Compliance as Code: A Study of Linux Distributions and Beyond
Jukka Ruohonen, Esmot Ara Tuli, Hiraku Morita

TL;DR
This paper empirically analyzes a compliance as code project for Linux distributions, finding that rule coverage varies across vendors, that the rules' code snippets (but not their rationales) show measurable similarity, and that the rules can be mapped onto the requirements of cybersecurity standards and regulations.
Contribution
It provides the first detailed empirical study of compliance as code in open source Linux distributions, highlighting coverage, similarities, and mapping to cybersecurity regulations.
Findings
Coverage of the compliance rules varies across the five vendors.
The rules' short code snippets show some statistical similarity even though their brief rationales do not.
The rules are mapped to the cybersecurity requirements of the EU Cyber Resilience Act (CRA).
Abstract
Compliance as code is an emerging idea about automating compliance through programmed compliance controls and checks. Given the scant existing research, the paper presents an empirical analysis of a compliance as code project addressing open source software (OSS) projects and products. The dataset examined covers a little over 1,500 unique compliance rules designed and implemented for 14 Linux distribution releases from five vendors. According to the results, (1) the coverage of the rules varies across the five vendors. Then, (2) the brief rationales provided for the rules do not exhibit statistical similarities, but the short code snippets implementing them do show similarities to some extent. Furthermore, (3) as many as 24 controls are covered from over 10 different organizations, among them governmental agencies, standardization organizations, and non-profit associations. Finally, (4)…
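To make the abstract's notion of a programmed compliance control concrete, here is an added example of what one such rule looks like in practice: a brief rationale, a short check snippet, a remediation, and a mapping to the controls the rule is meant to satisfy. This is illustrative code written for this page, not the studied project's own rules, and the rule identifier, the control references and the sample sshd_config are all constructed placeholders. The one technical point it demonstrates beyond the text is why a check snippet needs more care than a grep: sshd honours the first uncommented occurrence of a keyword and ignores later duplicates, and directives inside a Match block apply only conditionally.

```shell
#!/bin/sh
# Added example, not the studied project's code: one compliance-as-code rule
# with rationale, check, remediation and control mapping. The rule ID and the
# references are illustrative placeholders, not real identifiers.

RULE_ID="sshd_disable_root_login"              # hypothetical rule identifier
RULE_RATIONALE="Direct root logins over SSH lose the record of who became root and turn one guessed password into full compromise."
RULE_REFERENCES="cis nist-800-53 cra-annex-i"    # placeholder control mapping

# Writes a constructed sshd_config to $1 so the example runs offline.
# It contains a commented-out default, a duplicate directive (sshd uses the
# first one) and a Match block: three traps for a naive 'grep PermitRootLogin no'.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not captured from a real host
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
}

# Effective global value of a keyword ($2) in config file ($1): the first
# uncommented occurrence wins, keywords are case-insensitive, and anything
# after the first Match line is conditional, so parsing stops there.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# The check: passes (exit 0) only if PermitRootLogin is explicitly "no".
# An absent directive fails too, because the default (prohibit-password)
# still permits key-based root logins.
check_sshd_disable_root_login() {
    value="$(sshd_effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')"
    [ "$value" = "no" ]
}

# Remediation: prepend the hardened directive so it becomes the effective one,
# and comment out existing global occurrences. Directives inside Match blocks
# are left alone; changing them would alter per-host behaviour.
remediate_sshd_disable_root_login() {
    tmp="$(mktemp)"
    {
        printf 'PermitRootLogin no\n'
        awk '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == "permitrootlogin" { print "#" $0; next }
            { print }
        ' "$1"
    } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Report in the form a scanner would emit; the exit status is the verdict.
run_rule() {
    if check_sshd_disable_root_login "$1"; then
        echo "PASS $RULE_ID [$RULE_REFERENCES]"
    else
        echo "FAIL $RULE_ID [$RULE_REFERENCES]: $RULE_RATIONALE"
        return 1
    fi
}

# Stand-alone run: the sample fails, is remediated, then passes.
demo_cfg="$(mktemp)"
write_sample_config "$demo_cfg"
run_rule "$demo_cfg" || :
remediate_sshd_disable_root_login "$demo_cfg"
run_rule "$demo_cfg" || :
rm -f "$demo_cfg"
```

Run it with any POSIX sh; it writes only to temporary files. The check and the remediation share one parsing rule (first uncommented directive before any Match block), which is the property a reviewer should look for when judging whether a rule's check and fix snippets actually agree with each other.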
Taxonomy
Topics: Information and Cyber Security · Access Control and Trust · Cybersecurity and Cyber Warfare Studies
