Tuesday Morning Grind, Ep 8 - Effectively Auditing the SDLC
IT Auditors and Security Assessors often have a hard time understanding the risks associated with the modern software engineering ecosystem. In this episode we discuss DevOps and DevSecOps, potential risks security assessors should understand, and common tool sets that support these approaches to engineering.
Effectively Auditing the SDLC
Quick Recap: What is Agile and DevOps?
- Agile was an evolution in project management that focuses on continuously delivering a project in smaller increments through an iterative process.
- DevOps is an evolution of Agile. It is a software development process that brings together the traditionally siloed worlds of software engineering and IT operations.
- DevOps is heavily focused on automation and implementation of a specialized toolset to reinforce the DevOps culture and continuous delivery of software.
- In DevOps we see a paradigm shift in how software is delivered and supported. A continuous feedback loop keeps development and infrastructure teams marry the software engineering and infrastructure management teams.
Why is Auditing the Modern SDLC Difficult?
- Auditing an SDLC based on a DevOps method of delivery can be tricky for multiple reasons.
- Processes and toolsets will differ across teams (even within a single organization).
- Tools have the potential to change how things are done and the controls in place.
- There is not always clear indication that checks and balances are in place. Some will be automated while others may be manual but undocumented.
- DevOps teams are constructed of multiple teams working in conjunction with one another.
First Step to Success: Map the Process (in Plain English)
- Perform a walkthrough of the entire lifecycle from product planning and roadmap development to operations teams.
- Map the process in plain English as a narrative.
- Identify tools, scripts, plugins, and key processes along the way.
Identify Control Points
- Based on your narrative, start identifying control points.
- Remember that some control points may not yet be audit ready. Some may be automated while others are manual.
Identify Opportunities for Security Integration
- My DevSecOps white paper has a breakdown of various security integration opportunities throughout the DevOps lifecycle.
- Remember, not all tools will fit all teams. Some are language dependent, others may only work on one cloud platform or another.
- Shoot me a message on Linkedin if you’re interested in getting a copy of the whitepaper.