What is compliance-as-code, and how do you continuously prove compliance? [Advanced]
Answer
Compliance-as-code means expressing compliance controls as automated policies, tests, evidence collection, and continuous monitoring instead of manual screenshots and periodic checks. It helps prove controls are enforced over time, not just documented once.
Technical explanation
Examples include IaC policies, Kubernetes admission policies, CIS benchmark checks, encryption checks, logging checks, and access-review automation.
Evidence should be machine-generated, timestamped, tied to control IDs, and stored in an auditable system.
Manual review still exists for risk acceptance and control design, but routine evidence should be automated.
Hands-on example
Map SOC 2 control CC6.1 to automated checks: MFA enabled, admin roles reviewed, no public admin ports, CloudTrail on, production deploy approvals required. Export daily evidence from policy engines and store it with control ID, timestamp, result, and owner.
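Added example (not code from the original page): one way to express the CC6.1 checks above as code and emit one evidence record per check carrying the control ID, timestamp, result and owner. The account snapshot, the evaluation time, the 90-day review window and the owner name are constructed assumptions; a real run would read the snapshot from the cloud API or a policy engine's findings export.

```python
from datetime import date, datetime, timezone
# Constructed sample snapshot of one cloud account (hypothetical data); in practice
# it would come from the cloud API or a policy engine's findings export.
SNAPSHOT = {
    "iam_users": [
        {"name": "alice", "admin": True, "mfa": True, "last_review": "2024-05-01"},
        {"name": "bob", "admin": False, "mfa": False, "last_review": "2024-01-01"},
    ],
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "cloudtrail_enabled": True,
    "prod_deploy_requires_approval": True,
}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time
ADMIN_PORTS = {22, 3389}                            # SSH, RDP
MAX_REVIEW_AGE_DAYS = 90                            # assumed review cadence

# Each check returns (passed, detail); the detail is kept in the evidence record.
def mfa_enabled(snap, now):
    missing = [u["name"] for u in snap["iam_users"] if not u["mfa"]]
    return not missing, f"users without MFA: {missing}"

def admin_roles_reviewed(snap, now):
    stale = [u["name"] for u in snap["iam_users"] if u["admin"] and
             (now.date() - date.fromisoformat(u["last_review"])).days > MAX_REVIEW_AGE_DAYS]
    return not stale, f"admins not reviewed within {MAX_REVIEW_AGE_DAYS} days: {stale}"

def no_public_admin_ports(snap, now):
    exposed = [(sg["id"], r["port"]) for sg in snap["security_groups"] for r in sg["rules"]
               if r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"]
    return not exposed, f"admin ports open to 0.0.0.0/0: {exposed}"

def cloudtrail_on(snap, now):
    return snap["cloudtrail_enabled"], "CloudTrail enabled"

def deploy_approvals_required(snap, now):
    return snap["prod_deploy_requires_approval"], "prod deploys require approval"

CC6_1_CHECKS = [mfa_enabled, admin_roles_reviewed, no_public_admin_ports,
                cloudtrail_on, deploy_approvals_required]

def collect_evidence(snap, now, owner="cloud-platform-team"):
    """Run every CC6.1 check; return one timestamped record per check, tied to the control ID."""
    results = {c.__name__: c(snap, now) for c in CC6_1_CHECKS}
    return [{"control_id": "CC6.1", "check": name, "timestamp": now.isoformat(),
             "result": "PASS" if ok else "FAIL", "owner": owner, "detail": detail}
            for name, (ok, detail) in results.items()]
```

Scheduling `collect_evidence` daily and appending its records to an append-only store gives the continuous, machine-generated evidence the answer describes; the FAIL records (here, a user without MFA and SSH open to the internet) are the items that need an owner to act on.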