Setting Up the DevOps-Audit Cycle
Organizations that adopt DevOps have an easier time with audits. It works in a cycle: If you get audited regularly, you pay attention to details. Being detail oriented helps you get better at certain tasks because you understand them more deeply.
DevOps promotes delivery in small batch sizes, releasing early and releasing often. These practices force you to improve your mechanics, and that’s what auditors are interested in — how you’re doing what you’re doing. They don’t care if you’re using Java or Python; they do care that you test software regularly, that you document how and why you make changes, and that you track how those changes get done.
Organizations that tend to do well in their DevOps deployments are the kind of organizations that pass audits. They tend to be open and transparent. The ones that fail or stall out are the ones that are closed off, siloed and not able or willing to break down barriers and cultural silos.
Auditing and compliance have actually emerged as a prime motivation for doing DevOps. A large financial services company we’ve worked with had a process where the software team went through 65 steps before it could send a single file into production. Sifting through details relating to each of those steps when the auditors asked for information was a drawn-out process.
If you announce a vulnerability, auditors will want to know what you’ve done about it. If you don’t have a bill of materials for your application, if you don’t understand what versions of your applications are running, then you can’t easily answer the question of where the vulnerability was deployed. Adopting a DevOps practice, the institution now collects information in minutes, rather than days or weeks.
A big defense contractor went through a similar evolution in its DevOps adoption. The contractor used to follow a scrum process, where at the end of each iteration it spent two weeks compiling paperwork on what teams had done. This process helped with mandatory audits, but it was woefully inefficient. Instituting a continuous integration/continuous delivery workflow, the organization was able to reduce the reporting to hours. Instead of having to go to 15 different systems and talk to a bunch of people, teams did the work as they went along, collecting the bulk of the information they had and putting it into a consumable format at the end.
How to Streamline Your Agency’s Audits
If you’re in a highly regulated industry such as government, there are some ways you can configure your DevOps processes to help streamline your audits. Here are a few tips.
- Watch closely for vulnerabilities: You can scan manually or automate the function, but scanning everything is important to ensure you’re spotting bugs early in the process. A lot of organizations will wait to do all the scanning before they put software into production. But a lot of vulnerabilities aren’t uncovered until years and years after they’ve been put into place.
- Understand everything you have in production: Keep an electronic bill of materials about what’s running where — all versions, third-party libraries and open-source components. Know what you’re running, so when it’s time to jump you have the answer the auditors are looking for.
- Value stream mapping: Use it as a framework to understand what your process is. If you don’t collectively have a detailed understanding of the path your code takes, from the time you have the idea to the time it reaches production, you can’t explain to an auditor how things are progressing. This is valuable for organizations starting the process: Anything that helps you automate and orchestrate also helps you audit and be compliant.
- Adopt a holistic approach to software delivery: To conduct an efficient, accurate audit, you need to have information and visibility across your organization. One way to do that is to adopt a software delivery management mindset, which connects all facets of your organization’s software delivery function, from ideation to release to sales and back again, through feedback loops. SDM commits organizations to unfettered information sharing, streamlined communications and a common system of record.
- Don’t ignore culture: You don’t want to be in the kind of organization where a vulnerability gets discovered and you don’t feel comfortable telling a CISO about it. If you don’t have an understanding of how this stuff works, you can’t get through an audit. Culture and communication are all very important if you operate in a highly auditable organization. Somebody’s going to turn that rock over; it’s better if it’s you who raises a problem rather than the auditor.
- Get stakeholders involved: Make sure you get all the right people in the room to set up practices to pull information out for timely audits.
- But don’t try to boil the ocean: If you have 500 products, don’t try to get 500 teams in the room to serve each one. Don’t try to get all stakeholders in one room. Work with a representative sampling of the technologies, platforms and types of products you’re working with. Work with teams that are early adopters and some that aren’t. Don’t try to fix everything at once.
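The two tips on watching for vulnerabilities and on keeping an electronic bill of materials come together in one question auditors ask: where was the vulnerable version deployed? The following Python is an added example written for this page, not code from the article or from any product it mentions. It assumes a deployment inventory kept as a list of service/environment records, each carrying its component versions; the service names, component names and version numbers are constructed, and the advisory-style range (affected from an introduced version up to but excluding the fixed version) is an assumption about how the question is phrased.

```python
"""Answer "where is the vulnerable component deployed?" from an inventory.

Added example for the article's bill-of-materials tip, not its code.
The inventory layout, service names and versions below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Deployment:
    """One deployed unit: which service, in which environment, built from what."""
    service: str
    environment: str
    # component name -> version string, e.g. {"json-parser": "2.14.1"}
    components: dict = field(default_factory=dict)


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    A non-numeric tail on a segment is dropped ('1.2.3-rc1' -> (1, 2, 3)),
    which is a simplification: pre-release ordering is not modelled here.
    """
    parts = []
    for segment in v.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed (assumed advisory convention)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def affected_deployments(inventory, component, introduced, fixed):
    """Return sorted (service, environment, version) tuples running an affected version."""
    hits = []
    for dep in inventory:
        version = dep.components.get(component)
        if version is not None and version_in_range(version, introduced, fixed):
            hits.append((dep.service, dep.environment, version))
    return sorted(hits)


def summarize_by_environment(hits):
    """Group hits by environment so the answer reads 'prod: billing; staging: portal'."""
    summary = {}
    for service, environment, _version in hits:
        summary.setdefault(environment, []).append(service)
    return {env: sorted(services) for env, services in summary.items()}


# Constructed inventory: what a deployment pipeline would record per release.
INVENTORY = [
    Deployment("billing", "prod", {"json-parser": "2.14.1", "http-client": "4.5.0"}),
    Deployment("billing", "staging", {"json-parser": "2.17.1", "http-client": "4.5.0"}),
    Deployment("portal", "prod", {"json-parser": "1.9.0"}),
    Deployment("portal", "staging", {"json-parser": "2.15.0-rc1"}),
    Deployment("reports", "prod", {"http-client": "4.5.0"}),
]


if __name__ == "__main__":
    # Constructed advisory: json-parser affected from 2.0.0 up to (not including) 2.17.1.
    hits = affected_deployments(INVENTORY, "json-parser", "2.0.0", "2.17.1")
    for service, environment, version in hits:
        print(f"{environment:8} {service:10} json-parser {version}")
    print(summarize_by_environment(hits))
```

The point of the exercise is not the version comparison but the discipline of recording the inventory at deploy time: once every release writes its component versions into a record like `INVENTORY`, the auditor's question becomes a query rather than a two-week hunt across systems.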
There’s no reason DevOps and audits can’t be best friends. The initial tensions have subsided, and delivery processes have become more predictable, safer, more secure and more efficient. They’re becoming easier to manage from a compliance standpoint. If you’re in a highly regulated industry, DevOps is one of the best tools you can add to your toolbox.