Compliance as Code: A Study of Linux Distributions and Beyond

Jukka Ruohonen, Esmot Ara Tuli, Hiraku Morita

TL;DR

An empirical analysis of a compliance as code project addressing open source software projects and products finds that the rules can be mapped to the essential cyber security requirements of the Cyber Resilience Act (CRA), although only modest agreement exists among the three authors regarding individual mappings.

Abstract

Compliance as code is an emerging idea about automating compliance through programmed compliance controls and checks. Given the scant existing research thus far, the paper presents an empirical analysis of a compliance as code project addressing open source software (OSS) projects and products. The dataset examined covers a little over 1,500 unique compliance rules designed and implemented for 14 Linux distribution releases from five vendors. According to the results, (1) the coverage of the rules varies across the five vendors. Then, (2) the brief rationales provided for the rules do not exhibit statistical similarities, but the short code snippets for these do show similarities to some extent. Furthermore, (3) as many as 24 controls are covered from over 10 different organizations, among them governmental agencies, standardization organizations, and non-profit associations. Finally, (4) the rules can be mapped to the essential cyber security requirements of the Cyber Resilience Act (CRA), although only modest agreement exists among the three authors regarding individual mappings. This observation supports an argument that the compliance as code project studied could be updated with new compliance checks. Given that operating systems are also in the CRA's scope when used in a network-connected product, such an update would also have practical relevance in the near future.

Paper Structure

This paper contains 13 sections, 5 figures, and 3 tables.

Figures (5)

  • Figure 1: Concepts as a Knowledge Graph Representation
  • Figure 2: Severity Rankings of the Rules Across Products (Projects)
  • Figure 3: Cosine Similarities
  • Figure 6: A Random Sample of 500 Rules Mapped to the CRA's Essential Requirements
  • Figure 7: Mappings Done by the First Author for All Rules in Relation to the Controls in Table \ref{tab: controls} (sizes of vertices scaled by their degrees and edge widths by their weights)