towards compliance as code. This is a derivative of infrastructure as code that means that the requirements for regulatory and security compliance broken down into chunks and are embedded into the servers you provision, the environments you build and the code that you deploy.

Using configuration management, then you can ensure that your infrastructure is being near-constantly monitored and reconverged on your desired (i.e. compliant) state. This means that compliance is automatically enforced across your entire IT infrastructure and the software you build on it. Regular scanning and reporting means that any issues are identified and can be remedied as early as possible in the software delivery pipeline. This also means that, should an auditor turn up on your doorstep, your are in a position to provide an instant report on your compliance status.

Daniel Hurst, Financial Services Account Principal at Contino, presents a demo below to demonstrate how compliance as code works using Chef Compliance, Inspec, Prometheus and Grafana.  

Code repos can be found here:

Sample InSpec profile:

Chef Compliance Exporter:

Prometheus node exporter:


[1] Accenture. From Impact to Implementation: Addressing the Key Technology Impacts from Markets in Financial Instruments Directive II

  • Daniel Hurst

    Account Principal