My name is Greg Elin. I was the first chief data officer in the federal government, where I learned that compliance often required heroic efforts, which is why I'm here to talk about how to automate compliance if you aren't Chuck Norris. So first I want to thank DevOps for helping me learn how to automate. I have learned so much through DevOpsDays, and I'd also, of course, like to thank you, Chuck Norris, for letting me live.

Now Chuck Norris, he doesn't need to audit because his servers just comply. The rest of us have a problem. Everything is getting faster in our world with all the tools we use, but compliance is really struggling to keep up because it's a paper-based process and documents. So the four P's to solving your problem if you're not Chuck Norris is to prepare paperwork as part of your pipeline. The way to remember it is that Chuck Norris' method of attack: continuous delivery.

Now it all starts with agile. Chuck Norris wins Scrum because he has no blockers. What we can do is we can include cybersecurity-related stories as part of our agile backlog and then pick those off as we're actually doing the work. We can also build a Docker scanning instance into our CI pipeline so we can scan with every build. Chuck Norris doesn't use Docker because nothing can contain Chuck Norris. I want to repeat this point because it's really important. Security people in the room, let developers scan. There are some great tools from OpenSCAP, thank you, OpenSCAP, InSpec, Chef Otis. Now scanning doesn't matter to Chuck Norris; everything has a vulnerability.

Now Chuck Norris' servers don't go down, they throw down. So you can also include your penetration test as part of your automated test using tools like OWASP or Gauntlt. And if you look, there are opportunities to integrate those directly with Jenkins. This is audience participation. Chuck Norris only uses Ansible, Chef or Salt because Chuck Norris is nobody's... Very good, excellent.
All right, Chuck Norris replaced XML with YARC, yet another roundhouse kick. OpenControl is this new idea of replacing Word documents for compliance with YAML. You can go to opencontrol.org and you can learn more about it. That's what I'm going to talk about next through these slides. The major benefit is if we start using YAML, we can produce digital system security plans as well as paperwork plans.

I don't know if you know, but Netflix replaced Chaos Monkey with Chuck Norris. If you treat your servers like pets, Chuck Norris will kill them. So don't treat your documents like pets either. The idea behind OpenControl is to break them up and put them into code repositories and manage them like code. Chuck Norris is the one guy that doesn't have to do PagerDuty.

So this is an example of some OpenControl format. You can see at the very bottom how we have a particular tool, a UAA server, that is actually contributing to a control of the NIST 800-53. And the idea is that we can actually get a flow in the supply chain of documentation for compliance, and we can then assemble our whole system security plan automatically. And by the way, Chuck Norris is the reason kernels panic.

All right, the OpenControl community is real: 18F in the government, Pivotal is involved with it. Also, Docker has released some OpenControl, Red Hat is doing it. And remember that the only shell Chuck Norris ever uses is Bash. If you want to get started with OpenControl and try this compliance automation, look for the Freedonia compliance tutorial. It'll introduce you. It's very simple. Also, never name a directory Chuck Norris because you can't slash Chuck Norris and live.

Lastly, remember to monitor your software supply chain the same way that you monitor your commits. Tools like Ion Channel or Sonatype. And if you include Chuck Norris in your code base, your process can't be killed ever.
All right, so I want you to all pledge to use at least one tool in your compliance pipeline or in your CI pipeline related to compliance. They're up here, and Chuck Norris's Hello World app was kill -9. So right, everybody, choose one tool that you pledge to add to your pipeline that you're going to check out. Just choose one of those, from InSpec, to OpenSCAP, to Sonatype, et cetera. And remember that Chuck Norris is watching. Now we can't all be Chuck Norris, but when we automate, Chuck Norris approves. Thank you very much.
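The talk's idea of components contributing narratives to NIST 800-53 controls and the system security plan being assembled automatically, as an added example that is not from the talk or from the OpenControl project. The field names (`satisfies`, `standard_key`, `control_key`, `narrative`, `implementation_status`) follow my recollection of the OpenControl component schema and are an assumption, and the component records are constructed sample data standing in for parsed component.yaml files.

```python
"""Assemble a minimal SSP from OpenControl-style component records.

Added example. The dict layout approximates the OpenControl component
schema from memory (assumption); the two components below are constructed.
"""
from collections import defaultdict

# Constructed sample: what two component.yaml files would parse to.
COMPONENTS = [
    {"name": "UAA server", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2",
         "implementation_status": "complete",
         "narrative": [{"text": "UAA creates and disables user accounts."}]},
        {"standard_key": "NIST-800-53", "control_key": "IA-2",
         "implementation_status": "partial",
         "narrative": [{"text": "UAA authenticates users with OAuth2."}]},
    ]},
    {"name": "CI pipeline", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "RA-5",
         "implementation_status": "complete",
         "narrative": [{"text": "OpenSCAP scans every Docker build."}]},
    ]},
]

# Constructed control baseline the system must address.
REQUIRED = {"NIST-800-53": ["AC-2", "IA-2", "RA-5", "SI-4"]}


def assemble(components, required):
    """Map (standard, control) -> [(component, status, narrative)] and
    return it with the list of required controls no component claims."""
    covered = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            key = (sat["standard_key"], sat["control_key"])
            text = " ".join(n["text"] for n in sat.get("narrative", []))
            status = sat.get("implementation_status", "unknown")
            covered[key].append((comp["name"], status, text))
    gaps = [(std, c) for std, ctrls in required.items()
            for c in ctrls if (std, c) not in covered]
    return dict(covered), gaps


def render(covered, gaps):
    """Emit the SSP as markdown; gaps get an explicit GAP entry so they
    cannot silently disappear from the document."""
    lines = []
    for std, ctrl in sorted(covered):
        lines.append(f"## {std} {ctrl}")
        lines += [f"- {n} [{s}]: {t}" for n, s, t in covered[(std, ctrl)]]
    for std, ctrl in gaps:
        lines.append(f"## {std} {ctrl}\n- GAP: no component claims this control")
    return "\n".join(lines)
```

Running `render(*assemble(COMPONENTS, REQUIRED))` produces the control-by-control plan with SI-4 flagged as a gap and IA-2 marked partial, which is the kind of check that belongs in the CI job alongside the scanners.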