Internal Auditors as Catalysts in DevSecOps

Author: Ravikumar Ramachandran, Chennai, India, CISA, CISM, CGEIT, CRISC, CDPSE, OCA-Multi Cloud Architect, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CIMA-Dip.MA, CFA, CEH, ECSA, CHFI, MS (Fin), MBA (IT), COBIT-5 Implementer, Certified COBIT Assessor, ITIL 4 -Managing Professional, TOGAF 9 Certified, Certified SAFe5 Agilist, Professional Scrum Master-II
Date Published: 18 October 2023

“Every company now is a software company.” - Microsoft CEO Satya Nadella in 2019

“Software and cathedrals are much the same, first we build them, then we pray.” - Anonymous

DevOps, a shortened version of Development and Operations, is a modern approach based on lean and agile principles in which business owners, the development team, operations and quality assurance collaborate to deliver software in a continuous manner. This enables the business to release software to market and seize opportunities rapidly, reducing the time lag to act on customer feedback.

In short, DevOps enables the business to address the disadvantages of the traditional waterfall method and deliver customer-friendly software products rapidly and frequently. Technological advancements such as the public cloud and Infrastructure as a Service (IaaS) set developers on the path toward rapid software development methods, aided by agile and scrum frameworks.

The need for security in DevOps is met by DevSecOps, which brings modern security practices into the fast and agile world of DevOps. It extends DevOps’ goal of promoting collaboration between developers and operators by involving security experts from the start of a project.

In this article, DevOps and DevSecOps will be used interchangeably.

Basic terms in software engineering

  1. Monolithic Architecture: All functionalities reside in a single code base. The components of the software, including the user interface, business logic and database, are tightly integrated and deployed as a single unit – not suitable for big projects.
  2. Microservices Architecture: All functionalities of a software are distributed into independent deployable services which have their own business logic and database. Every service is responsible for one functionality.
  3. Application Programming Interface (API): Defines how two applications communicate with each other using requests and responses.
  4. Container: A self-contained unit of software including all elements necessary to run an application consistently from one computing environment to the next.
  5. Docker and Kubernetes: Docker is a container runtime while Kubernetes is a platform for running and managing containers from many container runtimes.

Internal Auditor as a Catalyst

Internal auditors can play the role of catalyst within the organization to implement DevSecOps successfully. They should work closely with the team and report to management with valuable suggestions supported by material evidence and metrics. Some of the important examination areas are as follows:

  1. DevOps Culture
    DevOps is a cultural movement. It is all about people. A DevOps culture is characterized by a high degree of collaboration across roles, a focus on business rather than departmental objectives, trust and a high value placed on learning through experimentation. Scaled Agile Framework (SAFe), Disciplined Agile Delivery (DAD) and Scrum are at the core of DevOps and can be leveraged to help adopt a DevOps culture. As culture is extremely difficult to measure, an internal auditor should take direct measures of attitudes through surveys and interviews and by reviewing the frequency of scrum meetings, their minutes and email exchanges, and indirect measures of how members reach out to others across organizational layers.
  2. DevOps Process Adoption
    The most important DevOps process is change management, which calls for:
    • Continuous improvement
    • Release planning
    • Continuous integration
    • Continuous delivery
    • Continuous testing
    • Continuous monitoring and feedback

    Internal auditors must identify the right set of efficiency and quality metrics as suggested by management, and should establish a baseline against which to measure improvement.

  3. DevOps Technology Adoption
    Technology frees people from routine tasks and enables them to focus on innovation. The cardinal principle of DevOps is deploying automated tools and reusable assets, code and practices that are cost-effective and efficient, thereby satisfying the primary goals of agility and lean management. Internal auditors must verify efficiency and effectiveness against the four axioms of enterprise IT governance:
    • Strategic alignment
    • Value delivery
    • Performance evaluation
    • Risk optimization
  4. DevSecOps
    Internal auditors must review and ensure the presence of the following key points:
    • Well-defined roles and responsibilities are established in the cross-functional DevOps team.
    • Well-defined DevSecOps-specific policies are established to enable the organization to keep up with the pace of application development in a DevOps environment.
    • Automated security tools are deployed in the environment, reducing vulnerabilities and security flaws due to human error.
    • An automated audit trail is maintained throughout the software development lifecycle, facilitating compliance reporting.
    • Material evidence exists that continuous monitoring of security metrics and improvement measures are undertaken.
    • Strong sponsorship and support from management on security needs, and alignment of development and security at the management level. Otherwise, as noted in a CSO article, “you end up with management level clashes sometimes where the goals are different even though the people are working in the same team. It is like parallel play with little kids. You have two toddlers who are playing next to each other, and they are not fighting, but it does not mean they are really playing together. I think it is an element of that happening in a lot of organizations.”
    • Compliance with NIST Guidelines on Software Supply Chain and DevOps Security Practices - Implementing a Risk-Based Approach to DevSecOps
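As an added example (not part of the article), the following audit test shows how an internal auditor could turn an exported pipeline audit trail into the material evidence and metrics this section calls for: it checks that the required automated scans ran and passed before each production deployment and that an approval was recorded, then reports the gate compliance rate and the exceptions. The record layout, scan names and sample records are constructed assumptions.

```python
"""Audit test over a CI/CD audit trail (added example; field names and the
sample records are constructed assumptions, not the article's)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scans the pipeline must have run and passed before a production deployment.
REQUIRED_SCANS = ("sast", "dependency_scan")

@dataclass
class Deployment:
    release: str
    deployed_at: str  # ISO-8601 UTC timestamp; same-format strings compare chronologically
    scans: Dict[str, dict]  # tool -> {"finished_at": iso timestamp, "status": "pass"|"fail"}
    approved_by: Optional[str] = None

def check_deployment(d: Deployment) -> List[str]:
    """Return the control failures for one deployment (empty list = compliant)."""
    findings = []
    for tool in REQUIRED_SCANS:
        scan = d.scans.get(tool)
        if scan is None:
            findings.append(f"{tool}: no scan recorded")
        elif scan["status"] != "pass":
            findings.append(f"{tool}: scan status {scan['status']}")
        elif scan["finished_at"] > d.deployed_at:
            findings.append(f"{tool}: scan finished after deployment")
    if not d.approved_by:
        findings.append("no approval recorded")
    return findings

def audit_trail(deployments: List[Deployment]) -> dict:
    """Summarise gate compliance as a metric and keep the exceptions as evidence."""
    exceptions = {d.release: f for d in deployments if (f := check_deployment(d))}
    total, compliant = len(deployments), len(deployments) - len(exceptions)
    rate = round(compliant / total, 2) if total else 0.0
    return {"total": total, "compliant": compliant, "compliance_rate": rate, "exceptions": exceptions}

# Constructed sample trail: one compliant release, two with gate failures.
SAMPLE = [
    Deployment("r-101", "2023-10-02T10:00Z",
               {"sast": {"finished_at": "2023-10-02T09:10Z", "status": "pass"},
                "dependency_scan": {"finished_at": "2023-10-02T09:20Z", "status": "pass"}},
               approved_by="release-manager"),
    Deployment("r-102", "2023-10-05T15:00Z",  # SAST finished after the deploy, SCA missing
               {"sast": {"finished_at": "2023-10-05T16:30Z", "status": "pass"}},
               approved_by="release-manager"),
    Deployment("r-103", "2023-10-09T08:00Z",  # SAST failed and nobody approved
               {"sast": {"finished_at": "2023-10-09T07:00Z", "status": "fail"},
                "dependency_scan": {"finished_at": "2023-10-09T07:05Z", "status": "pass"}}),
]
```

Running the same test against each quarter's export gives the baseline and the trend the process section asks the auditor to establish.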

Author’s note: The opinions expressed are the author’s own and do not represent those of the organization or of the certification bodies with which he is affiliated.