Software audits play an essential role in ensuring the quality and performance of the applications that government agencies and contractors develop. Audits confirm that an application is secure, identify vulnerabilities that may be exploited, or have already been exploited, in cyberattacks, and verify that an application meets end-user or customer requirements. In this environment, adopting audit-ready pipelines is crucial.
The process of developing applications is different from what it used to be. Large, monolithic applications are giving way to applications composed of many disparate microservices, each with an independent task that, when combined, accomplish a larger job or function.
Think about a modern app, such as a ridesharing app. That single application is an amalgamation of microservices running simultaneously to connect a car and driver with a passenger who needs a ride. One microservice may identify the rider’s location and find the closest available car and driver. Another may take the rider’s destination and deliver turn-by-turn directions to the driver. Another handles the credit card payment, while yet another handles the driver rating system.
But the move to microservices isn’t the only change in how applications are developed. Today’s applications are designed and developed on infrastructure that is itself provisioned and configured by software in the cloud. These cloud-native applications are packaged in containers and run on Kubernetes clusters, so that they behave consistently in virtually any environment to which they are deployed.
These applications aren’t structured the same way. They aren’t developed the same way. And they certainly aren’t deployed into the same environments. They are more complex, and that added complexity carries over into the audit process. When every member of a modern development team, following DevSecOps practices, uses multiple systems, applications, platforms and tools, there are suddenly many more logs, metrics, traces and sources of truth that must be pored over and aggregated to get a true, complete picture of the development process for audit purposes.
In the event of a cyberattack, a security professional would have to review information from a tremendous number of sources to determine where the vulnerability lies and who was responsible for it. Likewise, an audit conducted to gauge the status of an application’s development process, and whether the application meets end-user requirements, would need to pull and analyze data from multiple disparate platforms and dashboards just to begin finding answers.
The complexity of modern software and of the modern development process has made the audit process as complicated as, if not more complicated than, the software being developed. But organizations can overcome that complexity by turning their application development and deployment pipeline into one that is “audit-ready.”
Audit-ready pipelines comprise a host of practices and tooling focused on answering auditors’ requests painlessly. In an ideal world, auditors can review the entire application and the software delivery lifecycle (SDLC) to confirm that the application meets end-user requirements, complies with government requirements and mandates, is secure against known vulnerabilities, and that any problems or vulnerabilities identified during or after development and deployment can be isolated and remediated in a timely and efficient manner.
When properly utilized, audit-ready pipelines are a natural extension of the DevSecOps approach. In a development process built on the audit-ready pipeline concept, “Only people who have access are authorized to start a pipeline, approve gates, run manual tasks or anything else,” explained Avan Mathur, Product Management at CloudBees. Enforcing that constraint not only increases security but also lets operations personnel track who did what when an audit request arrives.
Mathur, whose expertise is in DevOps and who recently spoke about audit-ready pipelines at DevOps World 2020, continued by noting that “audit-ready pipelines should provide visibility from end to end, starting with code all the way into production and beyond.”
Audit-ready pipelines increase transparency into the SDLC and improve visibility without the tedious, manual work that even simple application audits require today. As Mathur explained, “The current state of people’s processes are very tool-heavy with lots of manual touchpoints and everything is disconnected,” which means that when it comes time to audit, “it’s hard to hunt down and find where all that data is located.”
A key benefit of an audit-ready pipeline is central traceability, which gives an auditor proof that every step in a process did what it was supposed to do, when it was supposed to do it. “It’s so much harder to find out what happened and who did what in systems that don’t automatically log activity,” Mathur explained. Embracing orchestration tools that record activity automatically can deliver this single source of truth and eliminate unnecessary steps and extra work in an audit.
Mathur also highlighted that an audit-ready pipeline can auto-generate the audit report itself, which further enhances security. As he put it, “You don’t want to try to boil the ocean, but there are steps that you can take to start a structured approach.” Automation can be a viable end goal with this level of technology.
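The following is an added example, not code from the original article or from CloudBees, sketching what the two properties described above look like in practice: an authorization check on who may start a pipeline, approve a gate, run a manual task or deploy, and an automatically written, hash-chained activity log from which an auditor’s report for a given commit is generated rather than hunted down. The role table, user names, actions and commit id are all hypothetical.

```python
"""Hypothetical audit-ready pipeline sketch (illustrative example, not CloudBees code).

Two properties are modelled:
  1. authorisation: only users whose role permits an action may start a
     pipeline, approve a gate, run a manual task or deploy;
  2. traceability: every attempt, allowed or denied, is written to an
     append-only, hash-chained log, and an audit report for a commit is
     generated from that log rather than assembled by hand.
All user names, roles, actions and commit ids below are made up.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical role table: which roles may perform which pipeline actions.
PERMISSIONS = {
    "start_pipeline": {"developer", "release-manager"},
    "approve_gate": {"release-manager"},
    "run_manual_task": {"operator", "release-manager"},
    "deploy": {"release-manager"},
}

# Hypothetical directory of users and their single role.
USERS = {"alice": "developer", "bob": "release-manager",
         "carol": "operator", "mallory": "guest"}

GENESIS = "0" * 64  # prev-hash of the first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same event always hashes the same.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **event}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no stored entry has been edited or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def trace(self, commit: str) -> list:
        """Every recorded action for one commit, in the order it happened."""
        return [e for e in self.entries if e.get("commit") == commit]


class Pipeline:
    """Authorises each action against PERMISSIONS and logs the outcome."""

    def __init__(self, log: AuditLog):
        self.log = log
        self.clock = 0  # logical timestamp keeps the example deterministic

    def act(self, actor: str, action: str, commit: str, **details) -> dict:
        self.clock += 1
        role = USERS.get(actor, "unknown")
        allowed = role in PERMISSIONS.get(action, set())
        # Denied attempts are logged too: an auditor wants to see them.
        entry = self.log.append({"ts": self.clock, "actor": actor, "role": role,
                                 "action": action, "commit": commit,
                                 "allowed": allowed, **details})
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action}")
        return entry


def audit_report(log: AuditLog, commit: str) -> dict:
    """Auto-generated answer to: who did what to this commit, and is the log intact?"""
    events = log.trace(commit)
    ok = [e for e in events if e["allowed"]]
    return {
        "commit": commit,
        "started_by": [e["actor"] for e in ok if e["action"] == "start_pipeline"],
        "gates_approved_by": [(e.get("gate"), e["actor"]) for e in ok if e["action"] == "approve_gate"],
        "deployed_by": [(e.get("env"), e["actor"]) for e in ok if e["action"] == "deploy"],
        "denied_attempts": [(e["actor"], e["action"]) for e in events if not e["allowed"]],
        "log_intact": log.verify(),
    }


def run_example() -> tuple:
    """One pipeline run for a made-up commit, including a denied gate approval."""
    log = AuditLog()
    pipe = Pipeline(log)
    commit = "3f9a1c2"  # constructed commit id
    pipe.act("alice", "start_pipeline", commit)
    try:
        pipe.act("mallory", "approve_gate", commit, gate="prod")  # guest: denied
    except PermissionError:
        pass
    pipe.act("bob", "approve_gate", commit, gate="prod")
    pipe.act("bob", "deploy", commit, env="prod")
    return log, audit_report(log, commit)


if __name__ == "__main__":
    log, report = run_example()
    print(json.dumps(report, indent=2))
    log.entries[2]["actor"] = "mallory"  # simulate editing a stored entry
    print("intact after tampering:", log.verify())  # False
```

Two design points matter for an auditor. First, denied attempts are recorded alongside allowed ones, so the report shows not only who approved the production gate but who tried to and could not. Second, hash chaining lets an auditor detect edits to entries already written, but not truncation of the tail or a wholesale rewrite by whoever controls the log store; in a real deployment the chain head would be periodically signed or copied to write-once storage that the pipeline itself cannot alter.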
If your agency or organization is looking to turn its software development and deployment pipeline into an audit-ready one, CloudBees offers seven tips to aid the transition. Here are the first three:
- Tip One: Get key stakeholders involved, especially the appropriate leadership, to ensure that the DevSecOps approach is adopted company-wide.
- Tip Two: Conduct value stream mapping to understand exactly where your code goes and to give auditors a better idea of what to expect.
- Tip Three: Adopt a holistic approach to software delivery to build complete visibility throughout the company. This makes audits more efficient and thorough and connects every team.