
Attestations: An Introduction to the Backbone of Compliance


Building software is a risky business, and risks have emerged faster than our ability to mitigate them. As the SolarWinds attack showed us, every step in your DevSecOps pipeline introduces new weak points that can be exploited by bad actors. Regulators have rightly taken an aggressive approach to this problem, and are in the midst of rolling out a tidal wave of new requirements that will hold software companies accountable for their efforts to mitigate the inherent risks of their business.

But the good news for software companies is that you already have most of the information that you need to both mitigate risk and prove your compliance. You just need a way to extricate it.

Your DevSecOps pipeline produces reams of evidence on a daily basis. Each pull request, build, scan, and deployment is an event that produces evidence that should be used for security and compliance. Gone are the days when a simple screenshot or checkbox will serve this purpose. Humans are error-prone and untrustworthy. “Take my word for it” can no longer be our default method of proving compliance, and early attempts to automate this process run afoul of basic legal principles.

That’s where attestations come in.

People often ask us where the name “Fianu” comes from. It originates from the Irish word fianú, which means “attestation.”

Attestations are the unit of measurement for software compliance. Auditors, regulators, and stakeholders rely on attestations to verify that you’re adhering to the necessary risk management policies and procedures.

Automated governance is the process of using software to capture evidence, enforce policy, and generate attestations to prove the compliance of your software. For this reason, attestations are the foundation of automated governance, and Fianu was created for this very purpose.

Fianu captures evidence throughout the software development lifecycle. From first commit to production release, Fianu uses a combination of third-party integrations and plugins to produce context-rich evidence that outlines your software’s journey through the DevSecOps pipeline.

Using this evidence, Fianu generates an auditable ledger of attestations that can be used to enforce policy, mitigate unintended risks, and prove compliance.

Fianu attestations are produced from three components:

  1. Event data
  2. Policy
  3. Rule

When an event is received, Fianu identifies the software asset in question, computes the applicable policy, and executes an OPA (Open Policy Agent) rule that compares the policy against the event data to produce a pass or fail decision.

Fianu attestations include additional context that allows you to tell the story of a software artifact and its journey to production. A complete attestation does the following:

  1. Declares what events occurred
  2. Identifies the asset in question
  3. Timestamps with context
  4. Describes the conditions that created this event
  5. Details the output of the event
  6. Shows the compliance status (pass or fail)
  7. Provides sufficient information to reproduce the result
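The event, policy and rule flow described above, and the seven fields a complete attestation carries, as an added example that is not Fianu's own code. Fianu evaluates its rules in OPA; the Python rule function, the policy thresholds, the field names, the SHA-256 digest scheme and the sample scan event below are all assumptions made for illustration, and the event data is constructed, not captured from a real pipeline.

```python
import hashlib
import json
from copy import deepcopy

# Constructed sample event (not real Fianu data): a container-image
# vulnerability scan with one critical and two high findings.
SAMPLE_EVENT = {
    "type": "vulnerability_scan",
    "asset": "registry.example.com/payments-api@sha256:3f2a9c1b7d4e",
    "occurred_at": "2024-05-01T12:00:00Z",
    "context": {"pipeline": "ci", "commit": "a1b2c3d",
                "scanner": "example-scanner", "scanner_version": "1.0"},
    "findings": [
        {"id": "finding-1", "package": "libexample", "severity": "critical"},
        {"id": "finding-2", "package": "libother", "severity": "high"},
        {"id": "finding-3", "package": "libthird", "severity": "high"},
    ],
}

# Hypothetical policy (assumption): thresholds the asset must satisfy.
POLICY = {"name": "vuln-thresholds", "version": 1, "max_critical": 0, "max_high": 3}


def rule_vuln_thresholds(event, policy):
    """Hypothetical rule: count findings per severity and compare to policy.
    Returns (passed, output); output is what the attestation records."""
    counts = {"critical": 0, "high": 0}
    for finding in event["findings"]:
        if finding["severity"] in counts:
            counts[finding["severity"]] += 1
    passed = (counts["critical"] <= policy["max_critical"]
              and counts["high"] <= policy["max_high"])
    return passed, counts


def canonical_digest(obj):
    """SHA-256 over canonical JSON so identical inputs always hash the same."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_attestation(event, policy, rule):
    """Produce an attestation carrying the seven fields listed in the text."""
    passed, output = rule(event, policy)
    return {
        "event_type": event["type"],              # 1. what occurred
        "asset": event["asset"],                  # 2. the asset in question
        "occurred_at": event["occurred_at"],      # 3. timestamp
        "conditions": event["context"],           # 4. conditions behind the event
        "output": output,                         # 5. output of the event
        "status": "pass" if passed else "fail",   # 6. compliance status
        "reproduce": {                            # 7. enough to rerun the decision
            "event_digest": canonical_digest(event),
            "policy": policy,
            "rule": rule.__name__,
        },
    }


def verify_attestation(attestation, event, policy, rule):
    """Re-derive the attestation from the claimed inputs. Tampering with the
    event, the policy or the recorded status makes this return False."""
    if canonical_digest(event) != attestation["reproduce"]["event_digest"]:
        return False
    return build_attestation(event, policy, rule) == attestation


def passing_event():
    """The same scan after the critical finding is remediated (constructed)."""
    event = deepcopy(SAMPLE_EVENT)
    event["findings"] = [f for f in event["findings"] if f["severity"] != "critical"]
    return event


if __name__ == "__main__":
    print(json.dumps(build_attestation(SAMPLE_EVENT, POLICY, rule_vuln_thresholds), indent=2))
```

The point of the `reproduce` field is that an auditor does not have to take the recorded `status` on faith: given the same event data, policy and rule version, `verify_attestation` recomputes the decision, and a record whose status was edited after the fact, or whose event data no longer matches the digest, fails verification.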

Attestations are essential for validating compliance in software development. Automated governance platforms, like Fianu, capture and leverage data from every stage of the DevSecOps pipeline to create attestations. These attestations provide a transparent and auditable record, demonstrating adherence to security standards and regulatory requirements throughout the development process, and safeguard the integrity of the final software product by ensuring that all activities meet the established policies and procedures.

Ready to get started?

Schedule a demo today!