OPA is being advanced under the auspices of the Cloud Native Computing Foundation (CNCF). It became an incubating project in 2019 and officially graduated in February 2021. Gentele suggests that more time should pass before one approach is officially designated as graduated over another. The CNCF makes it clear it is not trying to pick a winner in any category, but assigning a project top-level status creates a perception within the larger open source community that might discourage additional innovation, notes Gentele.
Regardless, it’s not uncommon for the CNCF to adopt projects that address the same issue in a different manner once it’s deemed there is a sufficient level of support for a project.
The compliance framework is the second open source project launched by Loft Labs in as many months. The company has also launched the open source vcluster project, a tool that runs virtual Kubernetes clusters inside namespaces of a shared host cluster, so that multiple teams and applications can share one physical cluster while each works in its own isolated control plane.
As DevSecOps best practices for managing security as code continue to gain traction, it is only a matter of time before more organizations start to manage compliance as code as well. As with security, the challenge is to make compliance as code a natural extension of a DevOps workflow without significantly slowing down the rate at which applications are developed.
Just as in security, there are whole cadres of IT professionals who focus on compliance management. The processes those compliance teams employ will need to be aligned with DevSecOps workflows.
It is conceivable that the motivation to incorporate compliance tools into DevOps workflows is actually higher than it is for security tools. There is a very real, quantifiable cost when a compliance mandate is not met or is simply ignored. In contrast, security is perceived as a potential risk that might create some unknown cost, which makes it challenging to ascribe a specific return on investment to any security tool.
One way or another, however, both compliance and security will become extensions of DevOps workflows. There may even come a day when both security and compliance are just one more requirement in a larger quality assurance process that most application development teams, to varying degrees, already implement.