A love letter to auditors from DevOps, where we promise to make life better
Dear Auditor,
We realize that we have been changing things in a rapid fashion, from Agile and DevOps to Cloud and Containers. Yes, we have been busy, and we are having great success delivering faster than ever, with better quality, and supporting the business response to competitive pressures. This isn’t just icing on the cake; the only sustainable advantage in our industries is the ability to meet customer demands faster and more reliably than our competitors.
With all this growth, we made a mistake: we forgot to bring you along for the ride. That is totally our bad, but we want to make it right. We want to make some new commitments.
For example, you have told us that you are concerned about “Separation of Duties” in Agile and DevOps practices, and we heard you! We think we now have a better way to manage this and related risks. Having everything in version control, enforcing peer review for every change, releasing only via a secure pipeline, restricting production access, and monitoring for unauthorized changes in production systems should address your concern.
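To show what evidence for these controls can look like in practice, here is an added example that is not part of the original letter or of the DevOps Risk Control Matrix it references. It checks two of the controls above over constructed sample data: that every released change had a peer reviewer other than its author, and that every artifact digest observed in production was actually produced by a pipeline release. The record layout (change id, author, approvers, digest, pipeline run) and the sample ledger and inventory are assumptions, not a real tool's schema.

```python
"""Separation-of-duties and unauthorized-change checks over release evidence.

Added example; not code from the original letter or the Risk Control Matrix.
All records below are constructed sample data, and the field names are
assumptions rather than any real pipeline's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ReleaseRecord:
    change_id: str              # version-control change (e.g. a pull request)
    author: str                 # who wrote the change
    approvers: Tuple[str, ...]  # who peer-reviewed it before merge
    digest: str                 # artifact digest the pipeline built and released
    pipeline_run: str           # id of the pipeline run that shipped it


# Constructed sample evidence: what the release pipeline recorded shipping.
RELEASE_LEDGER: List[ReleaseRecord] = [
    ReleaseRecord("chg-101", "alice", ("bob",), "sha256:aaa111", "run-9001"),
    ReleaseRecord("chg-102", "carol", ("carol",), "sha256:bbb222", "run-9002"),  # self-approved
    ReleaseRecord("chg-103", "dave", (), "sha256:ccc333", "run-9003"),           # never reviewed
]

# Constructed sample inventory: artifact digests observed on production hosts.
PRODUCTION_INVENTORY: Dict[str, str] = {
    "web-1": "sha256:aaa111",
    "web-2": "sha256:aaa111",
    "web-3": "sha256:ddd444",  # not in any pipeline release -> unauthorized change
}


def review_findings(ledger: List[ReleaseRecord]) -> List[Tuple[str, str]]:
    """Peer-review control: each change needs at least one approver, and the
    author must not be among the approvers. Returns (change_id, reason) pairs."""
    findings = []
    for rec in ledger:
        if not rec.approvers:
            findings.append((rec.change_id, "no peer review"))
        elif rec.author in rec.approvers:
            findings.append((rec.change_id, "author approved own change"))
    return findings


def unauthorized_production_changes(ledger: List[ReleaseRecord],
                                    inventory: Dict[str, str]) -> List[str]:
    """Change-monitoring control: a host is flagged when it runs a digest that
    no pipeline release produced, i.e. something reached production outside
    the secure pipeline. Returns the sorted list of offending hosts."""
    released = {rec.digest for rec in ledger}
    return sorted(host for host, digest in inventory.items() if digest not in released)


def control_report(ledger: List[ReleaseRecord],
                   inventory: Dict[str, str]) -> Dict[str, list]:
    """Bundle both checks into the shape an auditor would want to see."""
    return {
        "peer_review_findings": review_findings(ledger),
        "unauthorized_hosts": unauthorized_production_changes(ledger, inventory),
    }


if __name__ == "__main__":
    for name, items in control_report(RELEASE_LEDGER, PRODUCTION_INVENTORY).items():
        print(f"{name}: {items if items else 'no findings'}")
```

Run as-is it reports chg-102 (self-approval) and chg-103 (no review) under the peer-review control, and web-3 as a host running an artifact the pipeline never released. In a real environment the ledger would come from the pipeline's release records and the inventory from an agent or deployment API, but the two comparisons are the same.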
The DevOps community has been experimenting quite a bit over the last several years, and common practice now represents the collective wisdom of many companies, industries, and countries.
We have compiled a list of audit concerns and documented them in a DevOps Risk Control Matrix, with a lot of detail around the controls, our practices, and the evidence collected to support each control. We hope this matrix provides a way for us to collaborate.
Please don’t take this as backing down from speed and providing value; we are really excited to move forward, together.
Created by Ben Grinnell, James Wickett, Jennifer Brady, Rob Stroud, Sam Guckenheimer, Scott Nasello, Tapabrata Pal
Released under the CC0 License: https://creativecommons.org/publicdomain/zero/1.0/