An Unlikely Union: DevOps and Audit
Information Security and Compliance Practices
Many organizations are adopting DevOps patterns and practices, and are enjoying the benefits that come from that adoption: more speed, higher quality, and better value. However, organizations often get stymied when dealing with information security, compliance, and audit requirements. There seems to be a misconception that DevOps practices won’t work in organizations that are subject to SOX or PCI regulations. In this paper, we provide some high-level guidance on three major concerns about DevOps practices:
- DevOps and Change Control
- DevOps and Security
- DevOps and Separation of Duties
Tactics for Implementing Test Automation for Legacy Code
This paper addresses how to meet and overcome the challenges associated with test automation for legacy code. It looks at the type of company that may have a need for test automation, along with the typical organizational structure found there. It then walks through an approach for justifying test automation within your organization, providing pillars for that justification, objections that are commonly raised, and tactics for overcoming those objections.
The intended audience is anyone who wants to apply test automation to their legacy code, but is running into internal roadblocks, such as:
- Management or company buy-in,
- Creating space in the schedule, and
- Budget constraints.
This paper covers the basics you’ll need to start the test automation journey for your legacy code, and helps you engage those around you.
DevOps Automated Governance Reference Architecture
Attestation of the Integrity of Assets in the Delivery Pipeline
As organizations adopt DevOps practices, they develop increased productivity within their software development teams, faster releases of digital products, and improved customer experiences. But as the rate of delivery increases, it becomes more difficult for security and compliance to keep up without getting in the way. So, how can you ensure that all aspects of your deployment pipeline are protected as delivery velocity dramatically increases?
The “shift-left” practice in DevOps helps organizations improve quality and security by moving testing earlier in the release process. As more and more DevOps practices are automated, it becomes harder to capture the data required to ensure all security and compliance concerns are met. Organizations need an automated way to track governance throughout the entire software delivery process so they can attest to the integrity of all assets and to the security of all running applications.
This paper is intended to guide organizations in implementing an automated process for tracking governance throughout the deployment pipeline. It provides a reference architecture for designing and implementing automated governance throughout the delivery pipeline, and a sample use case to reinforce these best practices.
The paper strives to design a model flexible enough that it can easily be extended and adopted by organizations struggling to maintain compliance and audit controls as their software delivery speed increases. It presents a reference architecture that enables an organization to create trust within the process of delivering software and services. As organizations further automate the continuous delivery of software and services, they also need to ensure there are common validations and trust mechanisms throughout the process.
Ultimately, a DevOps automated governance process can give organizations the assurance that the delivery of their software and services is trusted.