Creating compliance reports and guiding audits
DevOps is taking a huge flight in enterprises. Embedding security in DevOps is a logical next step. But how can enterprises be sure that their DevOps and DevSecOps are compliant with the frameworks that we've discussed throughout this chapter? The answer to that question is: by audit. IT systems are regularly audited, and so should DevOps practices. Having said that, auditing DevOps is still unchartered territory, although major accounting firms such as KPMG and Deloitte have issued white papers on the subject.
DevOps audits should include at least the following topics:
- Evaluating the DevSecOps strategy: Is the strategy clear? How is governance arranged? A DevOps strategy can be set per business unit or enterprise-wide. Both are fine, so long as the strategy is followed through consistently. The goals should be clear and adopted by every team. The same applies to the way of working across all disciplines in the team. Processes...
