Here’s how it works
Quickly set up our CLI (cowctl) and perform the following:
- Create/select tasks to compose a rule.
- Create/select an application connector and configure its access credentials.
- Test the rule against the application to produce evidence.
- Execute with runtime application credentials to produce evidence and compliance scores.
Our Objectives
Adopt automation
Enable engineering teams, together with Security and GRC, to freely adopt automated security controls and contribute to them, bringing engineering, security and GRC teams closer.
Reduce the cost of compliance
Enable GRC teams to build and share rules that help each other and the community at large, reducing manual toil and the cost of security compliance.
Enhance efficiency
Reduce resistance from internal auditors and QSAs so that they readily adopt the evidence for review and attestation.
How can this project help?
Complex rules
Rules for evaluating security compliance are typically more complex than simple key-value checks. Open Security Compliance allows you to chain tasks that can perform complex compliance checks.
Standardizing Evidence
There is a lack of standardization of evidence structure for security compliance. This project can help the community build, in open source, standard inputs and outputs that all stakeholders (security and compliance engineers and auditors) can agree on.
Creating Security Compliance Best Practices
By providing a standardized and reusable framework, we as a community can quickly build best practices, especially for Cloud and Kubernetes environments.
Extending SecOps' Automation for Compliance
Currently, rules can be developed in Python and Go for high performance. We will shortly also provide rules that leverage other open source and well-known commercial policy engines such as OPA, Semgrep and AWS Config.
Integrate Security Compliance Harness in CI/CD Pipeline
Shift security compliance left by executing these rules and rule groups early in the product release lifecycle, giving engineers insight into security compliance checks.
Respond to and Remediate Gaps
Why stop with assessments? Let us use the building blocks to provide guided and automated remediation.